Are Your Messages Visible to Hackers?
Secure messaging apps are in the news following Wikileaks release of CIA documents suggesting the spy agency has ways of evading smartphone security features. If your phone isn’t secure, your messaging app should be. But which messaging apps can you rely on? Read on to find out.
Secure Messaging Apps
All of the leading messaging apps provide end-to-end encryption these days. But encrypting data while it’s in transit or stored on third-party servers is not enough. If your phone is infected with a keylogger, it will record all of your messages keystroke by keystroke and send them off to eavesdroppers at Hacker HQ.
Another tactic involves malware that takes screenshots of messaging sessions unbeknown to the users and sends those images to a remote server. The best messaging apps incorporate countermeasures for these tricks, too.
WhatsApp is one of the most popular encrypted messaging apps. That’s important because your contacts must be using the same messaging app you are in order to take advantage of its encryption. Odds are many of your contacts already use WhatsApp.
When you install WhatsApp on your Android or iOS device, it will ask permission to access your contacts. You don’t have to allow it, but you’ll have to enter phone numbers manually if you don’t. That may not be a burden if you have only a couple of contacts with whom you want to communicate via an encrypted channel.
WhatsApp allows users to back up their messages to a cloud service such as Google Drive. Be aware that such cloud storage services do not store data in encrypted form. You may want to encrypt a hard drive on your laptop using Bitlocker or a similar whole-disk encryption utility, and back up your messages to that instead of the cloud.
Then there’s the fact that Facebook has owned WhatsApp since August, 2016. WhatsApp is just starting to share some of its user data - but not message contents - with Facebook, in part to enable better targeting of Facebook ads on the social media network.
More Secure Messaging Apps
Confide is being used by White House staffers and other politicians. This app has been around since 2013, and includes innovative features along with end-to-end encryption. For example, Confide can reveal a message slowly and delete it immediately after it is read.
During installation, you will need to set a Confide password and verify your possession of the phone it’s installed on by entering a code that is sent to the phone’s number. Like WhatsApp, Confide will ask for access to your contacts, but you can refuse and enter phone numbers manually.
Security experts have been skeptical of Confide for two reasons. First, the app’s encryption protocol is proprietary, unlike that of WhatsApp and Signal (see below), so it cannot be vetted by the security community; we just have to take the company’s word that there are no vulnerabilities in Confide’s encryption. Second, in March, 2017, researchers at security firm IOActive reverse-engineered Confide and found “numerous security vulnerabilities” that would allow hackers to impersonate users, decrypt messages, and swipe users’ contacts. Confide’s developers say all of the vulnerabilities were fixed in a subsequent release.
Signal Private Messenger is lauded by the security community for its open-source and innovative encryption protocol, which has been vetted by researchers since 2014. In fact, Signal was just approved for use by the U. S. Senate.
During installation, you will have to enter a 6-digit code sent to your phone via text message, and you will need to give Signal access to your contacts. The company says contacts are quickly deleted from its servers. But why is it required that your contacts must be shared, even briefly?
Signal is popular among international aid workers, human rights activists, journalists. (And soon, perhaps, among Senators and other politicians.) But it’s not widely known amongst the "common folks," so finding Signal users among your contacts may be more difficult.
Apple’s iMessage app is built into iOS, so if you have an iPhone or iPad you can have encrypted conversations with any other Apple fan. Apple’s software is proprietary, but the company has a good track record when it comes to software security. Still, you have to take their cross-your-heart and pinkie-swear promise that they'll never, ever share your info with a third party.
The one astounding failure of iMessage is that you can’t know if the message you’re sending will be encrypted until you hit “Send.” It depends on how you and your contact have your iMesssage apps configured. After hitting send, your screen turns green if the message was not encrypted before sending, or blue if encryption was performed. Really, Apple? By then, it may be too late.
Of course, it’s essential to secure your hardware and operating system as well as your messaging app. Use a lock screen and PIN to prevent unauthorized access to the apps on your phone. If anyone with access to your phone can pick it up and starting poking around, it doesn't matter how much encryption you've got going on.
Apple users get iOS updates straight from Apple, but the vast majority of Android users must wait up to 18 months for their carriers to roll out Android updates. Only Google’s own Pixel phones get prompt updates for the Android operating system. The newest devices with the latest Android OS tend to get updates quicker. If you have an Android phone or tablet that's more than 2 years old, you may not get any updates. Check with your mobile service provider to see if and when your device will receive Android operating system updates.
Your thoughts on this topic are welcome. (And extra credit if you can identity the gadget in the image above.) Post your comment or question below...
This article was posted by Bob Rankin on 22 May 2017
|For Fun: Buy Bob a Snickers.|
Free Wireless Internet? Here's How!
The Top Twenty
5-Point Tuneup For Hacker Defenses
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Are Your Messages Visible to Hackers? (Posted: 22 May 2017)
Copyright © 2005 - Bob Rankin - All Rights Reserved