Sci & Tech

Appraisal of 6 Encrypted Messaging Applications

Auto & Tech Desk
All the apps use end-to-end encryption. Therefore, in case the message is intercepted mid-transaction, they would be a jumble of meaningless digital characters
It is recommended to install more than one app.
It is recommended to install more than one app.
The apps are available for download on Apple’s App Store and Google’s Play Store

Whistleblowers from Perry Fellwock in 1970s to Edward Snowden have revealed how surveillance agencies around the globe attempt to look into ordinary people’s lives and communications. Such revelations have turned privacy into a precious and endangered commodity. In this article, six messaging applications which use end-to-end encryption to preserve users’ privacy are introduced.

A short reminder before getting into the apps: regardless of how careful we are with our online behavior and how many encryption layers and VPNs we use to shield our privacy, when those with influence and power decide to illegally read our communications, they will.

In short, online privacy is a magical beast never sighted. This does not translate into disregarding online security but a healthy pessimism which can help protect your privacy.

Many of these apps and their developers stand accused that they sell user data (both individual data and big data) to other firms and security agencies for a price.

The apps encrypt messages before leaving your device. Thus, hypothetically in case the message is intercepted mid-transaction, they would be a jumble of meaningless digital characters.

Certainly you have heard about many of these apps. Some of the most famous are Telegram, WhatsApp, Signal and Viber.

The following apps are available for download on Apple’s App Store and Google’s Play Store.

It merits mention that several Iranian firms have launched encrypted messengers in recent years, apps like iGap, Soroush, Nazdika, Fanoos and BisPhone. However, since none of them have ever been subject to a fine-toothed independent audit they are not included in this article.

Signal — Endorsed by Edward Snowden, in many online reviews Signal has been named as the “messaging app for privacy-conscious users”. The source code for Signal is available online so it can be checked for vulnerabilities by security experts.

So far, researchers from the University of Oxford in the United Kingdom, Queensland University of Technology in Australia and McMaster University in Canada have given the application a fervent thumbs up.

In a joint report in November 2016, they wrote “We have found no major flaws in its design, which is very encouraging.” However, they have called on other analysts to continue their testing.

Wire — Developed by a 50-strong team of programmers based in Switzerland, Wire has been lauded for being more user-friendly compared to Signal. Furthermore, it does not requiring a phone number for registration (Signal requires your phone number).

The app received its fair share of scrutiny when it was launched. At the time, University of Waterloo cyber security researchers said, “users should avoid using the service while numerous problems remain unfixed.” Its source code was closed and it had problems in call and account authentication. Some of the issues were solved and the code behind the app has been opened up.

Wickr —The app does not require a phone number for registration. For accessing the app, after unlocking the phone every time users are required to authenticate their identity by entering a password or employing the phones fingerprint ID system.

After three years of operation, Wickr’s team released the app’s core crypto code in 2017. The move was applauded by users and professionals.

Wickr uses cipher AES-256 for encrypting messages (in transit and stored on your device), which in theory is not crackable since the combinations of keys made with the cipher are massive.

Furthermore, the app wipes the messages after a defined period from the device. It also offers a self-destructing messaging system. Using it, the sender can set messages to self-destruct a few seconds after the recipient reads them.

WhatsApp — In April 2016, WhatsApp enabled end-to-end encryption. However, later in 2017 it was revealed that the app was riddled with security flaws. For instance, WhatsApp can create new encryption keys for offline users — a common practice for encrypted communication tools. The problem is that the company does not inform users that the key has been changed.

Imagine the lock on your door and its key are swapped but you cannot detect any change in the appearance of the key or the lock.

This could allow someone to intercept the process and make “a copy of your key”. This effectively undermines the apps security and users’ privacy.

The company has introduced some counter measures however none were appealing for the general public. Furthermore, WhatsApp is accused of having backdoors and selling data to governments.

Telegram —The messenger developed by cryptic Russian programmer Pavel Durov is used by French President Emanuel Macron and millions around the globe. Just like rivals, Telegram uses end-to-end encryption.

No specific audit has proved Telegram insecure but many users have questioned its integrity since Durov has never disclosed with detail how the app is financed. Whenever questioned, he has said that it is financed by donors.

Compared to other massaging apps, and in addition to voice and video calls, Telegram has features like self-destructing messages.

Telegram has about 40 million users in Iran and can be named the most popular messenger and social media platform in the country.

Viber — Once popular in Iran four years ago, the app lost appeal after access to it was blocked. Currently, the app is accessible. The messaging app rolled out its end-to-end encryption update in 2016 to catch up with rivals. However, so far it has not received much support from security experts.

It has a more user-friendly environment compared to WhatsApp or Signal but the company is yet to publish details about how its encryption system works -- a common practice with encryption system developers so their product can be audited for vulnerabilities by other researchers.

Furthermore, it has been speculated that Viber uses MD5 algorithm for encryption, widely considered to be cryptographically insecure. This has been rejected by Viber developers and the company has not provided any further information.



Add new comment

Read our comment policy before posting your viewpoints