Unlocking the secret to private messaging apps


The University of NSW said people turn to private messaging apps offering end-to-end encryption to secure their conversations, whether for sharing confidential information or mundane discussions.

Apps such as WhatsApp offer privacy that challenges even government agencies trying to access encrypted conversations.

However, given apps’ ever-changing security and privacy policies, UNSW questions whether messages remain secure from decryption.

In May 2021, many WhatsApp users switched to other private messaging apps such as Signal and Telegram following disapproval regarding the changes to the platform’s privacy policy for business entities.

UNSW School of Computer Science and Engineering and UNSW Institute for Cyber Security’s Dr Arash Shaghaghi likens encryption to having a secret conversation with someone.

“To keep our information away from prying eyes, we rely on cryptographic algorithms to encrypt our data. Encryption involves converting human-readable plaintext into an encoded format and the data can only be read after it’s been decrypted,” Dr Shaghaghi said.

He stated that encryption involves using a key to lock a message, while decryption is using it to unlock a message.

He added that with end-to-end encryption protocols like Signal, attackers could not decrypt messages already sent, even if they steal the encryption keys and tap the connection.

According to UNSW, modern encryption algorithms have undergone rigorous testing and have been found to have no known vulnerabilities. The university added that while this doesn’t mean the encryption will be impossible to crack, the process requires extensive processing power and could take a long time. 

Attackers commonly target endpoints and their vulnerabilities, which UNSW said is much easier than cryptanalysis, the process used to breach cryptographic security systems.

Last year, for example, attackers targeted a vulnerability in WhatsApp’s image filter functionality, which was triggered when a user opened an attachment containing a maliciously crafted image file.

Dr Shaghaghi said backed-up conversations are stored in the cloud, meaning those messages are stored on someone else’s computer.

“The service provider’s implementation of end-to-end encryption plays a significant role in the security and privacy of a messaging app against the provider and attackers. WhatsApp used to keep a backup of the messages in an unencrypted format over iCloud for Apple users and Google Drive for those who used WhatsApp on Android. Even though WhatsApp adopted an end-to-end encryption model in 2016, unencrypted backups were vulnerable to government requests, third-party hacking, and disclosure by Apple or Google employees,” Dr Shaghaghi stated.

In 2021, WhatsApp gave users an option to enable end-to-end encryption for their backups. While the move was welcomed, Dr Shaghaghi stated that it must be the default for all users and not just offered as an option.

“Users concerned about the security and privacy of their data must make sure to enable the end-to-end encryption backup for WhatsApp and other messaging platforms,” he added.

On the other hand, UNSW said Telegram has no default end-to-end encryption enabled and only applies its open-source and custom-developed protocol when the ‘secure chat’ function is enabled.

“As far as we know, Signal, Telegram, and WhatsApp are secure in providing end-to-end encryption, if the option is enabled. However, Signal is built with privacy and security as the primary motivation. Signal’s endpoint source code is also available to the public — this allows anyone to inspect the code and identify vulnerabilities,” Dr Shaghaghi stated.

He believes that Signal is a more secure and privacy-friendly messaging app than WhatsApp, Telegram, or Facebook Messenger.

With various messaging apps available, he said there are some simple measures to take to help safeguard a user’s privacy.

“Messaging platforms contain a lot of private information so it’s worth ensuring that the platform we use has a good reputation for ensuring the security and privacy of its users,” Dr Shaghaghi added.

According to UNSW, various government agencies have made strong calls for these messaging platforms to include backdoors allowing authorities to access data when necessary.

Recent US Federal Bureau of Investigation (FBI) leaks showed that, even with a subpoena, messages sent on platforms with end-to-end encryption are difficult for powerful government entities to access.

“From a security engineering perspective, implementing a backdoor is never a good idea. There is no guarantee that malicious hackers do not find out about these backdoors too and exploit them. However, those in favour of a solution allowing access for law enforcement agencies argue that they need access given the increasing usage of these platforms by criminals,” Dr Shaghaghi said.

As a result, some tech firms and messaging providers have altered the platform’s functionality.

“To meet regulatory requirements, WhatsApp now allows users to flag a message to be reviewed by their moderators… Apple has promoted encrypted messaging across its ecosystem and has fought off law enforcement agencies looking for records,” Dr Shaghaghi stated.

“I think we can balance the need for moderating criminal content and security and privacy requirements by breaking down the problem into more specific use-cases and developing innovative solutions,” he added.

