When you get into the details, there’s secure, then there’s secure
There are many private chat app options out there. One site we use for reference compares a dozen of the most common ones—and there are several missing from the list including SKY ECC. Looking at all features and details for each app can be overwhelming at first, but it’s obvious not all apps are made equal.
As you’re deciding on an end-to-end encrypted communications solution, you must consider how the app balances ease of use with security. This balance is at the heart of all computer security. Messaging apps that let you find friends by their phone number or email make it easy for you to connect to people you know, but they also open up a security hole. This isn’t farfetched, it’s already happened with WhatsApp and is a known issue for other phone number-based messaging products.
When we look at the messaging landscape, we break it down into several groups: insecure tools, free apps available in app stores, paid apps available in app stores, and device-only apps. In reality, the secure messaging landscape is a continuum through those groupings, and we’ll go through the groups and the continuum in this post.
Private Chat App Security Continuum
Security purists will say if something isn’t 100% secure, then it’s insecure. While true, there are always degrees of security: as you become more secure you swing the balance away from convenience, and it’s this balance that is at the heart of the continuum:
- Starting at the left are the completely insecure communications tools: email and SMS. Neither of these should be considered secure by any measure. At the right are the most secure options: an app installed on a device that is used solely for secure communications.
- In the middle is where things get interesting. The secure communications space is dominated by free apps downloaded from app stores onto regular, everyday devices. All of them are easy to obtain and install.
- As you move to the right, connecting with your friends may take a few extra steps, but none of them put up significant barriers to find and add people.
WhatsApp, Facebook Messenger, iMessage: Popular but problematic
These three private chat apps are some of the most popular in the world. Popular is great because chances are anyone you meet is going to have one or all of them. There’s a catch with popular. Popular always equates to convenient. These apps are easy to get (all are free, and iMessage is the built-in SMS app for iOS) and easy to use. The catch:
- Until recently, WhatsApp messages weren’t encrypted by default and neither were backups saved to iCloud or Google.
- Facebook Messenger forces people to switch into “private chat mode” to end-to-end encrypt messages. Without end-to-end encryption, people (or advertising algorithms) can read the content of your messages.
- In Facebook group chats, for example, Facebook was inserting ads into the stream based on the conversation. The ads were clearly marked as ads, but the targeting was 100% based on the topic of conversation.
- In WhatsApp’s case, while messages are end-to-end encrypted, the metadata surrounding the message is not encrypted.
As we discussed in another post, metadata is just as important to protect as the message itself. Facebook is planning to insert ads into WhatsApp based on message metadata and personal data in 2020—which is also why (it is rumored) the founders of WhatsApp left Facebook.
Apple’s iMessage is a different beast altogether. The messages have always been encrypted end-to-end, and the data is supposed to be impervious to Apple reading the messages; however, the private keys for messages are stored on Apple’s servers and could be given to others (or stolen).
As various iCloud hacks have shown, what you send through iMessage and save to iCloud can be retrieved with your password. Both WhatsApp and iMessage are okay for normal conversations with friends, but they are not a private chat app by any stretch of the imagination. Sharing photos with relatives and friends is probably okay, provided that in WhatsApp you disable automatic saving of images to your photos app on iOS or Android.
Remember once information is stored and saved to the internet, it’s there forever. There is no universal, 100% for-sure delete from the internet, no matter how much we’d like there to be. Backups of WhatsApp or iMessage messages or years worth of your Facebook Messenger chats exist somewhere. And if they exist in a way you can retrieve them with a password—so could someone else.
Signal, Telegram, Wickr: Free to you, but at what cost?
In the end-to-end encrypted (E2EE) world these three apps are some of the most popular. Edward Snowden is famously a Signal user and recommends it for people who want a secure, private messaging solution. Telegram and Wickr have similar followings, though questions have been raised about Telegram’s security and if messages are truly private and unreadable by the company. Like the three apps above, it’s easy to download and start using them. You can find friends on any of these based on phone numbers or email addresses. These are secure—for the most part—communications apps.
The issue with these popular apps is that they are free. Free is great for gaining traction and a critical mass of users, but who is supporting and helping these users? How is ongoing development being funded? When push comes to shove, if a major vulnerability is found, how quickly will an open-source app with mostly volunteer developers fix it?
We believe that there-when-you-need-us-the-most support is essential. We know the adage, “if the product is free, you’re the product”. While that is not a likely end for these apps (though it certainly is for Facebook Messenger and WhatsApp), it’s worth considering who is paying to keep the lights on at these companies and why. Foundations, donors, and individuals might not remain the steady source of funding they are today. If that money dries up, and the money was being used to keep the app running, how long will that app keep working? And what happens to your data, and how much of it is taken from you?
Threema: What about the device it’s installed on?
In our own secure messaging apps comparison, Threema gets a lot of marks in the plus column (green boxes, versus red or yellow). As a paid solution, you know where the money is coming from to support users and keep the app updated. Threema bills itself as a secure messaging solution for business, and by all accounts it is.
However, like all the other apps we’ve discussed thus far, it has one potentially fatal flaw—the device the app is installed on. If your phone has been compromised by a malicious app, for example a key logger, or by an app signed with an enterprise certificate (as many “free” versions of paid apps are) that intercepts all your communications, it doesn’t matter how secure the app is—your messages might not be as private as you think.
These vulnerabilities aren’t Threema’s fault, nor are they under Threema’s control: they assume your device is secure and uncompromised when you install their app. If you make an app that can be downloaded to devices via various app stores, you are at the mercy of the device the app is installed on. There are steps you can take to mitigate the risk on devices, such as VPNs or secure tunnels, but at some point a regular device with Bluetooth, NFC, AirDrop (iOS), and other attack surfaces has weaknesses that can be exploited.
Device-based: Very secure, but not for everyone
The third group of secure messaging solutions uses dedicated hardware. Devices like those offered by our direct competitors and by us—SKY ECC—offer the greatest degree of protection, but also require you to carry two devices. Secure device solutions take an off-the-shelf or custom-built phone and tailor it for secure communications. This means:
- Leveraging on-chip tamper resistance
- Managing the device so features like Bluetooth can be disabled
- Installing the app into a secure container on the phone
- Properly securing the network
This level of security is essential for governments, high value executives who travel extensively outside of North America and Europe, prominent figures who might be the target of snooping campaigns, and anyone else who wants to protect their privacy and keep their communications absolutely secure.
Typically these devices, while still smartphones, have been locked down so they cannot be used for email, social media, or installing apps, and do not have unrestricted access to the internet. All of these functions introduce significant risks to the security of the device, from malware and phishing to spam and mobile viruses. Disabling these features isn’t convenient (or fun), but it is secure. And that’s the point. Focused devices reduce the ways a device could be compromised, but this comes with a trade-off: device-based solutions are premium solutions where you purchase a secure device on top of purchasing the license for the software.
Many people don’t want to carry a second device, and that’s understandable. However for the people whose needs aren’t met with solutions installed on their own phones, the inconvenience of a second device pales in comparison to the cost of a message falling into the wrong hands. Just as with the self-installed apps we’ve already discussed, not all device-based solutions are created equal. One of the most fundamental parts of a device-based solution is the device itself. Encro offers custom devices using a modified version of Android. Their options do give you some ability to have a “personal” profile on the device as well as “secret” mode for secure messaging.
SKY ECC’s approach to a private chat app
We have taken a different approach with SKY ECC, a move which we believe puts us into the conversation of the most secure phone available anywhere:
- We use devices from Apple, Google, and BlackBerry that meet our stringent security requirements and are backed by well-established companies.
- We know where and how the devices were made, and can leverage testing from a range of people to ensure the security of the platform.
- We leverage the strengths of iOS and Android, but avoid customizing the OS itself. Once an OS has been customized, it cannot be patched or updated directly.
- When an update for iOS or Android is released, SKY ECC users can update immediately—closing any security holes the update fixes.
Users of customized versions of Android will have to wait for the patch to come from our competitors with ‘custom’ phones. This could take a few days or a few weeks, depending on the update. If the security flaw is particularly severe, time is of the essence. High-risk flaws aren’t something we think our customers should have to wait to be patched. For the app and our secure container, we use standardized Mobile Device Management software, which has been tested and is well supported by the manufacturer.
We can’t ever be absolutely certain our devices are impervious to any and all dangers, but we’ve gone to great lengths to protect them from threats to the devices themselves, the network, and the private chat app.
Private chat app tools are essential
The secure messaging landscape isn’t as complex as it might seem. All messaging solutions fall somewhere on the continuum between security and convenience. The more convenient, the less secure; the more secure, the less convenient. Many people use a range of applications that fall on different parts of the landscape:
- SMS and iMessage for quick texts and messages
- WhatsApp for more private things with groups
- More secure apps or devices for their most sensitive communications.
There is no single right choice for all people all the time. The most important thing to keep in mind is knowing the pros and cons of the choices you make. See our chat app comparisons for more.
There isn’t always a need for a second device just for messaging, but when you have the need—you need that solution to be absolutely secure. At SKY GLOBAL we believe everyone has a right to private communications. And when you trust us with your communications, it is our responsibility to protect and maintain that as our prime directive. And if your friends aren’t convinced, our post on the 7 reasons why you should use secure and encrypted messaging or dispelling 7 myths about secure messaging may help.