Backup Messages: Convenient or Calamity Waiting to Happen?

Having backup messages might not be worth the risk to your privacy

Computer pros remind us to always backup our computers and devices. Before you update your laptop or smartphone, make sure you have a backup in case something goes wrong. Have a backup of your files when you travel.

Backups are an essential part of using computers. Except where secure messaging is concerned. Secure chat backups are a trade-off between convenience and security. Some people want to be able to recover chats no matter what. Other people are willing to lose older messages to protect their privacy and the people they communicate with. When you choose to backup your secure messages it’s not just your privacy and security at risk—it’s all the people you’ve chatted with as well.

What are the trade-offs of backup messages?

When we talk about backup messages for chats, the discussion starts to get detailed and complicated very quickly. What are the trade-offs when allowing you to get data back. Where is the balance between “oops” protections and security? There are three big challenges with backup messages:

  • Keeping the backups secure and protected.
  • What are the risks to the people you chat with?
  • Is it a good idea in the first place?

The point of having a backup is if your phone falls in a puddle and breaks, you can get all the data back. For your apps, photos, email, files, and settings, this is a good idea. At one time or another all of us have had to use a backup to restore a phone.

But secure messaging, especially E2EE messaging, is different. If someone gets a hold of a backup of your phone, they could conceivably take that backup, install it on another phone and pretend to be you. That alone compromises your security and the people you message.

What other security risks do backup messages pose?

Then there is the question of the risk to the people you’ve been communicating with. Backups of your chats include both sides of the conversation—and sometimes all the attachments as well. What if someone gets a hold of your backup and the backup isn’t encrypted, what will people be able to learn about the people you communicate with? If you think this example is far-fetched, you only have to look as far as WhatsApp.

WhatsApp allows you to backup your chats (the chats are in fact automatically backed up) to iCloud or Google Drive. Which sounds good in practice, except:

WhatsApp backups are stored as unencrypted plain text.

This is a privacy nightmare. As a few people have found out the hard way, this means whoever gets access to your device with the backups, can read all of the messages. And not just your portion of the messages, since WhatsApp wanted to give people complete protection against losing their chats, the backups contain the complete chats between you and everyone else you messaged. This is one of many issues WhatsApp has.

What is the “puddle versus hammer problem” of backup messages?

The crux of backing up secure messaging apps comes down to the “puddle versus hammer problem”—would you rather get data back or be able to lose the data on purpose. In an Electronic Frontier Foundation (EFF) article—Thinking About What You Need In A Secure Messenger— they talk about the puddle test and the hammer test:

Messaging developers sometimes talk about the “Puddle Test”: If you accidentally dropped your phone in a Puddle and ruined it, would your messages be lost forever? Would you be able to recover them? Conversely, there’s the “Hammer Test”: If you and a contact intentionally took a Hammer to your phones or otherwise tried to delete all your messages, would they really be deleted? Would someone else be able to recover them?

There is a tension between these two potential situations: accidentally losing your messages, and intentionally deleting them. Is it more important to you that your messages be easy to recover if you accidentally lose them, or difficult to recover if you intentionally delete them? The problem with wanting to pass the “puddle test” is if you can get your messages back, you have to ask could someone else too? Even encrypted backups could be exploited if you don’t use a strong password to encrypt them.

Then there is a case like this (also from the above EFF post):

Cloud backups of your messages can throw a wrench in the “Hammer Test” described above. Backups help you pass the “Puddle Test,” but make it much harder to intentionally “hammer” your old messages out of existence. Apps that backup your messages unencrypted store a plaintext copy of your messages outside your device. An unencrypted copy like this can defeat the purpose of forward secrecy, and can stop your deleted messages from really being deleted. For people who are more worried about the “Puddle Test,” this can be a desirable feature. For others, it can be a serious danger.

This is the trade-off. Hammer or puddle. We believe the risks to protect against puddles is too great for our users. For us, the hammer test is the only test we want to pass.

It’s hammer time for backup messages

We think passing the “hammer test” is more important than being able to get your messages back if your device is damaged (or replaced). We make sure that your chats are unrecoverable when you delete your messages or if you:

  • Lose your device
  • Get a new device
  • Have wiped and restored your device
  • Have to reset the SKY ECC password on your device

In any of the cases above, you’ll lose all the previous chats and files stored on your device. Yes, this could be inconvenient, but we think this trade-off is worth the forward and backward security it gives our users. Often the best security isn’t always the most convenient.

No safety net can be safer

When you’re trying to keep your messages as private and secure as possible, it’s better not to have the safety net of backups. We still think you should backup your devices and computers, but secure chats? It’s not worth it. It’s not worth the risk to you or the people you securely communicate with. 

Contact us here at SKY ECC today to learn more about truly secure messaging, or discuss or feelings on chat backups.