Attackers constantly leverage various security and privacy issues to breach popular messengers. Can these apps be trusted?
Calling instant messengers top applications is like saying that the most popular liquid is water. The list of most downloaded apps includes Facebook Messenger, Telegram, and Whatsapp.
WhatsApp and beyond
A massive reputational blow opened this year for WhatsApp further compromising the security image of instant messengers. However, the information security of instant messengers was under the scrutiny of experts and journalists long before that due to their popularity.
In January, WhatsApp announced a privacy policy update. WhatsApp announced that it would transfer user data to Facebook. Its audience responded immediately by migrating to the competitors which increased their downloads in times. For example, Signal messenger downloads grew by 4200% in a week following the announcement.
It is important to note that actually these changes to the privacy policy do not affect the existing methods or actions of WhatsApp in relation to the exchange of data with Facebook. It is just that they get legally declared. Nothing changes for the end-users, and their dramatic outflow is but a delayed response to the Cambridge Analytica scandal that makes people doubt whether Facebook maintains a sound privacy policy.
WhatsApp and Viber had been repeatedly criticized for security problems before January’s statement. For example, in February 2020, the hackers were found to be capable of accessing users’ personal data by sending a single text message to the victim.
A bit later, the researchers revealed that WhatsApp, Signal, and Telegram were leaking phone numbers of their users. And in the case of Telegram, even the users holding no account were exposed to the leakage as all contacts of any account holder were disclosed thus enabling the malefactors to use that data for creating fake accounts and launching various attacks.
In June 2020, the news broke that WhatsApp phone numbers had been publicly available for a long time. Dark web resources or other sophistications were unnecessary; you could do a quite simple Google search and find them.
The vulnerability was discovered by Athul Jayaram, a cybersecurity researcher. He claimed that using Google he managed to get the numbers of about 300,000 users of the messenger. WhatsApp could have avoided this issue if it had encrypted the users’ contact details instead of plain text storing.
Meanwhile, all the three messengers – WhatsApp, Signal, and Telegram are ranked among the top five most protected according to the report by AVG, an antivirus software developer. In their turn, the authors of the study Obstacles to the Adoption of Secure Communication Tools wrote that the vast majority of users do not understand the basic concept of end-to-end encryption.
People used to choose a messenger listening to their heart, not to their brain, but the events in January suggest the opposite trend is on the rise. Users stop focusing on the nice interface and overall popularity of the app and start to pay attention to the security of their data.
Encryption
A messenger to be secured requires any content sent between users to be encrypted and decrypted without involving a third party, i.e., directly on the user’s device. Most applications use the open-source Signal protocol or its variants.
Telegram runs its own closed protocol. However, these protocols provide encryption during data transmission only and do not apply encryption during data processing or after data is received by the end-user. Other functions, such as data storage, user interface framework, and group chat routines, are also vulnerable.
In addition, in the case of Telegram, an attacker can send a recovery code to his phone number, gaining access to your account unless you use two-factor authentication. This enables the malefactors to access the entire history of user communication (except for the history of secret chats.)
In view of all these and other vulnerabilities, end-to-end encryption is by no means a panacea. True, the service operators are unable to view your messages directly. Indirect options are always available though.
Talking about desktop versions, even the most advanced messengers such as Signal and Telegram (which have made privacy and security their priority) are vulnerable. Telegram’s desktop version is vulnerable to session hijacking. Although the additional session will be visible, an average user is unlikely to notice it.
Another problem is that if you wish, you can copy the folder and transfer all unencrypted data and messages to another device. You do not need to be a hacker or have any advanced skills to do this.
It is important to know whether the open-source code is available on the web for viewing and exploring. Of course, a user without advanced skills is unlikely to manage reading it or making sure no vulnerabilities and tracking are taking place, but public availability of the code is a good sign that the developer is willing to be as open as possible with you.
Signal and Telegram have announced open access to their code, but as for the latter, you will not find Telegram’s server-side code available for compiling and using in the intranet, that is, for your internal network. As to the open part of the Telegram code, it gets updated too often, and the code that you can find online is almost always outdated.
An important aspect of security is the inability to identify users. As long as signing up and signing in does not require you to enter your personal details (name, email, phone number), your identity is not likely to be disclosed beyond the limits you set at your discretion. All privacy talks revolve around a single cornerstone question: “If your messenger is so secure and confidential, why does it need to know my phone number?
The Bottom line
Any messenger is vulnerable, like any system that transfers data from client to server and from server to the next client. Although developers actively use and implement all new methods to ensure user security, the costs of an attack on a user and the price of information the attacker wants to get are critical. But more often than not, a comprehensive set of security methods applied make it possible to essentially mitigate an attack targeting a user.
In terms of security, the most protected messenger is the one whose servers you control. Developing such a messaging app for a local corporate network is quite a feasible task. A small team of professionals can complete it within a reasonable time frame. Arranging data storage poses a much more sophisticated challenge.
Proper data processing matters a lot. For example, if your data is kept encrypted and the client is the only holder of the decryption key and there are no backdoors capable of dropping an extra key, you can keep the data on any servers. Otherwise, if someone other than you stores your data (for example, on the servers of a company that develops and maintains the messenger), the risk of leakage remains quite high.
========================
About the Author: David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.