Encrypted messaging apps: Everything you need to know
Privacy is hard to come by these days. Malicious actors, large corporations, and governments are constantly trying to look over your shoulder when you’re online.
But some in the tech community are fighting back. Tools like ad blockers, no-track browsers, and VPNs can help keep digital snoops in check.
One of the most important of these technologies is encrypted messaging, which is available through a number of third-party and native applications.
So how do these messengers work? Are they all the same? And the million dollar question: Are they truly secure? Here’s what you need to know:
End-to-end encryption is the “key”
In the world of mobile messaging, the most secure apps are the ones which offer end-to-end encryption (E2EE). So what is end-to-end encryption, and how does it keep you safe?
End-to-end encryption means that the contents of a message can only be read by the sending and receiving parties. Even the companies handling the message data—including app developers, ISPs, and telecom companies—can’t decipher the messages, because they don’t have access to the decryption keys.
This means that your message can never fall into the hands of bad actors in the same way that personal information does in a data breach. It also means that tech companies can never be forced to hand over your communications to a government or law-enforcement agency: You can’t give Big Brother what you don’t have!
How does E2EE work?
End-to-end encryption is a form of public key cryptography. When public key cryptography is used for secure messaging, the message sender generates a mathematically linked pair of numbers. The receiver also generates their own mathematically linked pair of numbers.
One of these numbers is called the “private key”. The sender and receiver each have their own private key. They don’t share the private key with one another—or with anyone else. In the case of mobile messaging, this means that the private key is kept on the owner’s physical device and nowhere else (i.e. it is never stored on some company’s servers).
The second number that each party generates is called the “public key”. The sender and receiver each have their own public key. The sender’s public key is linked to the sender’s private key, and the receiver’s public key is linked to the receiver’s private key.
As the name implies, the public key can be shared. Because each public key is linked to a single private key, it is therefore linked to a specific individual. In this sense, a public key is a bit like an email address. Many people can know your email address, even though only you can log into your account.
However, because of the mathematical linkage between public and private key, the public key isn’t just a destination for a message: It is also a cryptological tool. This is where the public key’s real power lies: It can be used by anyone who has it to encrypt a message that can only be decrypted with the corresponding private key.
This makes it possible for the sender to encrypt a message at their end, using the receiver’s public key, which can only be decrypted with the receiver’s private key. Thus the sender can send a message which can only be read by the receiver—and all without the sender or anyone else ever needing to have access to the receiver’s private key.
The original sender, of course, has their own public and private key as well. This means that the receiver can send an encrypted reply using the original sender’s public key. This is how two-way, end-to-end encrypted messaging is possible.
Are all messengers E2EE?
In the world of mobile messaging, the most secure apps are the ones which offer end-to-end encryption by default. This includes third-party messaging apps like WhatsApp and Signal; it also includes the native iOS messaging services iMessage and FaceTime. Pointedly, this does not include Facebook Messenger and Telegram, which both offer end-to-end encryption in a “secret” mode, but not by default. Slack’s messaging service, along with Google’s forthcoming RCS-based messenger, do not offer end-to-end encryption at all.
But even within the world of apps offering E2EE, there are important distinctions to consider. For one thing, it’s probably a good idea to think about who owns the app in question—and ask yourself if you really trust that party.
Both iMessage and FaceTime, of course, are owned by Apple. And while Apple is certainly not perfect, they do have a pretty decent track record of respecting their users’ privacy. They’ve also shown a willingness to stand up to law-enforcement agencies attempting to access user data in a way that could undermine the overall security of the iOS platform. WhatsApp is a bit more problematic, as it has now been acquired by Facebook. While we don’t want to cast aspersions, Facebook’s record on privacy has been, frankly, worrisome. Whether that could have implications for WhatsApp users is an open question, but it does give one pause.
Telegram and Signal are comparable apps in many respects, but they do have one important difference: Signal is completely based on open-source software, while Telegram is only open-source on the client side (its server-side code is private). Telegram also uses their own encryption standard, instead of one of the many other proven encryption protocols which are publicly available. This has led some observers to wonder whether the proprietary encryption method used by Telegram is really as secure as the company says.
Is it really secure?
End-to-end encryption apps are great ways to protect your privacy, but they aren’t magic. And unless users realize this, they may be operating with a false sense of security.
For one thing, as mentioned above, not all apps which offer E2EE do so by default. So if you’re sending messages with Skype, Facebook Messenger, or Telegram, your communications aren’t encrypted end-to-end if you aren’t using the app’s “secret” mode.
Another potential privacy issue has to do with the devices on which these apps operate. In particular, they suffer from the simple vulnerability that affects any physical device: They can be lost, stolen, or accessed by a malicious party. If you haven’t set a strong passcode on your device or enabled some form of biometric identification, you could be at risk. Your encrypted communications protocols won’t mean much if someone gets hold of your unlocked phone and starts reading your messages!
For people living or traveling in parts of the world where the police are essentially above the law, it’s important to bear in mind that encrypted communications cannot protect you in situations when it’s just you, your iPhone, and a roomful of hardened interrogators. Perhaps it goes without saying, but dissidents, activists, and journalists in such places should pay as much attention to practical self-protection measures as technological ones.
Lastly, while E2EE apps themselves may be secure, mobile devices are still vulnerable to malware attacks. If a bad actor manages to gain remote access to your device, then they could potentially read or exfiltrate your messages just as easily as if they had physical access to the device. Unfortunately, this scenario doesn’t just refer to cybercriminals and hacktivists. There is plenty of evidence that nation-state actors have gone all-in on mobile malware. This evidence includes a WikiLeaks document which revealed that the CIA had found a way to compromise mobile devices using malware they’d developed—specifically as a way to read messages encrypted by Signal.
Is it worth using E2EE?
With those things in mind, is it actually worth the trouble to set up E2EE apps on your phone?
The answer is a clear yes.
Traditional messaging protocols like SMS or unencrypted messengers are vulnerable to snooping, hacking, and surveillance. Anyone who knows how to monitor and capture network traffic could, at least potentially, eavesdrop on your communications.
There are also ways to mitigate the vulnerabilities of E2EE in order to make the technology even more secure. Choosing an app that uses end-to-end encryption by default is a good start. Practicing good physical device security is crucial: Always make sure your mobile devices have passcodes or biometric locks, and never leave them unattended. Lastly, remember that platforms like iOS are extremely secure, provided that they aren’t running with known vulnerabilities! Update your OS regularly to make sure you have the latest security patches, and you will dramatically decrease the likelihood of a hacker compromising your device and accessing your messages directly.
In short, while almost no technology is truly failsafe, a few basic precautions and a good E2EE messaging app can provide you with a reasonable expectation of privacy—much better than the alternative, and about as good as it gets in cybersecurity.
If you’d like to learn more about online privacy, you may be interested in our Guide to VPNs for Mac Users or this introduction to Tor.