It is highly probable that you use one, two or more messaging apps in your phone. I have four 1) Hangouts because it comes preinstalled in my phone and there is nothing I can do about – yet, it comes in handy when I’m reaching out to friends via PC 2) Telegram, because it is the best out here, 3) WhtasApp because of its insane popularity, and has been pivotal in the development of better messaging apps based on its limitations and 4) Allo, because I want to be supportive to a company that is yet to get a grasp of the dynamics of messaging apps. Others apps in this category include the likes of Messenger and Signal and they all have thousands or millions of loyal users.
The popularity of messaging apps can be explained; people are inherently social beings who want to engage in formal and informal conversations, ask questions, converse about common interests and generally talk about shared activities. Messaging apps thrive in this human characteristic.
However, some of these chat apps do not meet a threshold of what experts can call secure or reliable in terms of privacy. Privacy is getting elusive every day, and in some markets such as the U.S., user data is controlled by internet service providers (ISPs) that are rarely policed. This is after the senate dropped FCC’s broadband privacy regulations because ‘the rules did not solve the issues they claimed to attend to.’ What this means is that ISPs can toy around with your data, and can even sell it to advertising firms without seeking consent. Ideally, they would need to make sure that user data in their reserves is relevant for monetization by implementing creepy measures such as hijacking your searches, peeking into user traffic and planting annoying ads or by injecting tracking cookies in your HTTP traffic, cookies that you can neither detect nor delete. These are some of things that make it too easy for intruders and hackers to target users, which is disastrous thanks to the sensitive nature of information that is exchanged in messaging apps.
Some people, including yours truly (I have since grown up) have argued that laxity in the security of our online exchanges is not a bother because there is nothing to be hidden in such communications. The ‘nothing to hide’ evangelists want you and me to believe that we never take pictures of food, sing loudly in the shower, take selfies while strapped with car seatbelts or are gossip. Admittedly, these are things we do every day and would love them to stay private and in extension, they cement the call for robust security measures in messaging apps because we want these actions to remain private, right?
Now, let’s look at some benchmarks that are used to gauge the security of our messaging apps.
There is a good chance you know what encryption is if you are reading this piece. In a nutshell, it is a mechanism that shelters your information from unauthorized access. In principle, it works by using a mathematical formula referred to as cipher and a key that converts plain text or readable data into cipher text. Popular messaging apps have some form of encryption to enhance privacy. However, encryption can be compromised if select people have access to keys that can unscramble ciphers. This is where end-to-end encryption comes in play because it allows only communicating parties to reach messages. Theoretically, no intruder can get access to the cryptographic keys that are needed to decrypt conversations. Such eavesdroppers may be ISPs, app developers or carriers.
WhatsApp uses Open Whisper Systems Signal Protocol that enables end-to-end encryption that encrypts both text messages, voice and video calls by utilizing an asynchronous procedure under a shared key. Other apps that have employed this solution include Telegram, Facebook Messenger and Signal.
Generally speaking, open-source software is intrinsically more secure than proprietary or closed source software. Making source codes available for scrutiny helps in identifying vulnerabilities – although some argue that it gives attackers access to exploit it. On the other hand, close source apps force users to accept measures that are deemed secure by the distributor.
Signal and Telegram are open-source messaging apps.
Ability to Delete Messages
Some of us have fallen victim of theft or cases where our phones fall into questionable hands. This is made worse if your phone slips off your possession in an unlocked state. Assuming your messaging apps are unprotected by a password, not even encryption can help you. It is because of such circumstances that messaging apps need a feature that allows remote wiping of messages or accounts to stop unauthorized people from giggling or frowning over your typing habits.
Telegram has a web-client where you can log in and end active sessions on your compromised device(s). In fact, you don’t need a PC to use this neat feature because you can use a friend’s Telegram app to log into your account. What’s more, Telegram, together with Signal and Wickr have a self-destruct feature that deactivates user accounts after a set period of inactivity.
Amount of Metadata
Metadata is the information that that we create, store and share to describe stuff, which, in turn, allows us to interact with stuff to obtain the knowledge we need. It is ‘data about data’ and pervasive in messaging apps. In fact, the core features of most messaging apps and other apps thrive on metadata because it is key to the functionality of the systems holding content, and enables users to find interest, records as well sharing that information with others.
It should be remembered that metadata is hardly secured or encrypted as strongly as messages.
Obviously, messaging apps that store less metadata are more secure. It is always vital to check metadata storage policies of your messaging apps.
Only Signal stores the least amount of metadata because it stores data from the last time a user is connected to their servers.
To sum, only Signal checks all the four security boxes stated above. This should pave way for users to gauge the trustworthiness of their messaging apps. While some of these apps may not meet some security measures, we should not throw them out the window. It is paramount that users take security seriously and only share as much with an app as they can trust it.