Friday, November 21, 2014
11 Unsecure Mobile and Internet Messaging Apps
Wazzup Pilipinas!
Kaspersky Lab, a leading developer of secure content and threat management solutions, knows that in the age of Internet surveillance, private and secure messaging is a necessity.
The Electronic Frontier Foundation (EFF) recently published a thorough analysis measuring the security and privacy of a long list of mobile and Internet messaging services.
Some providers passed with flying colors, others struggled to make the grade and a number just plain failed.
Interestingly, the list of apps and services that are sleeping on security will, unfortunately, seem all too familiar.
For that reason, this list will focus primarily on the most popular messengers but will also note the poor-scoring, less popular ones.
Context
The EFF issued high or low grades to each service for seven categories. For Kaspersky Lab’s purposes, service providers earned failing grades when they only received zero, one or two “yeses” in the following categories:
Is data encrypted in transit?
Is data encrypted so that even the service provider can’t read it?
Can you identify the true identity of contacts?
Does the provider practice what is known as perfect forward secrecy, meaning crypto-keys are ephemeral so a stolen key won’t decrypt existing communications?
Is the service’s code open-source and available for public review?
Are cryptographic implementation procedures and processes documented?
Has there been an independent security audit in the last 12 months?
The seven points are designed to measure which services offer the best or worst protection against government surveillance, criminal snooping and corporate data collection.
Neither the EFF nor Kaspersky Lab is officially denouncing or endorsing any of the programs discussed. The list merely indicates which applications are consistently not following best practices.
The Really Bad: Zero Checkmarks
Mxit and QQ mobile messengers
Only the Mxit and QQ mobile messengers received zero checks, but there’s a decent chance that you’ve never used either anyway.
Of all seven categories, the fact that Mxit and QQ aren’t encrypting data in transit is why Kaspersky Lab recommends that you do not use either of them: your communications on both apps can be viewed in plain text as they travel from sender to recipient.
The Still Pretty Bad: One Checkmark
Unfortunately, there are four messaging services that nearly all of us have used that received just one out of seven checks.
Yahoo Messenger
A longtime encryption laggard, Yahoo’s messenger service only encrypts user communications in transit. This means that Yahoo (the company) can read your messages or hand them over to law enforcement if they choose to do so.
To be fair, they do issue biannual transparency reports detailing how much information they grant upon government request.
You also cannot verify the identities of your contacts with Yahoo! Messenger. It doesn’t practice perfect forward secrecy, open its code to independent review or document its security design properly.
Finally, the company has not performed a recent code audit. However, Yahoo’s broader Web offerings have come a long way from where they were two years ago in terms of encryption, so there may be hope yet for its messenger as well.
Skype
Microsoft’s as-close-as-it-gets-to-ubiquitous Internet calling and messaging service, Skype, scored just as poorly as Yahoo! Messenger, receiving only one (and the same) checkmark for encrypting data in transit.
It did not receive a second passing mark across any of the subsequent categories. Skype has had a bit of a sordid record in terms of communications integrity and surveillance accusations, namely that the service has taken fire from critics for its alleged susceptibility to snooping. Microsoft has denied these claims.
BlackBerry Messenger
BlackBerry Messenger received the exact same score as both Yahoo! Messenger and Skype. The service run by the company formerly known as Research In Motion – or RIM – does encrypt communications in transit, which is good.
But, it does not encrypt communications so that the provider (BlackBerry) can’t read them, allow users to verify contacts, protect past communications in the event that your keys are stolen, open its code to independent review, properly document security design, nor has it allowed a code audit in the last year.
AIM
AIM, perhaps better known as America Online’s Instant Messenger, has been around for a long time. It’s safe to say that from the late 90’s through the mid-2000’s, AOL’s Instant Messenger was peerless.
While its popularity isn’t what it used to be, particularly among the kids, it is still widely used. Unfortunately, like those mentioned above and below, it encrypts data in transit but doesn’t do a whole lot more.
For what it’s worth, the cross-platform Secret Message app touts itself as secure and the Hushmail email client calls itself private, while each only encrypts data in transit.
The Kik and eBuddy XMS platforms don’t outright advertise their security postures, but they both received the same checkmark as everyone else in this category.
The Better but Still not Good: Two Checkmarks
SnapChat
The popular ephemeral image- and video-sharing application, SnapChat, comes in with two checkmarks. One is for encrypting data in transit as it passes from the sender, through SnapChat’s servers, to the recipient.
The second check is for having performed an audit in the previous year. Like many of the services on this list, SnapChat has been the subject of much criticism, not so much for lacking security, but for failing to follow through on its central premise.
The core idea behind SnapChat is that messages, photos or videos appear for an amount of time, determined by the sender, before disappearing forever. However, the recipient can save images by taking screen grabs, though the sender would be notified.
Even more troubling, an application called SnapHack circumvents SnapChat’s ephemerality altogether, by allowing recipients to simply save ‘snaps’ (that’s what they’re called).
Lastly, researchers have repeatedly claimed that the images never really go away, but merely become harder to find.
Google Hangouts
Likely in the top three in terms of popularity for apps on the EFF’s scorecard, Google’s Hangouts received two checkmarks. Hangouts is cross-platform. It’s not only the built-in Gmail chat client, but it’s also the native chat client for Google Plus as well as for Android devices.
Google encrypts data in transit for Hangouts and has had an audit in the last year. But, it can read your messages, users can’t verify contacts’ true identities, it doesn’t deploy perfect forward secrecy, its code is not open to independent review and its security design is not properly documented.
Facebook Chat
Facebook’s Chat, which is the mobile variety of the Facebook messaging service, gets two checkmarks as well. As popular as any service on the scorecard, Facebook Chat encrypts data in transit and has been audited, but fails across the other categories.
Viber
Viber is surely the least popular service among the two-checks category. While it’s apparently known as a private messenger, it only gets checks for encrypting in transit and carrying out an audit.
This brings us to the increasingly curious case of WhatsApp. WhatsApp is a very popular mobile text messaging service. WhatsApp is so promising that the social media goliath, Facebook, spent a cool $19 billion acquiring it earlier this year.
It’s a sort of data alternative to the SMS texting protocol (as in: it works over the Internet rather than over the cellular network itself). While the EFF gave the service the same two checks that it gave to everyone else in the category, I suspect that could change.
At the moment though, the crypto is only implemented on Android devices for one-on-one communications. So iPhone users will have to wait and group message chains are not as secure yet. However, WhisperSystems says they are working on both of those problems right now.
The bottom line with the WhatsApp crypto announcement is this: WhatsApp is among the most popular and valuable pure messaging services around. That they are starting to take security and privacy very seriously is great news, and hopefully WhatsApp’s competitors will soon follow WhatsApp’s lead.
You can read the EFF’s full report and see how your favorite chat service stacks up.
Never heard any of these before. Good thing I've read it here. So helpful!
This article is very helpful because it aims to focus on the awareness of each individual especially in our time regarding messaging applications. It is very important because it reminds us to be very careful in using different applications. We must always "think before we click". We should not rely on these apps because it is not 100% safe.
This is really helpful. I have used and continually using some of the mentioned apps and I'm quite surprised of the outcomes. I guess we, the users, are too pressured with our fellow mobile and internet users that we always tend to uptake the fads and the trends. Sometimes, we may or may not have been really careful in choosing the apps to download and to use. We should still consider important things especially our security because we are living in a world where almost everything we do is being monitored.
The article was a great help to the many! Thank you Electronic Frontier Foundation (EFF).
This is really an eye opener to all the smartphone users out there. It is really necessary to know what will make your phone slow down or malfunction. Security for an app is really necessary to make it an efficient and trusted up. These apps may offer you a lot but always take note that not all can really be as efficient as what they say they are. These apps may bring you harm, not to you but to your beloved smartphone. Think twice before clicking download!
A very informative article. It was surprising to see those apps belong in the list that can cause malfunctions of phone. This article should be read by those users out there especially those users who continually using messenger apps. THINK BEFORE YOU CLICK! :) Don't just easily believe the good description of an application.
This is a really informative article to all the smartphone users out there. Its main goal is to make the users aware as to what are the dangers of not ensuring the security of the apps you are using which can cause malfunctions. The article is very helpful in preventing people from using these bogus apps.
Chatting requires privacy and security of your messages. Thanks to this post because it informed us the unsafe communication applications that we are probably using. :)
Nowadays, people communicate through online applications like the messaging and chatting applications mentioned in the article. Readers of this article will now be aware of the dangers of not ensuring the security of the applications of our smartphone. This served as a wake-up call to never sacrifice the efficiency of your smartphone for the sake of downloading applications that may help you but may also cause malfunctioning. Think before you tap!
Thank you for posting this article. Without this post I may not have known that our most used apps are really untrusted and that they failed in 5 of 7 categories.
Good info!
What happiness that in this list there is no applications kakaotalk. I was confident in the reliability of the messenger when I downloaded it to my Android here https://downloadkakaotalk.com. Definitely to securely exchange messages and photos you need a well-protected messenger, such as kakaotalk.