
All messengers are secure… until the government is interested in your chats

A brief overview of the security and privacy of the most widely used messengers in 2021.

Updated: September 17, 2021 By Ozair Malik


Since the appearance of Android and iOS smartphones and the rapid development of mobile apps, low-cost or free messengers have replaced the SMS service offered by telecom companies.

Before social messaging apps, we used SMS for chatting, but now we prefer instant messaging over SMS. Instant messaging is a type of online chat which offers real-time text transmission via the internet.

All messenger apps provide the main features, including group chats, stickers, emojis, GIFs, and the exchange of pictures and videos. Some apps offer additional features to improve the user experience.

But But But...

Do you believe that the messenger app you use is secure? Isn't the security and privacy of your personal chats vital to you?

Read on to clear up your misconceptions with a thought-provoking yet factual debate on the crucial topic of messenger security and privacy...


Are your messengers secure? 

Yes. Cooltechzone security researchers' audit of social messaging apps reveals that most of them provide essential to advanced levels of security. We observed that most of the messengers used the RSA and AES encryption algorithms, the most secure algorithms available today for encryption and key hashes. But there is a lot more to reveal…

We audited the 6 most popular messenger apps of 2021 based on the number of monthly active users.

  1. WhatsApp – 2 billion
  2. Facebook Messenger – 1.3 billion
  3. WeChat – 1.242 billion
  4. QQ – 606 million
  5. Telegram – 550 million
  6. Snapchat – 514 million

Both the Facebook-owned WhatsApp and FB Messenger were found to be using the industry-trusted Signal protocol for end-to-end encryption. WhatsApp introduced end-to-end encryption for all types of communication in early 2016.

Unlike WhatsApp, Messenger has had end-to-end encryption only for text messages since 2016. Recently, Facebook announced that it is implementing the same on voice and video calls.

Thus, I am convinced that both of these widely used and popular social messaging apps are pretty secure.

Now, let's talk about QQ, owned by the China-based tech giant Tencent. Interestingly, it does not offer end-to-end encryption for any sort of communication over the platform. So, your personal chats can be read and intercepted by governments and hackers. Also, its communication protocol has many flaws (source: the research paper "Security Analysis of Mobile QQ").

Another Tencent-owned messenger, WeChat, is China's most prominent digital space, used for social media, banking, e-commerce, business, digital payments, etc. But users' security and privacy on the platform are highly questionable. It is a magnet for cybercriminals, and almost 50% of fraud incidents investigated by Chinese authorities were conducted via WeChat.

Ironically, WeChat also lacks end-to-end encryption for all sorts of communication over the platform. Hence, there is no privacy over the medium, and users' personal chats are not private.

Telegram, which recently gained popularity amid WhatsApp's stringent privacy policies, is not secure by default, but it can be made secure by tweaking some user settings. Moreover, it does not have end-to-end encryption enabled by default. However, the company claims it to be a safe and private messaging app.

You can, however, opt for "secret chat," a Telegram feature that implements end-to-end encryption. To start a secret chat with a friend, open your friend's profile -> tap on the three dots -> select secret chat.

Lastly, Snapchat, the most famous snap-sharing app among teens, only uses end-to-end encryption for snaps or photos shared between users. Text messages and other communication over the platform are not encrypted at the same level.

However, the researchers behind the paper "Security Analysis of Snapchat" conclude that overall it is relatively more secure than others, and no sensitive information was revealed by the app in the investigation. But vulnerabilities are present in third-party plugins, APIs, and filters.


Do governments read your private chats?

Yes, every government and law enforcement agency (LEA) is interested in your chats. They do read and monitor your conversations and transcribe your calls.

But But But….

Usually, it is only done when they suspect you of some wrongdoing. Nonetheless, if you live in a country like the USA, China, South Korea, or any other with strict surveillance over its citizens, your personal conversations are most likely to be monitored.

The famous and frightening Snowden leaks clearly tell us about the US spy program under which millions of US citizens, along with other nationals, were put under strict NSA surveillance.

The primary reason China's prominent messenger apps QQ and WeChat are not encrypted is that the Chinese authorities want to have access to your every message.

Moreover, the Great Firewall of China filters the contents of each message sent over the platforms according to defined rules. For filtering, it needs to read the contents. Thus, your personal chats are not so private.

Interestingly, governments such as those of the USA, Canada, Australia, the UK, India, Pakistan, etc., are pressuring companies to provide backdoors. The companies are standing firm against this demand, but these governments desperately want to have complete access to your private chats. Thus, privacy is no longer guaranteed even if your messenger is end-to-end encrypted.

Facebook has retaliated against the new policies asking for backdoor entry into the platforms. In an official statement, it said:

We oppose government attempts to build backdoors because they would undermine the privacy and security of our users everywhere. Government policies like the Cloud Act allow companies to provide available information when we receive valid legal requests and do not require companies to build back doors.

Facebook official press release

WhatsApp has filed a lawsuit in Delhi against the Indian government seeking to block the new privacy regulations, which compel the company to break the privacy protection and share user data with the government.

Source—reuters.com


Telegram Vulnerabilities

Telegram uses the MTProto protocol to secure communications between clients and servers as an alternative to the industry-standard TLS protocol. However, security researchers have found some cryptographic vulnerabilities in the protocol.

The end-to-end encryption based on MTProto is neither enabled by default nor available for group chats.

The security researchers disclosed the vulnerabilities to Telegram Developers on 16 July 2021, which included:

  1. An attacker on the network of the client can reorder messages.
  2. An attacker can detect which of two particular messages was encrypted by the server under certain conditions.
  3. Plaintext could be recovered from encrypted messages through code found in the Telegram client's implementation.
  4. Man in the Middle (MITM) attack could be made on the initial key negotiation between the client and server.

The vulnerabilities mentioned above were patched in the subsequent update. But the company neither issued a security advisory nor alerted its users.
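Item 1 in the list above comes down to a general design point: authenticating each message on its own does not protect the order of messages unless the position is part of what is authenticated. The following is an added illustration, not Telegram's code and not MTProto; the key, the frame layout, the sample chat and all function names are constructed for this example.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key for the demo only

def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def seal_unordered(msg: bytes) -> bytes:
    # Weak framing: the MAC covers the message body only.
    return tag(msg) + msg

def seal_ordered(seq: int, msg: bytes) -> bytes:
    # Hardened framing: the MAC also covers an 8-byte sequence number.
    header = seq.to_bytes(8, "big")
    return tag(header + msg) + header + msg

def receive_unordered(frames):
    # Accepts every frame with a valid MAC, in whatever order it arrives.
    out = []
    for frame in frames:
        mac, msg = frame[:32], frame[32:]
        if not hmac.compare_digest(mac, tag(msg)):
            raise ValueError("bad MAC")
        out.append(msg)
    return out

def receive_ordered(frames):
    # Strict in-order receiver: the authenticated counter must match.
    out = []
    for expected, frame in enumerate(frames):
        mac, header, msg = frame[:32], frame[32:40], frame[40:]
        if not hmac.compare_digest(mac, tag(header + msg)):
            raise ValueError("bad MAC")
        if int.from_bytes(header, "big") != expected:
            raise ValueError(f"reordered: got {header.hex()}, expected {expected}")
        out.append(msg)
    return out

def swap_answers(frames):
    # Models delivery in a different order: frames 1 and 3 trade places.
    return [frames[0], frames[3], frames[2], frames[1]]

def accepts(receiver, frames) -> bool:
    try:
        receiver(frames)
        return True
    except ValueError:
        return False

# Constructed conversation: two questions, each followed by its answer.
CHAT = [b"Wire the payment?", b"No", b"Revoke the old key?", b"Yes"]
WEAK = [seal_unordered(m) for m in CHAT]
STRONG = [seal_ordered(i, m) for i, m in enumerate(CHAT)]
```

With the weak framing every MAC still verifies after the two answers trade places, so the receiver sees a conversation that was never sent; with the sequence number inside the MAC the same reordering is rejected.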


Use Signal

If you ask my honest opinion, Signal is the most reliable and secure messenger in 2021.

Signal only has a small number of users, approximately 40 million monthly active users. But these 40 million are those who are really, really, very privacy-conscious.

To support my recommendation, here are some facts about Signal.

  1. Signal is a non-profit organization, so monetary benefits are not its primary goal.
  2. All sorts of communication are end-to-end encrypted. Even the metadata of the message is encrypted.
  3. WhatsApp, Session, and Messenger use the Signal protocol for encryption.
  4. It is Open Source. Thus, the cryptographic community has contributed a lot to the development of a secure protocol.
  5. Elon Musk tweeted, "Use Signal"

I hope these facts are enough to convince you to make Signal your default messenger. But, I would also suggest you do your own research.

Elon Musk tweet screenshot from his official handle, stating "Use Signal"


Conclusion

One cannot say that any messenger is entirely secure and unhackable.

Even SMS sent via GSM is not secure.

Governments worldwide will continue to demand access to your personal chats from companies. In the coming years, the situation will worsen.

Social companies are working very hard to provide secure and private messenger apps. But complete security is a myth, and anyone who believes in it lives in a fool's paradise.

We have presented you with all the observations from our security audit of the most widely used messengers in 2021. Now, the ball is in your court, and you are the one to decide your fate.

If you find any other hidden gem like Signal or find our observations contradictory, please feel free to comment below.

Happy chatting!!!

Author
Ozair Malik
A passionate cybersecurity researcher and writer with a keen interest in digital forensics. A community worker running an Insta blog to raise cybersecurity awareness among laymen.
