Wednesday September 18th, 2019

Most people are familiar with SMS and after twenty-odd years, they should be. However, SMS is far from secure. If you’re discussing things where privacy and security are paramount, then it’s time to look at an encrypted messaging app.

Why might you need one? Well, the mainstream media would have you believe that encrypted messaging is just for terrorists, but that’s not really true. From discussing corporate secrets, to sharing private messages with family and friends, encrypted messaging has a place for most people. It means no one – not the app maker, not your carrier, and not the government – can see or read what you’re exchanging; it’s truly private.

There are other benefits too – these apps often work on more than one device, meaning you can message from your computer or a tablet, as well as your phone. If you get a new phone, it’s also easy to get your messages on the new device. Unlike SMS, which many carriers charge for (especially overseas), messaging apps that use data are generally free of charge.

So, how do you pick one?

The gold standard is the open-source app called Signal. By default, it encrypts all your messages, chats and video chats with other Signal users. A good number of security professionals and cryptography experts have gone through Signal’s code, and verified its ability to secure your communications. Besides your phone number, almost no metadata is collected, meaning that even if someone got access to Signal’s data, they’d get next to nothing.

Not only are all Signal messages encrypted – so data from Signal would be garbage anyway – but messages can be set to expire, you can lock the Signal app separately to your phone (requiring another layer of security to get in), and senders can even mask their phone number for further privacy.

However, it’s not just Signal

Ausdroid uses Telegram, and we recommend it to family and friends. It offers most of the features of Signal, but we must acknowledge it’s not quite as secure. Messages are not encrypted by default, unless you use a “Secret Chat”. However, in that mode, end-to-end encryption is the default, messages can be set to expire, and nothing remains on Telegram’s servers. The service isn’t without its criticism, though: “Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout,” OpSec expert The Grugq concludes in a damning assessment of the technology. “I couldn’t possibly think of a worse combination for a safe messenger.”

For now, WhatsApp is a viable alternative, offering relatively secure end-to-end encryption, but it is owned by Facebook, so that could change at any time. With enough privacy concerns about Facebook as it is, WhatsApp should probably not be considered as secure or reliable. Facebook Messenger is even worse.

Apple users have an option built in to their devices, but it’s limited; it only works on Apple. iMessage is secure, encrypted, and used by millions. However, if you use an Android, or a Windows desktop, you’re out of luck.

There are, of course, other apps out there offering secure features for your private messages, but these are the main ones.

Verify who you’re talking to

Encryption is well and good, but you need to be sure that you’re talking to who you think you are. Not much good encrypting your messages, if they’re going to the wrong place!

Signal, WhatsApp and Telegram each have a way to do this, variously called secret numbers, codes or icons. The process is called key verification, and it is easy to carry out. You just need to be sensible.

The best way to do this is to meet in person; establish a secret chat when you’re both in the same place, verify the keys (codes, numbers, whatever) match, and then off you go.

If you’re doing this remotely, it’s a bit harder. If you know the person and recognise their voice, you can call them up on the phone and verify that the keys match. If you don’t know the person that well, or you can’t call them, you’re left with verifying their identity another way and that’s a bit trickier.

For a good read on key verification used by the major apps, check out this story on Medium.
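To show why comparing codes works, here is an added example (not from the original article, and not the actual algorithm used by Signal, WhatsApp or Telegram): a simplified scheme derives one short code from both parties' public keys, so a key swapped in transit makes the two screens disagree. The function names, keys and identifiers are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes, user_id: str, rounds: int = 1000) -> str:
    """Stretch one party's public key and identifier into 30 decimal digits."""
    digest = user_id.encode() + public_key
    for _ in range(rounds):
        digest = hashlib.sha512(digest + public_key).digest()
    # Six 5-digit groups, each derived from 5 bytes of the final digest.
    groups = [int.from_bytes(digest[i:i + 5], "big") % 100000
              for i in range(0, 30, 5)]
    return "".join(f"{g:05d}" for g in groups)

def comparison_code(key_a: bytes, id_a: str, key_b: bytes, id_b: str) -> str:
    """Join both fingerprints in sorted order so each end shows the same code."""
    return " ".join(sorted([fingerprint(key_a, id_a), fingerprint(key_b, id_b)]))

def codes_match(shown_to_me: str, read_out_by_contact: str) -> bool:
    """Compare the code on my screen with the one my contact reads out."""
    return hmac.compare_digest(shown_to_me.encode(), read_out_by_contact.encode())

# Constructed sample keys (hashes of labels, not real key material).
ALICE_KEY = hashlib.sha256(b"constructed key: alice").digest()
BOB_KEY = hashlib.sha256(b"constructed key: bob").digest()
SUBSTITUTE_KEY = hashlib.sha256(b"constructed key: not bob").digest()
ALICE_ID, BOB_ID = "alice", "bob"  # constructed identifiers

def verify_session(key_alice_sees_for_bob: bytes) -> bool:
    """Return True when Alice's and Bob's devices display the same code."""
    alice_screen = comparison_code(ALICE_KEY, ALICE_ID, key_alice_sees_for_bob, BOB_ID)
    bob_screen = comparison_code(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    return codes_match(alice_screen, bob_screen)

if __name__ == "__main__":
    print("keys delivered intact:", verify_session(BOB_KEY))
    print("key replaced in transit:", verify_session(SUBSTITUTE_KEY))
```

The comparison only helps if the two codes are exchanged over a channel the messaging service does not control, which is why the article recommends meeting in person or a voice call with someone you recognise.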

Some other tips

Cloud backups often aren’t as secure as the messaging apps themselves. If security is your main concern, don’t back up anything anywhere.

Desktop apps can be quite buggy, and they rely on far more complex operating systems that can themselves be compromised. Not much point having a secure conversation on a compromised Windows machine. The old maxim is true – a chain is only as strong as its weakest link. If someone can see your conversation over your shoulder, or is monitoring your computer’s display, you’re not secure at all.

Set your messages to expire if they’re especially sensitive. Yes, it means you might have to send them again if they get missed, but it also means that – after a preset period – those messages no longer exist.

Keep your messaging apps up to date. Often, bugs are fixed and patches released fairly quickly. Always update your messaging apps and follow any guidance (e.g. restarting your phone or PC). It’s for your own good.

Chris Rowland   Managing Editor

Chris has been at the forefront of smartphone reporting in Australia since smartphones were a thing, and has used mobile phones since they came with giant lead-acid batteries that were "transportable" and were carried in a shoulder bag.

Today, Chris publishes one of Australia's most popular technology websites, Ausdroid. His interests include mobile (of course), as well as connected technology and how it can make all our lives easier.

Join the Ausdroid Conversation

Les
Guest

Governments don’t like whistleblowers who leak to the media about wrongdoing by the government.

The government will root out and imprison whistleblowers they find. That’s why the government wants to put back doors in encryption, so they can eavesdrop on the population and find who journalists’ sources are.

This isn’t about privacy. It’s about democracy.

BrainBeat
Guest

The problem now is that this statement, “It means no one – not the app maker, not your carrier, and not the government – can see or read what you’re exchanging; it’s truly private.”, may not be true anymore. Sure, the legislation is said to help catch the “bad people” but it is just as likely to ruin the privacy of everyone.

itsabadworld
Guest

Agreed, encryption doesn’t mean it won’t be read.

The problem is the government might be targeting “bad guys” but how does it find them? At some point they’ll need to identify targets – and some of that is via traditional intelligence, but you can bet some of that will be by harvesting every message sent via encrypted apps and filtering them by keywords and/or metadata.

Your privacy is dead, encryption might stop casual spying, but nothing more.

Itsabadworld
Guest

Wickr should be considered, recognising it’s closed source.

You’ve not really touched upon the Australian government’s pending legislation, which forces developers to put back doors in.

Noting that most of the apps are developed O/S, the only workable way for the government to spy will be to put back doors in Google Play/Apple App Store, so that your device spies on the decrypted messages before they are sent (or after receipt).

dazweeja
Ausdroid Reader

Telegram may be convenient but you would never use it for privacy, because as mentioned here, it has wonky, homebrew, closed-source, Russian encryption.
