Most people are familiar with SMS and, after twenty-odd years, they should be. However, SMS is far from secure: messages travel and are stored in the clear on the carrier's network, so your carrier, and anyone with access to it, can read them. If you're discussing things where privacy and security are paramount, then it's time to look at an encrypted messaging app.
Why might you need one? Well, the mainstream media would have you believe that encrypted messaging is just for terrorists, but that's not really true. From discussing corporate secrets to sharing private messages with family and friends, encrypted messaging has a place for most people. It means no one – not the app maker, not your carrier, and not the government – can see or read what you're exchanging; it's truly private. That protection covers the content of your messages while they are in transit and on the provider's servers; it does not hide the fact that you and the other person are talking, and it can't help if either phone has been compromised.
There are other benefits too – these apps often work on more than one device, meaning you can message from your computer or a tablet as well as your phone. If you get a new phone, it's usually straightforward to move your messages across (with an end-to-end encrypted app this means restoring your own backup, since the provider never holds a readable copy). Unlike SMS, messaging apps that use data are generally free of charge, whereas many carriers charge for SMS (especially overseas).
So, how do you pick one?
The gold standard is the open-source app Signal. By default, it end-to-end encrypts all your messages, voice calls and video calls with other Signal users. A good number of security professionals and cryptographers have gone through Signal's code and protocol and verified its ability to secure your communications. Besides your phone number, almost no metadata is collected: Signal's published responses to subpoenas show it can produce only the date an account was created and the date it last connected, so even if someone got access to Signal's data, they'd get next to nothing.
Not only are all Signal messages encrypted – so a copy of Signal's server data would be ciphertext anyway – but messages can be set to expire, you can lock the Signal app separately from your phone's lock screen (requiring another layer of security to get in), and with its “sealed sender” feature Signal's own servers don't even see who sent a message.
However, it’s not just Signal
Ausdroid uses Telegram, and we recommend it to family and friends. It offers most of the features of Signal, but we must acknowledge it's not quite as secure. Ordinary Telegram chats are encrypted only between your device and Telegram's servers, so Telegram itself can read them; they are not end-to-end encrypted unless you use a “Secret Chat”. In that mode, messages are end-to-end encrypted, can be set to expire, and Telegram says nothing remains on its servers. The service isn't without its critics, though: “Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout,” OpSec expert The Grugq concludes in a damning assessment of the technology. “I couldn't possibly think of a worse combination for a safe messenger.”
For now, WhatsApp is a viable alternative: it end-to-end encrypts chats and calls by default, using the Signal Protocol. But it's owned by Facebook, and that could change at any time. With enough privacy concerns about Facebook as it is, WhatsApp should probably not be relied on as secure in the long run. Facebook Messenger is worse still: at the time of writing, only its opt-in “Secret Conversations” are end-to-end encrypted, not ordinary chats.
Apple users have an option built in to their devices, but it's limited; it only works on Apple hardware. iMessage is end-to-end encrypted and used by millions. However, if you use an Android phone or a Windows desktop, you're out of luck, and if you message someone who isn't on iMessage, your iPhone quietly falls back to plain SMS (the green bubbles).
There are, of course, other apps out there offering secure features for your private messages, but these are the main ones.
Verify who you’re talking to
Encryption is all well and good, but you need to be sure that you're talking to who you think you are. End-to-end encryption protects messages to whoever holds the key at the other end, so if someone has swapped their own key in for your friend's, you're encrypting straight to the interceptor. Not much good encrypting your messages if they're going to the wrong place!
Signal, WhatsApp and Telegram all have a way to do this, variously called safety numbers, security codes or key images. It's called key verification, and it's easy to do. You just need to be sensible.
The best way to do this is to meet in person: with both of you in the same place, open the chat (a secret chat, in Telegram's case), verify that the keys (codes, numbers, whatever) match by scanning each other's code or reading the digits side by side, and then off you go.
If you're doing this remotely, it's a bit harder. If you know the person and recognise their voice, you can call them up on the phone and read the numbers out to each other to check they match. If you don't know the person that well, or you can't call them, you're left with verifying their identity another way, and that's a bit trickier. Whatever you do, check over a different channel from the app itself; confirming a key by sending it through the very chat you're trying to verify proves nothing.
For a good read on key verification used by the major apps, check out this story on Medium.
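If you're curious what those "numbers" actually are and why comparing them catches an interception, here's a short Python sketch. It's an added example written for this article, not code from Ausdroid, Signal or any other app. It follows the general shape of Signal's numeric safety number (hash each party's long-term identity public key with a stretching loop, render each as 30 decimal digits, sort and join), but the key encodings, identifiers and demo keys are constructed for illustration rather than a byte-exact reimplementation.

```python
"""Key verification ("safety number") worked example.

Added example; not code from Ausdroid or from any messaging app. Modelled on
the general construction Signal uses for its numeric safety number, with
illustrative constants. Demo keys and identifiers below are constructed.
"""
import hashlib
import hmac

ITERATIONS = 5200        # hash-stretching rounds (Signal uses the same count)
VERSION = b"\x00\x00"    # fingerprint format version prefix (illustrative)


def _half_fingerprint(identity_key: bytes, stable_id: bytes) -> str:
    """30 decimal digits derived from one party's identity key and identifier."""
    h = hashlib.sha512(VERSION + identity_key + stable_id).digest()
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    # Six 5-digit groups, each taken from 5 bytes of the digest (big-endian).
    return "".join(
        f"{int.from_bytes(h[i:i + 5], 'big') % 100000:05d}" for i in range(0, 30, 5)
    )


def safety_number(my_key: bytes, my_id: bytes, peer_key: bytes, peer_id: bytes) -> str:
    """60-digit number both parties compute; sorting the halves makes it symmetric."""
    halves = sorted([_half_fingerprint(my_key, my_id), _half_fingerprint(peer_key, peer_id)])
    return "".join(halves)


def format_safety_number(sn: str) -> str:
    """Display form: groups of five digits, as the apps show them."""
    return " ".join(sn[i:i + 5] for i in range(0, len(sn), 5))


def keys_verified(shown_here: str, read_out_by_peer: str) -> bool:
    """Compare what your screen shows with what your contact reads out.

    Spaces are stripped so a number read over the phone still matches, and the
    comparison is constant-time so timing can't leak how many digits agreed.
    """
    a = shown_here.replace(" ", "")
    b = read_out_by_peer.replace(" ", "")
    return hmac.compare_digest(a, b)


# Constructed demo identity keys (32 arbitrary bytes each) and identifiers.
ALICE_KEY = bytes(range(0, 32))
BOB_KEY = bytes(range(32, 64))
MALLORY_KEY = bytes(range(64, 96))
ALICE_ID = b"+61400000001"
BOB_ID = b"+61400000002"


def honest_exchange() -> bool:
    """Alice and Bob each see the other's real key: their numbers match."""
    alice_sees = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    bob_sees = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    return keys_verified(alice_sees, bob_sees)


def mitm_exchange() -> bool:
    """Mallory sits in the middle and hands each side her own key as the other's.

    Each side still has an encrypted chat, but with Mallory. The two screens
    now show different numbers, which is exactly what verification catches.
    """
    alice_sees = safety_number(ALICE_KEY, ALICE_ID, MALLORY_KEY, BOB_ID)
    bob_sees = safety_number(BOB_KEY, BOB_ID, MALLORY_KEY, ALICE_ID)
    return keys_verified(alice_sees, bob_sees)


if __name__ == "__main__":
    sn = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    print("Alice and Bob both see:", format_safety_number(sn))
    print("honest exchange verifies:", honest_exchange())
    print("intercepted exchange verifies:", mitm_exchange())
```

The point of the sort in `safety_number` is that Alice and Bob compute the same 60 digits regardless of who is "me" and who is "peer", which is what lets you read the number out in either direction. In the intercepted case each party's chat is still encrypted, just to Mallory, and the only thing that reveals it is that the two screens disagree.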
Some other tips
Cloud backups often aren't as secure as the messaging apps themselves: if the backup isn't encrypted with a key only you hold, a readable copy of every message sits somewhere the provider (or anyone who can compel it) can get at, undoing the app's encryption. If security is your main concern, don't back up your chats to the cloud at all.
Desktop apps can be quite buggy, and they run on far more complex operating systems that can themselves be compromised. There's not much point having a secure conversation on a compromised Windows machine. The old maxim is true – a chain is only as strong as its weakest link. If someone can see your conversation over your shoulder, or is monitoring your computer's display, you're not secure at all.
Set your messages to expire if they're especially sensitive. Yes, it means you might have to send them again if they get missed, but it also means that – after a preset period – those messages no longer exist on either phone. Bear in mind that nothing stops the other person screenshotting a message before it disappears.
Keep your messaging apps up to date. Bugs are often fixed and patches released fairly quickly, but they only protect you once installed. Always update your messaging apps and follow any guidance (e.g. restarting your phone or PC). It's for your own good.
Governments don’t like whistleblowers who leak to the media about wrongdoing by the government.
The government will root out and imprison whistleblowers they find. That's why the government wants to put back doors in encryption, so they can eavesdrop on the population and find who journalists' sources are.
This isn’t about privacy. It’s about democracy.
The problem now is that this statement, “It means no one – not the app maker, not your carrier, and not the government – can see or read what you’re exchanging; it’s truly private.”, may not be true anymore. Sure, the legislation is said to help catch the “bad people”, but it is just as likely to ruin the privacy of everyone.
Agreed, encryption doesn’t mean it won’t be read.
The problem is the government might be targeting “bad guys”, but how does it find them? At some point they’ll need to identify targets – and some of that is via traditional intelligence, but you can bet some of that will be by harvesting every message sent via encrypted apps and filtering them by keywords and/or metadata.
Your privacy is dead, encryption might stop casual spying, but nothing more.
Wickr should be considered, recognising it’s closed source.
You’ve not really touched upon the Australian government’s pending legislation, which forces developers to put back doors in.
Noting that most of the apps are developed O/S, the only workable way for the government to spy will be to put back doors in Google Play/the Apple App Store, so that your device spies on the decrypted messages before they are sent (or after receipt).
Telegram may be convenient but you would never use it for privacy, because as mentioned here, it has wonky, homebrew, closed-source, Russian encryption.