Research: nearly all of your messaging apps are secure

CyberNews Investigation team analyzed the 13 most popular messaging apps to see if the apps are really safe. 


In recent research, the CyberNews Investigation team discovered that a chat service, most likely based in China, had leaked more than 130,000 extremely NSFW images, video and audio recordings of their users. While this messaging service was connected to a company that offered a “private social network,” and therefore with a small user base, we wanted to see the security features of larger messaging apps.

For users of these bigger messaging apps, we have some good news: 86% of the apps (11 of 13) we looked at were secure by default. Only two apps – Telegram and Facebook Messenger – did not have these secure features enabled by default. These results are generally promising, as it signifies that the secure messaging industry is heading in the right direction.

We also found that most of the apps used variations of RSA and AES for encryption and key hashes – which are some of the most secure encryption algorithms available today.

In general, this is good not only for your “late night” messages (NSFW or not), but also for other important activities. We’ve covered before how important it is for people participating in protests around the world – whether Black Lives Matter in the US or anti-Lukashenko in Belarus – to use secure messaging services to coordinate activities and provide support. Our research shows that those users would be wise to use the top secure messaging apps like Signal, Wire, Cyber Dust and others on our list.

Key takeaways

SignalWireQtoxWickr MeViberSessionMessengerCyber DustBriarWhatsAppiMessagePryvateTelegram  In order to perform our analysis, we looked at various aspects of 13 popular secure messaging apps:

Our analysis included the various apps’ transport and encryption standards, keys-exchange principles, and cryptographic primitives.

These are the key results of our analysis:

2 of the messaging apps were not secure by default, and users will have to turn on this security in the settings4 of the secure messaging apps use the industry-trusted Signal Protocol for encryptionOnly two of the apps use P2P for their transport mechanismiMessage does not encrypt messages if they are sent through GSM (used for 2G and 3G)3 out of 13 applications have paid plans that allow more users to access extra featuresMost of the applications use RSA and AES, some of the most secure encryption algorithms available today, for encryption and key hashesThe nature of secure messaging apps

While most of the attention focuses on the most popular secure messaging apps, such as Signal, Messenger, Viber, Telegram and WhatsApp, we wanted to expand our analysis to understand the larger scope of the secure messaging industry. This includes looking at less-popular secure messaging services like Session, Briar, Wickr Me, Wire and Cyber Dust.

For the most part, we were not interested in ranking these apps in any way – rather, we wanted to investigate the applications’ encryption, transport and overall privacy.

What we found was largely positive: all but two of the apps offered security by default, and of those two apps, Telegram and Messenger, both could easily be made secure by changing user settings.

Four of the apps – Signal, Messenger, WhatsApp and Session – used the Signal protocol for end-to-end encryption. In end-to-end encryption, only the sender and the receiver will be able to view the messages, whereas without end-to-end encryption, the messaging app server that sits between the sender and receiver might be able to read the messages. The Signal protocol has become the industry standard for securing messaging, voice and video communications.

One interesting aspect of our analysis was that Apple’s iMessage, which is used in iPhone, iPad, Apple Watch and Mac, only uses encryption on HTTPS. When messages are sent through GSM – a protocol for 2G and 3G devices – they are not encrypted.

Only two apps – Briar and Qtox – use a peer-to-peer (P2P) transport mechanism. P2P here means that there is no server sitting in the middle between the sender and receiver: the messages go directly from one device to the next. While Briar offers other transfer mechanisms, Qtox only uses its TOX P2P, and therefore it has no privacy policy – it doesn’t need it, since it never touches the user’s data.

While nearly all of the messaging services we looked at are free or have a free version, only Wired requires a subscription. That’s because this messaging service is built for corporate use – something like Slack or Microsoft Teams, but with end-to-end encryption.

A caveat: what secure does and doesn’t mean in messaging apps

It’s important to note that there are some limitations when it comes to secure messaging services. This largely depends on what you want to do with the messaging service.

For general usage, it’s important that the messaging service you use has encryption enabled – preferably by default. For the NSFW media files we discovered on an unsecured Amazon bucket, the files were not encrypted, and so that messaging service simply was not a secure choice.

But beyond that, there are users who want as much security as possible – which means near or total anonymity: to not have their messages readable by others, to not be tracked by others, to not be named or connected to communications by others. In this light, most of these messaging services have failed or will fail. And that’s simply the nature of software – all programs have bugs, some more serious than others.

One famous example is WhatsApp, which has had numerous vulnerabilities throughout the years. This includes Israeli spyware that could  install surveillance software on a target’s phone by simply calling them through WhatsApp. Messenger had its share of problems too, where attackers could see who you’ve been messaging with.

Even Signal, probably the messaging app most recommended by cybersecurity professionals, was victim to a rather complex attack where someone could listen in on your surroundings by making a sort of ghost call – calling you through Signal and then pressing mute without the call being seen, to eavesdrop on your conversations.

And that’s just usage by cybercriminals to attack individuals. Law enforcement has been using various methods throughout the years to spy on groups of people. In Hong Kong, a Telegram bug was reportedly exploited by the Chinese government to leak users’ phone numbers. German researchers also discovered that WhatsApp, Signal and Telegram were exposing users’ personal data via contact discovery.

Suffice it to say: none of these apps offer absolute security, and none ever will, since there will always be a workaround by a person or a group with enough time and resources. Even if an app were absolutely secure in and of itself, it wouldn’t be able to mitigate your mistakes. As Telegram’s FAQ nicely puts it:

“We cannot protect you from your own mother if she takes your unlocked phone without a passcode. Or from your IT-department if they access your computer at work. Or from any other people that get physical or root access to your phones or computers running Telegram.”

If you behave unsecurely, no secure messaging app will save you.

Summary table

In the table below, you’ll find all the details about the 13 messaging apps we looked at:

Messaging appTransfer ProtocolsDefault security?EncryptionKeys- Exchange and Cryptographic primitivesSignalHttps / SIP over WebSocketsYesSignal protocol (X3DH + Double ratchet + AES-256)pre-keys + Curve25519, HMAC-SHA256Wickr MeHttpsYesWickr Secure Messaging ProtocolHKDF, SHA-256MessengerHttpsNoSignal protocol (X3DH + Double ratchet + AES-256)pre-keys + Curve25519, HMAC-SHA256WhatsAppHttpsYesAES-256, AES-256 IVPre-keys, HMAC-SHA256TelegramHttps / SIP over WebSocketsNoMTProto 2.0 (AES-256, AES IGE IV 256)Persistent shared key generated via DH, KDF, Double SHA-256WireHttps / SRTPYesAxolotl/Double Ratchetpre-keys + Curve25519, HMAC-SHA256, ChaCha20, AES-GCM-256ViberHttp/Https – RTP(SRTP)YesDouble ratchetpre-keys + Curve25519, SHA256, HMAC_SHA256, ECDHCyber DustHttps, hsts, websocketYes + RAM- based message storageAES-128RSA-2048iMessageHttps / GSMYes (if Http is used)Double AES-128RSAPryvateHttpsYesAES-256RSA-4096, DH key exchangeQtoxTOX p2pYesNaCl via libsodiumCurve25519, xsalsa20, poly1305SessionTOR Onion HttpYesModified Signal protocolpre-keys, AES, 4 DHBriarBluetooth/ Http/Tor onion HttpYesBTPpseudo random function BLAKE2b,authenticated cipher, random numbersInfographic for the table above:

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
catch (error) {}
About the author Bernard Meyer

(SecurityAffairs – hacking, messaging apps)

The post Research: nearly all of your messaging apps are secure appeared first on Security Affairs.