SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
25 Nov 2014

11 Unsecure Mobile and Internet Messaging Apps

In the face of widespread Internet surveillance, we need a secure and practical means of talking to each other from our phones and computers.

For years, privacy and security experts worldwide have called on the general public to adopt strong, open-source cryptography to protect our communications. Many companies offer “secure messaging” products — but are these systems actually secure?

The Electronic Frontier Foundation’s secure messaging scorecard rates mobile and Internet messaging services on privacy and security, showing which services scored well and which scored poorly. Let’s focus primarily on the most popular messengers, though some poor-scoring, less popular ones appear as well.

Context

The EFF issued high or low grades to each service for seven categories. For our purposes, service providers earned failing grades when they only received zero, one or two ‘yeses’ in the following categories:

  1. Is data encrypted in transit?
  2. Is data encrypted so that even the service provider can’t read it?
  3. Can you identify the true identity of contacts?
  4. Does the provider practice what is known as perfect forward secrecy, meaning crypto-keys are ephemeral so a stolen key won’t decrypt existing communications?
  5. Is the service’s code open-source and available for public review?
  6. Are cryptographic implementation procedures and processes documented?
  7. Has there been an independent security audit in the last 12 months?

The seven points are designed to measure which services offer the best (or worst) protection against government surveillance, criminal snooping and corporate data collection. The list merely indicates which applications are consistently not following best practices.

The Really Bad: Zero Checkmarks

Only the Mxit and QQ mobile messengers received zero checks, but there’s a decent chance that you’ve never used either anyway. Of all seven categories, the fact that Mxit and QQ aren’t encrypting data in transit is why we recommend that you do not use either of them: your communications on both apps can be viewed in plain text as they travel from sender to recipient.

The Still Pretty Bad: One Checkmark

Unfortunately, there are four messaging services that nearly all of us have used that received just one out of seven checks.

A longtime encryption laggard, Yahoo’s messenger service only encrypts user communications in transit. This means that Yahoo (the company) can read your messages or hand them over to law enforcement if they choose to do so. To be fair, they do issue biannual transparency reports detailing how much information they grant upon government request.

You also cannot verify the identities of your contacts with Yahoo! Messenger. It doesn’t practice perfect forward secrecy, open its code to independent review or document its security design properly. Finally, the company has not performed a recent code audit. However, Yahoo’s broader Web offerings have come a long way from where they were two years ago in terms of encryption, so there may be hope yet for its messenger as well.

Microsoft’s as-close-as-it-gets-to-ubiquitous Internet calling and messaging service, Skype, scored just as poorly as Yahoo! Messenger, receiving only one (and the same) checkmark for encrypting data in transit. It did not receive a passing mark in any of the subsequent categories. Skype has had a bit of a sordid record in terms of communications integrity and surveillance accusations: the service has taken fire from critics for its alleged susceptibility to snooping. Microsoft has denied these claims.

BlackBerry Messenger received the exact same score as both Yahoo! Messenger and Skype. The service run by the company formerly known as Research In Motion – or RIM – does encrypt communications in transit, which is good. But it does not encrypt communications so that the provider (BlackBerry) can’t read them, allow users to verify contacts, protect past communications in the event that your keys are stolen, open its code to independent review or properly document its security design, and it has not allowed a code audit in the last year.

AIM, perhaps better known as America Online’s Instant Messenger, has been around for a long time. It’s safe to say that from the late ’90s through the mid-2000s, AOL’s Instant Messenger was peerless. While its popularity isn’t what it used to be, particularly among the kids, it is still widely used. Unfortunately, like those mentioned above and below, it encrypts data in transit but doesn’t do a whole lot more.

For what it’s worth, the cross-platform Secret Message app touts itself as secure and the Hushmail email client calls itself private, while each only encrypts data in transit. The Kik and eBuddy XMS platforms don’t outright advertise their security postures, but they both received the same checkmark as everyone else in this category.

The Better but Still not Good: Two Checkmarks

The popular ephemeral image- and video-sharing application, SnapChat, comes in with two checkmarks. One is for encrypting data in transit as it passes from the sender, through SnapChat’s servers, to the recipient. The second check is for having performed an audit in the previous year. Like many of the services on this list, SnapChat has been the subject of much criticism, not so much for lacking security, but for failing to follow through on its central premise.

The core idea behind SnapChat is that messages, photos or videos appear for an amount of time, determined by the sender, before disappearing forever. However, the recipient can save images by taking screen grabs, though the sender would be notified. Even more troubling, an application called SnapHack circumvents SnapChat’s ephemerality altogether, by allowing recipients to simply save ‘snaps’ (that’s what they’re called). Lastly, researchers have repeatedly claimed that the images never really go away, but merely become harder to find.

Likely in the top three in terms of popularity for apps on the EFF’s scorecard, Google’s Hangouts received two checkmarks. Hangouts is cross-platform. It’s not only the built-in Gmail chat client, but it’s also the native chat client for Google Plus as well as for Android devices. Google encrypts data in transit for Hangouts and has had an audit in the last year. But, it can read your messages, users can’t verify contacts’ true identities, it doesn’t deploy perfect forward secrecy, its code is not open to independent review and its security design is not properly documented.

Facebook’s Chat, which is the mobile variety of the Facebook messaging service, gets two checkmarks as well. As popular as any service on the scorecard, Facebook Chat encrypts data in transit and has been audited, but fails across the other categories.

Viber is surely the least popular service among the two-checks category. While it’s apparently known as a private messenger, it only gets checks for encrypting in transit and carrying out an audit.

This brings us to the increasingly curious case of WhatsApp. WhatsApp is a very popular mobile text messaging service. WhatsApp is so promising that the social media goliath, Facebook, spent a cool $19 billion acquiring it earlier this year. It’s a sort of data alternative to the SMS texting protocol (as in: it works over the Internet rather than over the cellular network itself). While the EFF gave the service the same two checks that it gave to everyone else in the category, I suspect that could change.

The reason for that change is that just this week, WhatsApp partnered with Open Whisper Systems, adding default encryption to its Android app. As a point of reference for why we think things could change for WhatsApp given this partnership, Whisper Systems’ Signal, RedPhone, SilentText and SilentPhone offerings passed on all seven checks on the EFF’s scorecard. In other words, it appears that WhatsApp will become considerably more secure in the coming days and months.

At the moment though, the crypto is only implemented on Android devices for one-on-one communications. So iPhone users will have to wait and group message chains are not as secure yet. However, WhisperSystems says they are working on both of those problems right now.

The bottom line with the WhatsApp crypto announcement is this: WhatsApp is among the most popular and valuable pure messaging services around. That they are starting to take security and privacy very seriously is great news, and hopefully WhatsApp’s competitors will soon follow WhatsApp’s lead.

OUR POINT 

There are so many "information security" products in different shapes and colors. However, we have realized that many of those are only fashionable tools rather than secure ones. The article that you have just read is further proof of this point. That is why we decided to release our messenger. Even at the final testing stage of our messenger, SafeUM, we are ready to answer all these important questions.

  1. Is data encrypted in transit? Yes, encrypted. Not only the data, but also the transmission channels. Even we cannot read your information, and it is located on servers in encrypted form. We have access only to public information such as a session and IP address. All actions within the system are transparent and exclude the human factor.
  2. Is data encrypted so that even the service provider can’t read it? Yes, protected. All your data is encrypted and stored in the servers' memory (RAM), not on hard drives, and is also protected from seizure.
  3. Can you identify the true identity of contacts? Yes, you can. All users pass the verification procedure, and each of them has a unique digital signature. The signature is generated based on the "pass phrase", which is stored neither on your device nor on our servers. If a user from your contact list changes the "secret key", you will be immediately notified.
  4. Does the provider practice what is known as perfect forward secrecy, meaning crypto-keys are ephemeral so a stolen key won’t decrypt existing communications? Yes, protected. The keys cannot be taken, since they are stored only in RAM and are not transmitted anywhere. The keys do not "pass" through the communication channel, and gaining access to your correspondence is impossible. Session keys are encrypted with every message in the chat, and in order to decipher the conversation, you would need to find the key to each message. This would take decades and all the computing power of the planet. Read more about how the security keys are generated in SafeUM.
  5. Is the service’s code open-source and available for public review? No. For the maximum security and protection of all our users, no one has access to the source code of our application. The development team has implemented unique hybrid encryption methods, which we would like to keep secret, also for reasons of commercial confidentiality.
  6. Are cryptographic implementation procedures and processes documented? Yes. You can read details on the encryption methods and algorithm here.
  7. Has there been an independent security audit in the last 12 months? Not yet, but we are negotiating with the best specialists in the field of encryption, and have already received agreement on that matter. The audit will be conducted by independent and reputable practicing cryptographers.
Tags:
Yahoo Skype SnapChat Viber WhatsApp messenger trends Facebook Google
Source:
Kaspersky Daily