The Hated One

Guide to choosing a secure messaging app

Securing your digital communications should be your highest priority when going online. There are just way too many threats to trust any company with your private data. Companies care more about their bottom line than about fixing bugs in their software or poorly secured data centers. And they definitely don’t care if they expose your digital life to harassment, scammers, fraud and data-mining advertisers. 

Can you actually find a secure messaging app you can trust? And how can you make sure an app that promises encryption won’t turn evil? 

Well, ever since the Snowden leaks on N.S.A. mass surveillance, we have more options than ever before. You can thank the broad community of security researchers and developers on the front lines in the war against data mining and surveillance. 

We can actually create our own purity test with a set of features to choose from for all of our specific threat models. So after reading this article, you will know how to choose the most secure messaging app to defend your conversations against any form of attack you might be likely to encounter.

To build our purity test, there is a set of questions that can help us filter which apps provide reasonable security and which ones don’t. The first question is an absolute standard below which you shouldn’t go. Does your app support end-to-end encryption? In today’s day and age, when data breaches are business as usual, and where Facebook and Google let third parties read your private messages or target their content with ads, it’s absolutely necessary that no one but your recipients can read your convos. 

End-to-end encryption means your message is encrypted before it is sent out from your device, and it is decrypted only when it reaches your contact’s device. Even if it is stored in a database, only you have access to your decryption keys and thus no one else can decrypt your communication. 

What you also need to know is whether the app encrypts all conversations by default, or whether users have to opt in by toggling some settings. If the app provides encryption only as a feature that needs to be manually enabled, users will be prone to making mistakes. The best app for security is the one that only sends encrypted messages and doesn’t fall back to plain text mode under any circumstances. 

Now this is an ideal world. In reality, not all end-to-end encryption has been created equal. Some companies offer snake-oil encryption – where they have access to your encryption keys and can thus intercept your exchange any time they want. And many others give you promises, but you have to trust their word, because they keep their implementation of strong open source cryptography proprietary. 

That is why the end-to-end encryption question needs to be immediately followed by another one – is the app fully open source or free software? This isn’t just a question of licensing. The most secure designs are the ones you don’t have to trust. When developers of secure systems hide their source code, we can’t verify that they haven’t built a backdoor into their implementation. 

But don’t be fooled by false advertising – just because an app uses open source cryptography doesn’t mean it’s fully open source. Most still keep the rest of the source code, including their implementation of the open source encryption, proprietary. Commercial apps like iMessage or WhatsApp in particular pack in so many features that their source code becomes too complex for a single company to patch all the bugs. The more eyes on the code, the more secure it becomes. 

The third question on the purity test is: how is the app making money? Cryptographers and developers are expensive. Maintaining servers that handle a lot of content and bandwidth isn’t cheap either. Who is paying for all that? Usually, the saying goes – if it’s free, you’re the product. But in the world of open source, that is not necessarily the case. Many open source app developers are part of non-profit organizations and they tend to live off donations and sponsorships. Some do have a business model where they make money somewhere else – by offering premium versions, or selling hardware. If the team behind an app is publicly facing and you can verify who they are and how they earn a living, they most likely take security seriously. If they are hiding behind good PR and corporate speak and you can’t find out who’s backing them, or their company is in the advertising business, that’s a red flag. 

The fourth question is a bit contested. Where is the organization’s jurisdiction? This covers where the company is legally registered, where it conducts business from and where it hosts user data. Every Internet service is going to handle some user data for some period of time. They could be forced by law enforcement to log their users or hand over any data to the government. As general advice, it is recommended to avoid providers from the Five Eyes surveillance alliance. But that on its own isn’t disqualifying, if the organization can prove they don’t retain any sensitive or potentially incriminating user data. 

Which leads to our fifth question – what is the app’s metadata policy? This can be found in the privacy policy published directly on their website. I call it metadata policy, because that’s your biggest concern with encrypted apps. You want to read what information they collect as well as whom they share your data with. The general rule of thumb is – the shorter the policy, the better. If it spans several pages explaining how they handle every bit of metadata they collect, that’s a big sign to stay away. The best privacy policy states – we don’t collect any user data and we delete all data once it is no longer necessary to deliver the message. 

Speaking of metadata, the next question asks – can you create an account anonymously? This is gonna be important to some people more than others. If you are targeted by someone who knows your identity, like the government or the Italian mob, then you want full anonymity. If your app requires a phone number or an email, you are not anonymous. Even if you can get a burner SIM, it’s still associated with your general location. Emails can be anonymous, but only if they were created over Tor and never exposed to the clear net. Which is something that isn’t so easy to achieve. The most anonymous account creation is one where you can download the app over a Tor connection, outside of the Google Play Store or Apple App Store, create an anonymous identity straight away and run the app over Tor at all times. Only a handful of apps meet these criteria. But you might not need it unless you expect to be targeted. 

Your communication can only be as secure as its weakest link. And if you can’t verify your contact’s identity, someone can hack into your contact’s account and read your conversations or even pretend to be your contact. Which is why you need to ask – does my app offer contact verification? If you are a newcomer to privacy, contact verification may be a novel concept for you. But it is a powerful feature that can prevent hackers from taking over your conversations. Contact verification usually takes the form of comparing fingerprint codes over a phone call or scanning each other’s QR codes in real life. And if a hacker logs in with a new device, your app will alert both of you about the new, unverified device. 
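To make the fingerprint comparison concrete, here is an added example (not code from the article or from any messaging app) that derives a 30-digit code from each party’s long-term identity key, combines both into one string that Alice and Bob can read to each other, and shows that a substituted key on one side produces a mismatch. The key sizes, identifiers and iteration count are assumptions chosen for illustration.

```python
import hashlib
import secrets


def fingerprint(identity_key: bytes, user_id: str, iterations: int = 5200) -> str:
    """Turn a long-term identity public key into a 30-digit code.

    The key is bound to the user identifier and hashed repeatedly, so that
    grinding for a different key with a similar-looking code is expensive.
    """
    digest = identity_key + user_id.encode()
    for _ in range(iterations):
        digest = hashlib.sha512(digest + identity_key).digest()
    # Six groups of five decimal digits: short enough to read out on a call.
    groups = [str(int.from_bytes(digest[i:i + 5], "big") % 100000).zfill(5)
              for i in range(0, 30, 5)]
    return " ".join(groups)


def safety_number(my_key: bytes, my_id: str, their_key: bytes, their_id: str) -> str:
    """Both parties compute the same string from the two identity keys, so the
    codes can be compared by voice or by scanning each other's QR code."""
    codes = sorted([fingerprint(my_key, my_id), fingerprint(their_key, their_id)])
    return " | ".join(codes)


def verification_demo() -> tuple[bool, bool]:
    # Constructed sample keys; a real app would use e.g. X25519 public keys.
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    # Honest exchange: the server relays Bob's genuine key to Alice.
    alice_view = safety_number(alice_key, "alice", bob_key, "bob")
    bob_view = safety_number(bob_key, "bob", alice_key, "alice")
    honest_match = alice_view == bob_view
    # Key substitution: Alice is handed a different key under Bob's name
    # (a compromised server, or an unverified new device on Bob's account).
    other_key = secrets.token_bytes(32)
    alice_view_substituted = safety_number(alice_key, "alice", other_key, "bob")
    mismatch_detected = alice_view_substituted != bob_view
    return honest_match, mismatch_detected
```

The comparison only helps if it happens over a channel the server does not control, which is why apps ask you to do it in person or by voice.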

If you can’t 100% rely on the physical security of your device, does your app provide disappearing messages? Self-destructing messages are a really neat feature that gives you the peace of mind that even if you lose your phone, your conversation will be automatically deleted after a preset expiration time. This can be anywhere from weeks all the way down to just a few seconds. But if your adversary obtains your private decryption key from your device and they already have your encrypted messages, then they could decrypt your conversations. Not, however, if your app generates a new encryption key for every message, so that even if the keys from the last message are compromised, they can’t be used to decrypt past conversations. And that’s why the next question on the purity test should be: does your app’s encryption provide forward secrecy?
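The per-message key idea above, as an added example that is not from the article or any real app: a hash ratchet derives a fresh key for each message from a chain key that only moves forward and is then discarded, so the state left on a lost phone cannot be walked backwards to earlier messages. The shared secret, the message texts and the HMAC-based toy stream cipher (standing in for a real AEAD) are all constructed for the demo.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: the output reveals nothing about the input key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 keystream in counter mode) standing in for
    a real AEAD such as AES-GCM. The same call encrypts and decrypts."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, n.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Ratchet:
    """Per-message keys derived from a chain key that only moves forward;
    the previous chain key and used message keys are never kept."""

    def __init__(self, shared_secret: bytes):
        self.chain_key = shared_secret

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is gone
        return message_key


def forward_secrecy_demo() -> tuple[bool, bool]:
    shared = hashlib.sha256(b"constructed shared secret").digest()
    alice, bob = Ratchet(shared), Ratchet(shared)
    plaintexts = [b"first message", b"second message", b"third message"]
    ciphertexts = [stream_xor(alice.next_message_key(), p) for p in plaintexts]
    decrypted = [stream_xor(bob.next_message_key(), c) for c in ciphertexts]
    delivered_ok = decrypted == plaintexts
    # Alice's phone is lost after the third message: its current chain key is
    # all that remains on it, because earlier keys were never stored. Running
    # the ratchet from that state only ever yields keys for later messages.
    leftover_state = Ratchet(alice.chain_key)
    attempt = stream_xor(leftover_state.next_message_key(), ciphertexts[0])
    past_traffic_safe = attempt != plaintexts[0]
    return delivered_ok, past_traffic_safe
```

A hash ratchet alone protects past messages; protocols such as Signal’s Double Ratchet additionally mix in fresh Diffie-Hellman output so that later messages also become safe again after a compromise.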

In the long run, encryption is nice and all, but without freedom, your security will have a single point of failure. It is important to know: is your app a centralized ecosystem or a decentralized platform? Decentralization comes in several degrees. If all of the data flows through the central servers of your app provider, then you have to trust them with your metadata. If you can host your own instance or choose a different server, you have the freedom to delegate trust to someone else in some other jurisdiction. If your app is fully peer-to-peer, then there are no central servers to compromise and there is no single point of failure. If your app is open source, is it also federated? Meaning – does it allow its spinoffs and other apps to communicate with its users? Or is it locked down like most messaging ecosystems? Federation allows you to take the most secure encryption protocol and use it to securely communicate with users of other apps – so that none of you has to rely on a single provider. Federation is the future of the Internet – at least that version of the future that doesn’t turn into a tech-dystopian nightmare.

When I search for security of messaging apps, these are the most important questions I ask. Other features for me are more of a novelty but not a necessity. If you want to add anything to this, feel free to post your thoughts in the comments to improve this guide.

Thank you.

THO

Comments

Thanks, THO.

Anonymous VPNs are a myth. You are NEVER anonymous with any VPN service no matter how you sign up. If you need anonymity, use Tor (torproject.org)

The Hated One

I like how Mullvad uses ‘client number’ instead of having you register with your name or email. The only drawback with using their VPN is, unless you pay by CASH or BITCOIN, using other payment services removes your anonymity. 🤔
