Unlocking the secret behind private messaging apps

Whether you’re sharing confidential information or swapping movie ideas with a friend, people use private messaging apps that offer end-to-end encryption to protect the content of their conversations.

When data is shared over the Internet, it often crosses a number of networks to reach its destination. Apps like WhatsApp, owned by social media giant Meta (formerly Facebook), provide a level of privacy that makes it difficult even for government agencies to access encrypted conversations.

But with the apps constantly changing their security and privacy policies, are the messages still safe from being decrypted?

Back in May 2021, a backlash from the online community against changes to WhatsApp’s privacy policy for business entities using the platform saw many users switch to other private messaging apps such as Signal and Telegram.

Cybersecurity expert Dr Arash Shaghaghi from the UNSW School of Computer Science and Engineering and the UNSW Institute for Cyber Security compares encryption to having a secret conversation between you and another person.

“To keep our information away from prying eyes, we rely on cryptographic algorithms to encrypt our data. Encryption involves converting human-readable plain text into an encoded format, and the data can only be read after it is decrypted,” he says.

“Encryption involves using a key to lock a message, while decryption is using a key to unlock a message.

“In theory, if an outsider observed an encrypted conversation, they couldn’t understand it, and they would need the correct key to decrypt it.

“Interestingly, with some end-to-end encryption protocols, such as Signal, they cannot decrypt messages that have already been sent, even if someone steals the encryption keys and taps the connection. In crypto parlance, this is referred to as forward secrecy.”

Are our messages completely secure?

Modern encryption algorithms have been battle-tested and shown to have no known vulnerabilities. While that doesn’t mean they are impossible to crack, doing so requires extensive processing power and can take a significant amount of time. Quantum computers, if mature enough, will be able to crack much of today’s encryption.

Attackers typically target endpoints and their vulnerabilities. This is much easier than cryptanalysis, which is the process used to break cryptographic security systems.

For example, last year, attackers targeted a vulnerability related to WhatsApp’s image filter functionality that was triggered when a user opened an attachment containing a malicious image file. More serious and less complicated vulnerabilities targeting WhatsApp clients running on iOS and Android have been reported.

Dr. Shaghaghi says that when you back up your messages on any of the messaging platforms, your messages are sent to the cloud. This means that all your messages are now stored on someone else’s computer.

“The service provider’s implementation of end-to-end encryption plays a significant role in the security and privacy of a messaging app against the provider and attackers,” he says.

“WhatsApp used to keep a backup copy of the messages in an unencrypted format over iCloud for Apple users and Google Drive for those using WhatsApp on Android. Although WhatsApp adopted an end-to-end encryption model in 2016, unencrypted backups were vulnerable to government requests, third-party hacking, and disclosure by Apple or Google employees.”

In 2021, WhatsApp rolled out an option for users to enable end-to-end encryption of their backups. While this was welcomed as a positive step forward, it should be standard for all users – not offered as an option, says Dr Shaghaghi.

“Users who are concerned about the security and privacy of their data should make sure to enable end-to-end encryption backup for WhatsApp and other messaging platforms.”

What about Signal and Telegram?

Unlike WhatsApp and Signal, Telegram does not have end-to-end encryption enabled by default. Only when the ‘secure chat’ feature is enabled does Telegram use the MTProto protocol, an open-source protocol developed specially by the messaging provider.

“As far as we know, Signal, Telegram and WhatsApp are secure in providing end-to-end encryption, if the option is enabled,” says Dr Shaghaghi.

“But Signal is built with privacy and security as the primary motivation. Signal’s endpoint source code is also publicly available – allowing anyone to inspect the code and identify vulnerabilities.

“I think the consensus is that Signal is a more secure and privacy-friendly messaging solution compared to WhatsApp, Telegram or Facebook Messenger.”

With so many messaging platforms available on the market, Dr. Shaghaghi says there are some simple steps to take to help safeguard a user’s privacy.

“Messaging platforms contain a lot of private information, so it’s worth making sure the platform we use has a good reputation to ensure the safety and privacy of users,” he says.

“It’s also worth taking a few extra minutes to enable some of the more advanced security features these platforms offer, such as end-to-end backup encryption or multi-factor authentication.

“And no matter which platform you choose to use, the best practice is to make sure we’re using the latest version of the apps and avoid downloading apps from third-party stores.”

Moderating content exchanged over end-to-end encrypted messaging platforms

There have been strong calls from various government organizations for these apps to include back doors that would allow access to data when deemed required by the authorities.

Recent leaks from the US Federal Bureau of Investigation (FBI) showed that even with a subpoena, powerful authorities have limited access to messages exchanged over apps that use end-to-end encryption.

This argument particularly worries many users, who fear it is the first step away from the strong encryption principles they rely on to ensure the security and privacy of their data.

There have been ongoing debates in Australia and overseas on this subject.

“From a security engineering perspective, implementing a backdoor is never a good idea,” says Dr. Shaghaghi.

“There is no guarantee that malicious hackers won’t find out about these backdoors as well and exploit them.

“However, those in favor of a solution that provides access for law enforcement agencies argue that they need access given the increasing use of these platforms by criminals.”

Some messaging providers and technology companies have responded by making changes to the functionality of the platform.

“To meet regulatory requirements, WhatsApp now allows users to flag a message to be reviewed by their moderators. This has to be initiated by a user and once a message is flagged, the few messages before it are also forwarded to WhatsApp moderators,” said Dr Shaghaghi.

“Apple has promoted encrypted messaging across its ecosystem and has fought law enforcement agencies looking for records.

“In 2021, they announced child safety features that include detection of sexually explicit images over iMessage, another platform that uses end-to-end encryption. To implement this feature, Apple plans to implement the detection on the device and not through an encryption backdoor.

“I believe we can balance the need to moderate criminal content and security and privacy requirements by breaking down the problem into more specific use cases and developing innovative solutions.”
