In a world stricken by worries over illicit surveillance, a new generation of secure mobile communication apps wants to ride to the rescue of the privacy conscious. This type of application has been a cottage industry for desktop computers for years, usually for secure email or instant messaging, but the arrival of mobile platforms has given them the sort of kick that is leading many to dream of reaching the mainstream.
Activity in the sector is now so fevered that several platforms have launched in the second half of 2015 alone, a striking uptick for a type of software that used to be seen as the preserve of technical users with a paranoid bent or political dissidents. Once small scale in their ambitions, the mostly new companies making these apps sense a huge opportunity to grab business users anxious about the implications of living in the post-Snowden world.
Android still tends to be the default platform, although iOS versions are usually available after a short delay. The issue of platform support is more important than it might appear. Even if you don’t personally use an iPhone, say, the fact that your favoured contacts do will render any app that doesn’t support both platforms useless if the same app is needed at both ends. Some apps integrate with third-party applications, for instance email clients. That can be important for businesses – can the app support the preferred communications software used by an organisation, and will it work across desktop as well as mobile? Some can, some can’t.
WhatsApp is one of the most popular messaging apps out there, and while it might not be the most secure, it can offer a good level of protection even in times of controversy.
This week, WikiLeaks released information documenting over 8,000 CIA spying files in its 'Vault 7' collection. Reports surrounding this claimed that the CIA was able to easily bypass WhatsApp's (and Signal's) security systems and read user messages. In addition, WikiLeaks also said that the CIA uses malware and hacking tools to remotely hack smartphones and turn TVs into recording devices.
While understandably alarming, this information has been challenged by some, claiming that the WikiLeaks report is misleading. "The CIA has some exploits for Android/iPhone. If they can get on your phone, then of course they can record audio and screenshots," stated Robert Graham from Errata Security. "Technically, this bypasses/defeats encryption - but such phrases used by Wikileaks are highly misleading, since nothing related to Signal/WhatsApp is happening," he added.
Essentially, this shows that once someone has gained access to a phone, they can read whatever is on it regardless of the messaging app's encryption. It also highlights the fact that encryption currently doesn't measure up to the hacking abilities of the CIA, and anyone who thought downloading an app would prevent intelligence agencies from accessing their phone's data is entirely wrong.
In February 2017 WhatsApp incrementally introduced two-factor authentication to all of its users as an optional added layer of security.
Two-factor authentication essentially means verifying your identity twice – in this case, users set a six-digit passcode that must be entered to access their account. WhatsApp users will need to enable the feature through their settings, and once switched on, the passcode will remain tied to the associated account, no matter which device it's being accessed through.
The feature first appeared in beta late last year, and the app will require users to enter the passcode about once every week. Users will be able to set up a backup email in case they forget the passcode.
It's unlikely to inspire enormous confidence in WhatsApp as a secure platform, but it is a small nod towards security for personal use.
Earlier this year, a Guardian report claimed that a security vulnerability in WhatsApp meant Facebook – WhatsApp’s parent company – could read encrypted messages sent through the service. Security researcher Tobias Boelter told the paper that WhatsApp is able to create new encryption keys for offline users, unknown to the sender or recipient, meaning that the company could generate new keys if it’s ordered to.
And although Facebook insists that it couldn’t read your WhatsApp messages even if it wanted to, critics have been suspicious since the acquisition – since Facebook’s entire platform depends on data and advertising, and its own Messenger service is infamously intrusive.
In terms of security, it’s important to distinguish pure secure messaging apps from apps that happen to have some security, for instance the hugely popular WhatsApp and Snapchat. Many use encryption but operate over insecure channels in which the keys are stored centrally, and hide behind proprietary technologies that mask software weaknesses.
As it happens, earlier in 2015 Facebook’s WhatsApp started using the TextSecure platform (now called Signal – see below) from Open Whisper Systems, which improves security by using true end-to-end encryption with perfect forward secrecy (PFS). This means the keys used to scramble communication can’t be captured through a server, and no single key gives access to past messages. It was presumably this sort of innovation that so upset British Prime Minister David Cameron when in early 2015 he started making thinly-veiled references to the difficulty security services were having in getting round the message encryption being used by intelligence targets.
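To make the forward-secrecy claim concrete, here is an added example (not code from this article or from Open Whisper Systems) of a simplified hash ratchet in the style of Signal's symmetric sending chain: each message key comes from a one-way step, so a chain key captured at one point in time yields the later keys but none of the earlier ones. The shared secret and the HMAC inputs are constructed assumptions; the real protocol also layers a Diffie-Hellman ratchet on top of this.

```python
from __future__ import annotations
import hashlib
import hmac


def kdf_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Advance the chain one step and return (message_key, next_chain_key).

    Both outputs are HMAC-SHA256 of the current chain key under distinct
    constant inputs (assumed here), so neither can be inverted to recover
    the chain key that produced them."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


class SendingChain:
    """Holds only the current chain key; every earlier key is discarded."""

    def __init__(self, chain_key: bytes) -> None:
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key, self.chain_key = kdf_step(self.chain_key)
        return message_key


def message_keys_from(chain_key: bytes, count: int) -> list[bytes]:
    """Everything an attacker who captured a chain key can derive: forward only."""
    chain = SendingChain(chain_key)
    return [chain.next_message_key() for _ in range(count)]


def forward_secrecy_demo() -> dict:
    # Constructed sample secret standing in for the negotiated session key.
    root = hashlib.sha256(b"constructed shared secret (sample only)").digest()
    sender = SendingChain(root)
    past_keys = [sender.next_message_key() for _ in range(3)]
    # Device state is copied here: the attacker obtains the live chain key.
    stolen_chain_key = sender.chain_key
    future_keys = [sender.next_message_key() for _ in range(2)]
    attacker_keys = message_keys_from(stolen_chain_key, 2)
    return {
        "future_exposed": attacker_keys == future_keys,
        "past_recoverable": any(k in attacker_keys for k in past_keys),
        "all_keys_distinct": len(set(past_keys + future_keys)) == 5,
    }
```

The result shows the trade-off the article describes: a compromised device exposes messages sent after the compromise, but the one-way KDF keeps earlier message keys out of reach.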
In April 2016, the Signal protocol was rolled out as a mandatory upgrade to all WhatsApp users across all mobile platforms, an important moment for a technology that has spent years on the fringes. At a stroke it also made Open Whisper Systems the most widely used encryption platform on earth, albeit one largely used transparently without the user realising it.
It's fair to say that police and intelligence services are now worried about the improved security on offer from these apps, which risks making them favoured software for terrorists and criminals. That said, they are not impregnable. Using competent encryption secures the communication channel but does not necessarily secure the device itself. There are other ways to sniff communications than breaking encryption.
Most recent apps will, in addition to messaging, usually offer some combination of video, voice, IM, file exchange, and sometimes (though with a lot more difficulty, because mobile networks work differently) SMS and MMS messaging. An interesting theme is the way that the apps in this feature often share underlying open source technologies, although this doesn’t mean the apps are identical to one another. The user interface and additional security features will still vary.
For further background, the Electronic Frontier Foundation (EFF) published a comparison in 2014 of the sometimes confusing levels of security on offer from the growing population of apps on the market. All mobile messaging apps claim to use good security, but this is a useful reminder that definitions of what ‘secure’ actually means are starting to change.
The future? There are two trends to watch out for. First, business-class secure messaging systems have started to appear, including ones that operate as services or using centralised enterprise control. A second and intriguing direction is the morphing of static messaging apps into complete broadcasting systems that can distribute different types of content and then erase all traces of this activity once it has been read. This latter capability is likely to prove another contentious development for governments and the police.