In October 2021, Facebook (now Meta) and all of its platforms (Instagram, WhatsApp, and Messenger) were shut down worldwide for up to six hours, leaving billions without messaging service. As Facebook engineers scrambled to fix the problem, users turned to other apps to stay connected. Due to the blackout, Telegram added 70 million users, according to the platform’s founder, Pavel Durov.
While the Facebook outage was due to a routine maintenance error, the event caused many to wonder about messaging app breaches and other issues. If someone switched from WhatsApp to Telegram, did they really end up with a more secure app? What makes a messaging app more secure? And what about the risks of using instant messages for business?
These questions are important, since we use more and more messaging applications on a daily basis. This is especially relevant among international teams where fast and affordable communication helps people get to work faster.
Messaging App Security Comparison
Although there is no consensus, messaging app security comparisons exist. But beware. What one source says is safe, another source might say otherwise.
Meanwhile, cybersecurity researcher Natalie Silvanovich of the Project Zero Team at Google found a serious bug in the Signal app. Using a modified client, she sent a peer-to-peer connection message to a device running Signal. This made it possible to answer a voice call, even though the caller never touched the device.
Silvanovich found similar gaps in Facebook Messenger, Google Duo, JioChat, and Mocha. After her report, all of these vulnerabilities have since been fixed.
Privacy Messaging App: What Are Threat Actors Using?
What about threat actors? What app are they chatting on? Is it safe? Recent research describes a flourishing network of cybercriminals on Telegram, where data leaks have increased in frequency. Some illicit Telegram channels host tens of thousands of subscribers, and the content resembles what one might find in darknet hubs. Still, what attracts threat actors might not be the security of the app, but rather the lack of moderation of the platform.
As for security, Telegram uses its own MTProto encryption protocol, rather than the more widely accepted Transport Layer Security (TLS) protocol. Some cryptographers consider MTProto to be a cryptographic weakness. While any encryption is better than none, the basic components of MTProto’s security requirements (hash functions, block ciphers, public key encryption, etc.) have not been tested.
We dare you to attack us
However, Telegram is not worried about its encryption security. In fact, the platform recently held a contest to crack Telegram encryption. Despite offering a $30,000 reward, no one cracked the platform’s Secret Chats code. Please note that Telegram’s Secret Chats mode is not enabled by default and does not work in group chats either. During standard chat and group chat, end-to-end encryption remains disabled on Telegram.
Up to 740 billion SMS messages per year exposed
What about SMS messages? Are they safer? Syniverse is a company that routes hundreds of billions of text messages each year for hundreds of carriers, including Verizon, T-Mobile, and AT&T. In May 2021, the company told government regulators that attackers had been breaching its databases for five years. Syniverse processes more than 740 billion messages each year for more than 300 mobile operators around the world.
What information did the attackers expose? The company did not say, but the content of the SMS text messages may have been targeted.
Big Name Messenger App Security
Google Messages, Apple iMessage and Facebook Messenger (and Meta’s WhatsApp) have also been scrutinized for the security of their apps. Google and Apple turn encryption on by default, as does WhatsApp, but Facebook Messenger does not.
Other criticisms of the security surrounding Google and Facebook include the collection of user information. Since they collect user data, they must also protect it. This implies an added risk. Also, Apple uses closed source application and backend server code. This calls into question the quality of the code, including the strength of the encryption or whether there are any vulnerabilities.
Get the signal?
Out of all the messaging apps out there, Signal seems to be one of the most secure. Yes, it was found to be at risk of eavesdropping attacks as mentioned above, but that weakness has reportedly been fixed.
Meanwhile, Signal has plenty of features to look for in a secure messaging app, such as:
- It is an open source project supported by grants and donations. This means there should be no ads, affiliates, or hidden tracking.
- End-to-end encryption by default means only the parties involved in the conversation can see the messages. No one else, not even the app owners, can see the chat content.
- A message auto-destruct and disappear feature deletes messages forever after a set period of time.
- Minimal user data collection means messages, images, and files are stored locally on your phone, unlike Google or Facebook apps that collect information for other business purposes.
Messenger App Hygiene
Beyond the intrinsic security of the messaging platform, how your teams interact with the app greatly affects security. For example, phishing campaigns and social engineering attacks have plagued third-party messaging apps for years. Attackers simply send targets a tempting message to click a link or download an infected file.
While breaching a corporate network from a smartphone app can be difficult, many users also install a desktop version of their messaging app. Any malicious links or downloads accessed from the desktop app version could open the door to malware.
There is no perfect messaging app
Businesses, especially those with international teams, are likely to continue to use popular messaging apps. While no app is 100% secure, some implement better security measures than others. Default end-to-end encryption is an example of good security practice. It’s also worth reminding teams that online phishing scams are just as dangerous when they target you from your app.