This is what your messaging app needs to be truly secure

Encryption's important, but there's more to it than that.

You may love your messaging app, but your messaging app may not love your privacy and security. WhatsApp, arguably the most popular messaging app in the world with a billion users, made a significant step in April by introducing end-to-end encryption built on the Signal protocol, much to the chagrin of governments and police forces.

Some apps are much further ahead in the security game than others. As you wade through the glut of messaging services available, these are the features to look for.

End-to-end encryption

Previously, encrypting messages in transit was considered good practice, but the standards have changed. Look for an app that encrypts messages from user to user, so that even the app developer can’t read the contents of your communications. “That’s the biggest line of demarcation between tools that are at least serious about trying to provide good security versus the ones that aren’t quite there yet,” advised Joseph Bonneau, tech fellow at the Electronic Frontier Foundation (EFF).

In 2014 EFF published the first edition of its secure messaging scorecard, which rated dozens of chat apps based on set criteria. EFF’s rankings were not designed to push people to any one tool but to clearly set out what’s working and what isn’t. The digital rights group has now retired that scorecard and is working on a new one.

WhatsApp had originally scored pretty well, but like any product, it’s not perfect. “There is one tiny problem with WhatsApp and a couple of others. For example, they don’t create the data locally,” said Filip Chytry, manager of mobile threat intelligence at Avast. “My recommendation is to find the apps that are actually encrypting the messages stored locally on your device.”

EFF’s Bonneau noted competitors to WhatsApp that are making a strong effort on security. “Signal is really popular among the tech crowd for sure. I think ChatSecure is doing a nice job,” he said.

Default settings mean a lot

Encryption is a must-have, but it’s not the absolute standard yet, as we saw with the recent launch of Google’s Allo. The app has encryption turned off by default, a feature that has attracted criticism from security pros and even Edward Snowden, who called it “dangerous.”

Plenty of apps still don’t run end-to-end encryption, mostly because implementing the feature is tough to do. “It’s a mix of engineering costs and complexity. Maybe they haven’t gotten around to it yet. It does make things harder,” said Bonneau. “Also I think this wasn’t on most people’s radar until relatively recently. A lot of products by legacy are not encrypted.” As security standards improve, these apps risk becoming obsolete.

Open-source code is the responsible choice

Whether the app maker has its code open to review says a lot about the app, too. There’s an old mindset in security: If you don’t tell anyone how something works, it will be harder for people to break it or take it apart. That attitude has since been debunked, as the security community embraces open-source as a way to spread ideas and collaborate.

Avast’s Chytry added that while he’s in favor of open-source, developers still need to be wary of people who will reverse-engineer their tech—though the benefits outweigh the threats. Ryan Hagemann, technology and civil liberties policy analyst at DC think tank Niskanen Center, agreed. “The gold star goes to platforms that rely on open-source code and that aren’t stored on third-party servers,” he said.

You’d also be wise to avoid backing up chat histories to the cloud, Hagemann continued. Storing encrypted data on a third-party server puts it at risk if it involves transmitting private keys to the server operator.

A proactive approach to vetting apps is important too, added Avast’s Chytry. This includes being critical of a messaging app’s permissions and using a VPN for an additional layer of security.

Never underestimate modesty

No security tool is perfect, and any qualified security engineer will make this clear to the consumer. “A lot of tools out there promise everything. They’ll throw around terms like ‘military-grade’ or ‘unbreakable’. That’s a sign of amateurs designing the tool,” said Bonneau.

We’ve even seen WhatsApp subjected to theoretical attacks and flaws that could undermine its security. It still stores metadata, for example. “Tools that aren’t self-critical at all or don’t list the limitations or threats that it doesn’t protect you from, it’s probably a sign that the people who designed it aren’t really trained security engineers,” Bonneau warned.

End-to-end encryption on by default is still by far the strongest measure of an app’s security. But there’s plenty to consider, from permissions to open-source code. Remember, any app that makes lofty promises should be investigated. Security is hard, and user vigilance is key.
