Why Encrypted Messaging Apps Should Not be Trusted
- Which messaging apps have you found to be most vulnerable and why?
- What kind of abuses are most common on messaging apps?
- What is the Do Not Call Registry? And how can it help prevent fraud and spam on messaging apps?
- What can people using messaging apps do to protect their privacy?
- In your opinion, what should messaging app operators do to ensure the safety of their users?
Fidelis Cybersecurity have recently expressed their growing concern related to the safety of using messaging apps like whatsapp, signal and others. We spoke to John Bambenek, Threat Systems Manager at Fidelis Cybersecurity, to find out why messaging apps may not offer users the expected level of privacy, what’s problematic and what can users do to maintain their privacy. Share
Which messaging apps have you found to be most vulnerable and why?
WhatsApp and Confide both have had public issues reported this year. That said, there is only a subset of issues researchers can test (namely the applications themselves and the public interfaces to their backend). There may be vulnerabilities in the backend of the infrastructure these applications use that could expose people to eavesdropping or other issues.
What kind of abuses are most common on messaging apps?
Although so far there hasn’t been much in the way of large scale scamming, I would characterize the use of messaging apps is either highly targeted or experimental. Generally it involves abusing someone’s trust that “encrypted” messaging also means “trusted” when they are no more inherently trustworthy than other messaging apps. They provide you protection against eavesdropping but there are many other forms of malfeasance.
What is the Do Not Call Registry? And how can it help prevent fraud and spam on messaging apps?
The Do Not Call Registry is part of a program by the U.S. Federal Trade Commission where you can place your phone number on a list that telemarketers are required to have and use to prevent them from calling you. The problem is that enabling legislation only applies to phone calls, and there was no consideration of non-telephony communication such as encrypted text messages or phone calls (i.e., apps such as Signal).
What can people using messaging apps do to protect their privacy?
The important thing to realize is that you need to verify the identity of new contacts outside of the application (i.e. call them on the phone, send an email). Take notice of odd changes or linguistical oddities of messages. For instance, if a contact is American and they start spelling words like “colour”, something could be up.
In your opinion, what should messaging app operators do to ensure the safety of their users?
As with any encryption system, having transparent, third-party verification of their encryption and their security should be published so users can have greater confidence in the providers. They should also proactively look for spammers, scammers and others who would abuse their systems and block them.