Should you switch from WhatsApp to secure messaging app Signal? - Telegraph.co.uk


Posted: 25 Feb 2020 12:00 AM PST

It has become a communication channel for MPs, world leaders and business moguls, but according to the European Commission, WhatsApp should not be the app of choice for those who want to keep their private messages safe.

The Commission has begun recommending that staff use the encrypted messaging app Signal as it seeks to boost security after a string of high-profile hacks, according to reports.

Security experts say that Signal provides an extra layer of assurance beyond apps such as WhatsApp, which is owned by Facebook and has had to deal with several security bugs in the last year.

Signal was first launched in 2014 as the successor to encrypted messaging and phone call apps from Open Whisper Systems, a project developed by the US entrepreneur and security engineer Moxie Marlinspike. It has since secured millions in funding from Brian Acton, one of the two original WhatsApp founders.

On the surface, it has more similarities than differences with WhatsApp. Users plug in their phone number, grant the app access to their contact book, and can start sending messages to friends.

Both WhatsApp and Signal use end-to-end encryption, meaning that messages cannot be deciphered while being sent between devices. WhatsApp even uses the Signal Protocol, a way of encrypting messages developed by Signal.

But experts say there are relevant differences between them. Signal is "open source", meaning engineers and researchers can inspect its underlying code, while WhatsApp closely guards its own. Although there has been no evidence that anybody has been able to crack WhatsApp's encryption, its technology cannot be examined as easily.

A more important difference is in what other data is collected beyond what one sends in a message. 

While WhatsApp messages themselves cannot be intercepted, the app does store information such as interactions between users, when they were last online, and the phone numbers from their contact book. In some cases, this data is linked to Facebook profiles, although the company has been stopped from doing so in countries including the UK and says it is not used for advertising. 

That may change in the future, however. WhatsApp's data policy specifies only that WhatsApp data is not used for advertising "today". And the parent company is working on plans to make its three messaging apps – WhatsApp, Facebook Messenger and Instagram Direct – compatible with one another, which may involve more data sharing. The additional usage information that WhatsApp collects, so-called "metadata", can also be requested by police.

"We're not asking the right question [when we talk about encryption]," says Andersen Cheng, the chief executive of cryptography company Post Quantum. "In the intelligence world sometimes metadata is more important." Cheng said he developed a messaging app but pulled it when it appeared on an Islamic State recommended apps list.

WhatsApp's online backups, which allow users to restore messages when they get a new phone, are also not protected by end-to-end encryption, meaning that access to an iCloud or Google Drive account could mean access to private messages. Unencrypted iCloud backups allowed US prosecutors to access messages from Donald Trump's former campaign chair Paul Manafort, for example.

Signal allows Android users to back up their chats, but decrypting them requires a 30-digit passphrase. On the iPhone, they cannot be backed up at all.

WhatsApp has had a share of security scares, particularly in recent months. The app was named in connection with a cyber attack on Amazon chief executive Jeff Bezos, allegedly sent from the phone of Saudi Crown Prince Mohammed bin Salman.

WhatsApp is not alone in having security flaws – both Signal and Apple's FaceTime patched their own bugs last year – but its popularity makes it a big target for those looking for gaps to exploit. 

The app has 2bn users around the world. Signal has not revealed user numbers, but according to data from app tracker Sensor Tower, it was installed just 9.2m times last year, an increase on the previous year's 6.8m, but minuscule compared to 860m for WhatsApp.

According to the Electronic Frontier Foundation, Signal's niche nature is its biggest problem: using it may be seen as suspicious in its own right. More practically, a messaging app is only as good as the people using it, and you might find a minority of friends on Signal. "It's really a lot of cryptographers and privacy advocates," says Cheng.

The EFF says both WhatsApp and Signal come recommended, albeit with their own trade-offs. Both represent major improvements in messaging security from a few years ago. But if Signal continues to become more popular, its disadvantages might become less noticeable.


Session is a decentralised messenger you can use without a telephone number - AndroidPIT

Posted: 07 Mar 2020 07:00 AM PST

Modern messengers have a common privacy problem: they almost invariably ask for your phone number. Even though we have gotten used to it by now, it is actually not very discreet. After all, we do not know to whom it is passed on. Session is meant to solve that. We introduce the new messenger for privacy enthusiasts in more detail.

Smartphones are supposed to connect us with each other in an uncomplicated way. Simple messenger apps offer convenient options and are mostly free. Nevertheless, we pay a price for it: our phone number and contacts, as well as the so-called metadata, are often used commercially by the operators. There is money to be made from information about when we communicate, with whom, and for how long.

At the beginning, a session ID is created ... / © AndroidPIT

And even if we can trust an app developer, as is the case for me with the Signal messenger, there is a catch: we are supposed to register with our phone number and give the app access to our contacts. In Germany, the former is inevitably linked to our real identity, and our contacts would theoretically each have to agree to our passing on their phone numbers.

A friend or threat to Signal?

The new messenger Session is a so-called fork of Signal. Functionally, it is largely identical, but during the setup process you are no longer asked for your phone number. There is also no provision for accessing your contact list or linking your number or email address to your Session ID, making Session even more paranoid than Threema.

What Session can do

Session handles the usual chat functions. There are voice messages, a GIF search (with a privacy warning), file sharing and group chats. You can add new contacts by scanning a QR code or exchanging Session IDs. You can share your groups via a link.

If you share GIFs, Session warns you of compromised metadata. / © AndroidPIT

Encrypted group chats

Another advantage over Signal or Telegram is end-to-end encrypted group chats. Up to ten people can communicate fully anonymously via Session. Yes, WhatsApp also has encrypted group chats. But your metadata, phone numbers, and IP addresses remain visible to Facebook. Session, by contrast, has no knowledge of any of this.

Session on all platforms

Session is available in the Play Store (or as an APK), in the App Store, and as a download for Windows, macOS, and Linux. In theory, you can use the same Session ID on all your devices at the same time. Unfortunately, in my own test, I did not succeed. When you install Session for the first time, it creates a new session (hence the name). This is protected by a recovery phrase. So if you change your smartphone, you can continue your session on the new device using this phrase.

Transfer Sessions

Session offers two ways to back up chats. You can create a local backup, protected by a passphrase just as in Signal, and copy it from the internal storage of your smartphone to the new device before you reset your phone.

Or you rely on your chat partners and download the chat logs from them after restoring your session. Unfortunately, even this did not succeed in my own test.

After the restoration, parts of the old chats are missing. / © AndroidPIT

What Session cannot (yet) do

As you can see above, Session is not very talented at restoring backups. If you want to move the app to a new device, you will have to expect difficulties restoring the chat logs. However, since Session is designed for short-lived sessions, I don't expect any improvement in this area in the near future.

Unlock restored sessions

Session is also not very reliable at keeping you in contact with people. When I restored a session in the test, I was able to restore my Session contacts, but only with their IDs and without their nicknames. But I couldn't write to them anymore because of my changed crypto key. Only when they contacted me could I answer again. So if one of your Session contacts doesn't answer for a while, ping them once. You might have to unlock it again first.

Telegram is Session's best friend

Since Session is designed for you to create sessions and then throw them away after short periods of time, it is worth using Telegram in parallel. I have used the latter for a quick exchange of IDs (optionally via secure chat with a self-destruct timer) and for saving and synchronizing my IDs and passphrases. Similar functionality would be offered by the combination of syncing and a text editor, but it is not as easy to set up.

Who is behind Session?

Session is part of the Loki Foundation, a non-profit organization without a permanent seat. The CEO is Simon Harman. Even though the project is not profit-oriented, it wants to monetize Session. Parts of the infrastructure are based on a blockchain network that mines its own currency, $LOKI.

The network provides important infrastructure for anonymizing its users, including an onion router to hide your IP address. Neither your counterpart nor the Loki Foundation can determine your location.

So if a state were to obtain a court order to inspect the Session servers, investigators would find nothing but meaningless Session IDs and Tor IP addresses. None of this information would allow clear conclusions to be drawn about the identity of the messenger app's users.

Conclusion

Session is one of the most promising messengers for the paranoid for me. If it overcomes the annoying weaknesses when used on multiple devices and especially when restoring the session, it will become suitable for everyday use for me as well. Until then, it is definitely an exciting feasibility study and proof that it can be done differently.
