Signal, WhatsApp and Telegram: All the major security differences between messaging apps - CNET


Posted: 19 Feb 2021 04:00 AM PST

If your choice of encrypted messaging app is a toss-up between Signal, Telegram and WhatsApp, do not waste your time with anything but Signal. This isn't about which has cuter features, more bells and whistles or is most convenient to use -- this is about pure privacy. If that's what you're after, nothing beats Signal.

By now you probably already know what happened. On Jan. 7, in a tweet heard 'round the world, tech mogul Elon Musk continued his feud with Facebook by advocating people drop its WhatsApp messenger and use Signal instead. Twitter CEO Jack Dorsey retweeted his call. Around the same time, right-wing social network Parler went dark following the Capitol attacks, while political boycotters fled Facebook and Twitter. It was the perfect storm -- the number of new users on Signal and Telegram has surged by tens of millions since. 

The jolt also reignited security and privacy scrutiny over messaging apps more widely. Among the three currently dominating download numbers, there are some commonalities. All three are mobile apps available in the Play Store and App Store that support cross-platform messaging, have group chat features, offer multifactor authentication and can be used to share files and photos. They all provide encryption for texting, voice and video calls.

Signal, Telegram and WhatsApp all use end-to-end encryption in some portion of their app, meaning that if an outside party intercepts your texts, they should be scrambled and unreadable. It also means that the exact content of your messages supposedly can't be viewed by the people working for any of those apps when you are communicating with another private user. This prevents law enforcement, your mobile carrier and other snooping entities from being able to read the contents of your messages, even when they intercept them (which happens more often than you might think). 

The privacy and security differences between Signal, Telegram and WhatsApp couldn't be bigger, though. Here's what you need to know about each of them. 

Signal
  • Does not collect data, only your phone number
  • Free, no ads, funded by nonprofit Signal Foundation 
  • Fully open-source
  • Encryption: Signal Protocol

Signal is a typical one-tap install app that can be found in your normal marketplaces like Google's Play Store and Apple's App Store and works just like the usual text-messaging app. It's an open-source development provided free of charge by the nonprofit Signal Foundation and has been famously used for years by high-profile privacy icons like Edward Snowden.

Signal's main function is that it can send -- to either an individual or a group -- fully encrypted text, video, audio and picture messages, after verifying your phone number and letting you independently verify other Signal users' identity. For a deeper dive into the potential pitfalls and limitations of encrypted messaging apps, CNET's Laura Hautala's explainer is a life-saver. 

When it comes to privacy, it's hard to beat Signal's offer. It doesn't store your user data. And beyond its encryption prowess, it gives you extended, onscreen privacy options, including app-specific locks, blank notification pop-ups, face-blurring antisurveillance tools and disappearing messages. 

Occasional bugs have proven that the tech is far from bulletproof, of course, but the overall arc of Signal's reputation and results has kept it at the top of every privacy-savvy person's list of identity protection tools. The Guardian, The Washington Post, The New York Times (which also recommends WhatsApp) and The Wall Street Journal all recommend using Signal to contact their reporters safely. 

For years, the core privacy challenge for Signal lay not in its technology but in its wider adoption. Sending an encrypted Signal message is great, but if your recipient isn't using Signal, then your privacy may be nil. Think of it like the herd immunity created by vaccines, but for your messaging privacy. 

Now that Musk's and Dorsey's endorsements have sent a surge of users to get a privacy booster shot, however, that challenge may be a thing of the past. 

Telegram
  • Data linked to you: Name, phone number, contacts, user ID
  • Free, forthcoming Ad Platform and premium features, funded mainly by founder
  • Only partially open-source
  • Encryption: MTProto

Telegram falls somewhere in the middle of the privacy scale, and it stands apart from other messenger apps because of its efforts to create a social network-style environment. While it doesn't collect as much data as WhatsApp, it also doesn't offer encrypted group calls like WhatsApp, nor as much user data privacy and company transparency as Signal. Data collected by Telegram that could be linked to you includes your name, phone number, contact list and user ID. 

Telegram also collects your IP address, something else Signal doesn't do. And unlike Signal and WhatsApp, Telegram's one-to-one messages aren't encrypted by default. Rather, you have to turn encryption on in the app's settings. Telegram group messages also aren't encrypted. Researchers found that while some of Telegram's MTProto encryption scheme was open-source, some portions were not, so it's not completely clear what happens to your texts once they're in Telegram's servers. 

Telegram has seen several breaches. Some 42 million Telegram user IDs and phone numbers were exposed in March of 2020, thought to be the work of Iranian government officials. It would be the second massive breach linked to Iran, after 15 million Iranian users were exposed in 2016. A Telegram bug was exploited by Chinese authorities in 2019 during the Hong Kong protests. Then there was the deep-fake bot on Telegram that has been allowed to create forged nudes of women from regular pictures. Most recently, its GPS-enabled feature allowing you to find others near you has created obvious problems for privacy.

I reached out to Telegram to find out whether there were any major security plans in the works for the app, and what its security priorities were after this latest user surge. I'll update this story when I hear back.

WhatsApp
  • Data linked to you: Too much to list (see below)
  • Free; business versions available for free, funded by Facebook
  • Not open-source, except for encryption
  • Encryption: Signal Protocol 

Let's be clear: There's a difference between security and privacy. Security is about safeguarding your data against unauthorized access, and privacy is about safeguarding your identity regardless of who has access to that data. 

On the security front, WhatsApp's encryption is the same as Signal's, and that encryption is secure. But that encryption protocol is one of the few open-source parts of WhatsApp, so we're being asked to trust WhatsApp more than we are Signal. WhatsApp's actual app and other infrastructure have also faced hacks, just as Telegram has. 

Jeff Bezos' phone was famously hacked in January of 2020 through a WhatsApp video message. In December of the same year, Texas' attorney general alleged -- though has not proven -- that Facebook and Google struck a back-room deal to reveal WhatsApp message content. A spyware vendor targeted a WhatsApp vulnerability with its software to hack 1,400 devices, resulting in a lawsuit from Facebook. WhatsApp's unencrypted cloud-based backup feature has long been considered a security risk by privacy experts and was one way the FBI got evidence on notorious political fixer Paul Manafort. To top it off, WhatsApp has also become known as a haven for scam artists and malware purveyors over the years (just as Telegram has attracted its own share of platform abuse, detailed above). 

Despite the hacks, it's not the security aspect that concerns me about WhatsApp as much as the privacy. I'm not eager for Facebook to have yet another piece of software installed on my phone from which it can cull still more behavioral data via an easy-to-use app with a pretty interface and more security than your regular messenger. 

When WhatsApp says it can't view the content of the encrypted messages you send to another WhatsApp user, what it doesn't say is that there's a laundry list of other data that it collects that could be linked to your identity: Your unique device ID, usage and advertising data, purchase history and financial information, physical location, phone number, your contact information and that of your list of contacts, what products you've interacted with, how often you use the app, and how it performs when you do. The list goes on. This is way more than Signal or Telegram. 

When I asked the company why users should settle for less data privacy, a WhatsApp spokesperson pointed out that it limits what it does with this user data, and that the data collection only applies to some users. For instance, financial transaction data collection would be relevant only to those WhatsApp users in Brazil, where the service is available. 

"We do not share your contacts with Facebook, and we cannot see your shared location," the WhatsApp spokesperson told CNET. 

"While most people use WhatsApp just to chat with friends and family, we've also begun to offer the ability for people to chat with businesses to get help or make a purchase, with health authorities to get information about COVID, with domestic violence support agencies, and with fact checkers to provide people with the ability to get accurate information," the spokesperson said. "As we've expanded our services, we continue to protect people's messages and limit the information we collect." 

Is WhatsApp more convenient than Signal and Telegram? Yes. Is it prettier? Sure. Is it just as secure? We won't know unless we see more of its source code. But is it more private? Not when it comes to how much data it collects comparatively. For real privacy, I'm sticking with Signal and I recommend you do the same. 

This Is How Apple Secures Your iMessage Messages And FaceTime Calls On Your Apple iPhone - News18

Posted: 18 Feb 2021 06:15 PM PST

At a time when there is a lot of chatter about how secure instant messaging apps are, Apple has updated its Platform Security documentation to give a better perspective on how the data on your iPhone, iPad, Mac, Apple Watch, Apple TV and HomePod, and indeed in iMessage, FaceTime, iCloud and Car keys, to name a few apps and services, is secured. The iMessage and FaceTime security protocols that are in place are perhaps the most relevant for a lot of users, considering messaging is in focus. Apple's iMessage messaging service, at this time, is available across a variety of Apple devices, including the iPhone, iPad, Apple Watch and Mac computing devices. The FaceTime video and voice calling service is also available across these devices. In a nutshell, and let's just say a spoiler alert in advance, it may just be a case of move over for WhatsApp, Zoom and a lot of other apps and services that deliver on these two use cases.

Let us look at how iMessage is secured. Apple clarifies from the outset that they do not log the contents of messages or attachments, and all of these are protected by end-to-end encryption. Just the sender and the receiver can access these messages. Apple cannot decrypt this data, something that has often put the tech giant at loggerheads with law enforcement, particularly in the US. For setting up iMessage, a phone number is verified by the carrier network and the SIM, which often requires an SMS be sent to complete the verification chain. Email addresses can also be used with iMessage, and the iCloud IDs would also be verified by a confirmation link.

Apple says that when a user turns on iMessage on a device, the device generates encryption and signing pairs of keys for use with the service. For encryption, there is an encryption RSA 1280-bit key as well as an encryption EC 256-bit key on the NIST P-256 curve. For signatures, Elliptic Curve Digital Signature Algorithm (ECDSA) 256-bit signing keys are used.

Every time you want to send an iMessage to a new contact or start a new conversation, your iPhone or iPad or Mac, for instance, would connect with the Apple Identity Service (IDS) to get access to the public keys and addresses for all devices associated with the ID or contact you are sending the message to. This is to enable seamless delivery of iMessage chats to all devices signed in with the same iCloud ID. Any outgoing message is individually encrypted for each of the receiver's devices. These are 128-bit keys, a combination of a randomly generated 88-bit value and a 40-bit value constructed using an HMAC-SHA256 key, says Apple.
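
The per-message key construction described above, as an added example (not code from Apple or from the original article): the 88-bit random value keys an HMAC-SHA256 over the sender's public key, the receiving device's public key and the plaintext, and the resulting 40-bit value is appended to form the 128-bit key, which the receiver can recompute to check the decrypted plaintext. Assumptions: the function names, the length-prefixed input framing and order, taking the first 5 bytes of the HMAC output, and the placeholder public keys; the AES encryption of the message and the wrapping of the key to each device are left out.

```python
import hashlib
import hmac
import secrets

SEED_LEN = 11  # 88-bit random value
TAG_LEN = 5    # 40-bit HMAC-derived value

def _tag(seed, sender_pub, receiver_pub, plaintext):
    # Assumption: inputs are length-prefixed and fed in this order, and the
    # 40-bit value is the first 5 bytes of the HMAC-SHA256 output.
    mac = hmac.new(seed, digestmod=hashlib.sha256)
    for part in (sender_pub, receiver_pub, plaintext):
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()[:TAG_LEN]

def derive_message_key(sender_pub, receiver_pub, plaintext, seed=None):
    """Return the 128-bit per-message key: 88-bit seed || 40-bit tag."""
    seed = secrets.token_bytes(SEED_LEN) if seed is None else seed
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be exactly 88 bits")
    return seed + _tag(seed, sender_pub, receiver_pub, plaintext)

def verify_message_key(key, sender_pub, receiver_pub, plaintext):
    """Receiver side: recompute the 40-bit value from the decrypted plaintext."""
    if len(key) != SEED_LEN + TAG_LEN:
        return False
    expected = _tag(key[:SEED_LEN], sender_pub, receiver_pub, plaintext)
    return hmac.compare_digest(key[SEED_LEN:], expected)

def keys_for_devices(sender_pub, device_pubs, plaintext):
    """One independent key per receiving device (the per-device fan-out)."""
    return {name: derive_message_key(sender_pub, pub, plaintext)
            for name, pub in device_pubs.items()}

# Constructed sample values: placeholder byte strings stand in for public keys.
SENDER_PUB = b"constructed-sender-public-key"
DEVICES = {"iphone": b"constructed-iphone-public-key",
           "mac": b"constructed-mac-public-key"}

if __name__ == "__main__":
    message = b"see you at 6"
    for name, key in keys_for_devices(SENDER_PUB, DEVICES, message).items():
        ok = verify_message_key(key, SENDER_PUB, DEVICES[name], message)
        tampered = verify_message_key(key, SENDER_PUB, DEVICES[name], b"see you at 7")
        print(name, key.hex(), ok, tampered)
```

With only 40 bits, a random guess passes this check with probability 2^-40, so it serves as a plaintext integrity check and not as a substitute for the ECDSA signatures mentioned earlier.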

FaceTime voice and video calls also get set up in a similar way, with SIM authentication if needed. All calls as well as audio and video content are end-to-end encrypted. The FaceTime connection is made through an Apple server infrastructure which relays data packets between the registered devices attempting a FaceTime call. The encryption uses AES-256 and HMAC-SHA1. Group FaceTime can have up to 33 concurrent participants and all group calls are end-to-end encrypted.

The updated Apple Platform Security takes forward Apple's focus on security and data privacy as the very core foundation of the apps and services that it builds for the iPhone and other devices. The guidelines that are part of the update cover iOS 14.3, iPadOS 14.3, macOS 11.1, tvOS 14.3, and watchOS 7.2 operating systems. "Apple believes privacy is a fundamental human right and has numerous built-in controls and options that allow users to decide how and when apps use their information, as well as what information is being used," they say, in the documentation.
