Evaluating security claims: a quick guide to what you should avoid in a messaging app.
You should always be concerned about the privacy and overall security of your personal information. That applies to everything from the messaging apps you use, regardless of the multibillion-dollar deals behind them, up to your online banking solution.
Because the general public has not been very demanding in privacy and security matters in the past, the incentives for developing truly robust and easy-to-use solutions are only slowly increasing. Take the mobile messaging space, for example, which was in the news recently when the popular WhatsApp was acquired by Facebook for $19 billion.
Six ways to tell the good from the bad
In messaging apps, the lack of security scrutiny up to now has attracted a range of not-so-competent to outright-dishonest actors, leaving you, the consumer, to sort out the good guys from the bad. A few pointers to help you distinguish a legitimate and well-built app from a facade interested in getting to your data or your money:
1. “We have access to your messages, but trust us, we will not abuse your data.”
2. “We designed our very own cryptographic methods.”
There are so many things one can get wrong while designing a cryptosystem that whoever serves you such a claim, no matter how long they say they worked on it, must have made at least a handful of errors. It takes many years and a huge, competent, dedicated community to finally vet certain methods. Such a claim likely indicates that they reinvented the wheel and made it a square in the process.
3. “We open-sourced our code, thus we are secure.”
In fact, the most widely used and recognized tools are open source. Whoever wants to, but especially the competent community, is allowed to look into them and poke around, increasing the chance of critical problems being discovered and corrected. Yet it takes dedicated people and time for this review to happen, and errors are bound to persist. Open source is a necessary but insufficient security claim.
4. “We have a proprietary and closed system, only we know how it works.”
Biggest. No-no. Ever. While openness is not in itself a guarantee for security (see 3), experience shows that non-transparent solutions have been much worse, especially because they often go hand in hand with claim number 2.
5. “We haven’t been broken, thus we are secure.”
Sure, a good system shouldn’t be breached. But this statement should be understood as “We haven’t been broken yet.” It is only as good as the number of decades during which the solution and the tools it uses have been under scrutiny. Plus, don’t be fooled by hacking contests or rewards—they do not magically demonstrate security either.
6. “We are 100 percent secure, nobody can break us.”
By now you should know this is an imperfect world. Whoever claims complete security lives in a fairy tale and should not be trusted.
How to vet your favorite app
To find out how your desired app stacks up, you might have to turn to the community and do some digging. If the developers behind the app are serious about security, they should use existing solutions wherever possible, respond positively to constructive critique, encourage people to point out potential flaws, accept improvement proposals, answer any question about their system, and make consistent and true statements about their product.
I suggest you look into the developers’ record. Use your favorite search tools, refer to your savvy friends, and read tech-related news sites and blogs. As in real life, building trust takes time, multiple perspectives, and experience.
WhatsApp’s claims about privacy being their guiding principle leave a slightly bitter taste, for example, when you learn that during their first years of operation, your messages were not protected and that they committed critical errors when they first began implementing security measures.
Doing it right and securely
If a giant like WhatsApp can get it wrong, is there a messaging app that does security right? I believe so: Silicon Valley-based textSecure. Its only problem is that the very privacy it enables cuts it off from today’s most trendy way to fund a service: targeted advertising. The result is a less shiny user-interface and an iOS version that is still in the pipeline (it was initially released for Android).
But in matters of private and secure messaging, textSecure is the most serious player out there. For me, they are worth supporting. Their developers deserve it, and there will come a day when we’ll be glad they exist because the industry seems unlikely to turn away from (ab)using your information anytime soon.