Messaging apps and encryption: A false sense of security

In the last couple of weeks we have seen consumer messaging giants WhatsApp and Viber retrospectively add end-to-end encryption technology to their communications platforms. The notion of providing users with improved security is certainly to be applauded, and seeing messaging apps adopt encryption as a necessity, as opposed to simply a nice-to-have feature, is long overdue.

However, the manner in which providers are increasingly introducing encryption technology within apps as an afterthought is potentially providing a false sense of security to the billions of people who use them on a daily basis.

The reality is that messaging platforms like WhatsApp, Viber, and countless similar offerings on the marketplace do not provide users with a level of encryption that safeguards truly sensitive information – yet they continue to claim they do.

The danger here is that the majority of users are unaware that there are different levels of encryption, so when these apps describe themselves as being identical to those that offer higher levels of security, it is understandable that consumers and business users believe them. Terms like end-to-end encryption, for example, can apply to vastly different systems and lead end users into a false sense of security that their calls, text messages, and instant messages are being sent securely.

The encryption epitome

Data breaches making major news headlines are alerting businesses and consumers to the risks of a potential breach when they use their smartphones to communicate on a daily basis. So now, more than ever, it is imperative that communication services across email, voice calls, conference calls, video calls, and instant messenger are properly protected from cybercriminals, intruders, corporate espionage, and hackers.

The state of cybercrime, whereby hackers are more sophisticated than ever in their bid to steal data for financial gain, calls for specialist communication applications with encryption at their core. This means people who truly care about the security of their communications must move away from popular messaging platforms that simply deploy encryption as a bolt-on to their current offering, in favour of true end-to-end encryption solutions.

These applications are built with security in mind from the ground up, with features like top-of-the-line RSA 4096-bit encryption, which is essential as it ensures all business and personal communications remain truly private. The key difference that sets these applications apart from others on the market is that they set out with the sole intention of developing a suite of totally secure communication services.

True encryption applications hold no access to encryption keys and no records of any communications between users. All encryption keys are generated within the user’s app on their device and are automatically deleted once used, with another 4096-bit key generated for each session. Nothing is seen or held by the provider and their networks are not involved.

Mainstream messaging concerns

This ideal of deploying true encryption is a far cry from what users receive with the likes of WhatsApp and Viber. WhatsApp, for example, has freely admitted that its new encryption service uses ‘derived keys’, which means that the company has some access to keys before a conversation is initiated and implies that it operates some form of temporary storage. This has the potential to create security loopholes that hackers could exploit, as the keys are stored on devices but it is not clear how they are generated or if they are deleted, or whether users’ messages are accessible from WhatsApp’s servers.

The case of Viber is even more concerning. The ‘coloured lock’ that the company says signifies whether messages are secured or not is simply a marketing gimmick that gives users a completely false sense of security that their messages are protected. There is no mention of how algorithms protect conversations or whether group messages – of up to 200 users – are protected by a single key or individual keys for each user. Its launch has failed to provide users with assurances that it is operating a level of security anywhere near true encryption.

With hacking and data breaches becoming increasingly prominent, consumers and businesses must be encouraged to think encryption first. But it is equally important to consider how secure the offering they choose to protect their business and personal communications actually is. The vast majority of offerings on the market from some big, well-known businesses simply don’t make the grade when it comes to offering total security and would not even come close to preventing highly skilled cybercriminals from accessing users’ communications.

It is vital that people take their digital communications seriously to ensure they can feel confident and fully secure when they interact with friends, family members and colleagues at home, at work and while travelling.

Jonathan Parker-Bray, CEO of Pryvate

Image Credit: Shutterstock/Andrea Danti