What Is Encrypted Messaging and How Secure Is It Really?

finjanmobile | Blog, Mobile Security

Encrypted Messaging

People across the world have been turning to encrypted messaging, chat, and online communications tools as a way of protecting themselves from increasing levels of government surveillance and eavesdropping, and to keep themselves secure against cyber-criminal activity.

The idea that text-based communications and even voice messages can be scrambled through encryption and thus rendered inaccessible to prying eyes is a comforting thought to many. But as we shall see, encrypted messaging isn’t a total solution in itself. And the protective umbrella of encryption doesn’t always extend as far as people may think.

End-to-end Encryption

For many applications, encryption is only applied to data in transit. So the content of a message or data transmission exists in a readable or plain text state at the point of origin, or the place where it’s stored. The information is scrambled and unreadable as it passes from point to point across a network, or the internet. And when it reaches its destination, the message or communication is converted back to its original and readable form. This leaves the information in an unsecured state at both its origin and destination points.

End-to-end encryption extends protection to the endpoints of a communication by converting information to an unreadable state as soon as the transmission begins. And this is the condition in which it arrives at the destination. Data isn’t decrypted at the receiver’s end until their system gives the go-ahead for that to happen. To make this part of the process more secure, the encryption key required to scramble or decipher a communication is stored locally on each device.

So in theory, data transfers conducted via end-to-end encryption remain secure throughout their course. This is why the technique is at the heart of encrypted messaging systems.
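
The difference between the two models above, shown as an added example that is not part of the original article: a relay that terminates transit encryption holds the readable message, while under end-to-end encryption it only ever handles ciphertext. The function names, the sample message and the single unauthenticated X25519 exchange are assumptions chosen for illustration; it runs on Node.js with only the built-in `crypto` module.

```javascript
// Added example: constructed sample message; uses only Node.js built-in crypto.
const crypto = require('crypto');

// AES-256-GCM; output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Transit-only: every hop has its own link key, so the relay must decrypt
// the message before re-encrypting it for the next hop.
function transitOnly(message) {
  const linkA = crypto.randomBytes(32); // sender <-> relay (hypothetical link key)
  const linkB = crypto.randomBytes(32); // relay <-> recipient
  const atRelay = unseal(linkA, seal(linkA, message)); // readable on the relay
  const delivered = unseal(linkB, seal(linkB, atRelay));
  return { relaySees: atRelay, delivered };
}

// End-to-end: private keys are generated and kept on each device; the relay
// forwards public keys and ciphertext but can derive no decryption key.
function sessionKey(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2e-demo', 32));
}
function endToEnd(message) {
  const sender = crypto.generateKeyPairSync('x25519');
  const recipient = crypto.generateKeyPairSync('x25519');
  const relaySees = seal(sessionKey(sender.privateKey, recipient.publicKey), message);
  const delivered = unseal(sessionKey(recipient.privateKey, sender.publicKey), relaySees);
  return { relaySees, delivered };
}

const msg = 'meet at 6pm'; // constructed sample message
console.log('transit-only relay sees:', transitOnly(msg).relaySees);
console.log('end-to-end relay sees:  ', endToEnd(msg).relaySees.toString('hex'));
```

In both modes the relay still learns who is talking to whom, when, and roughly how much, which is why message content and metadata are treated as separate concerns.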

Encrypted Messaging Systems

Email, text, chat, and even voice messaging apps with encryption applied to all stages of the information exchange process give users some assurance that their communications will remain free from casual eavesdropping, serious surveillance, interception, or hacking. In an age where digital privacy has become a prime concern, this explains why encrypted messaging systems have been gaining in adoption and popularity.

There are currently systems available to cover a wide range of applications. But not every aspect of digital communication has embraced the encrypted messaging option.

Some mobile network carriers boast that SMS text messaging is encrypted under their service – but there’s usually less to this claim than meets the eye. If any encryption is applied to text messages at all (it’s an optional feature, and one not always enabled by the network carrier), this typically occurs only on the link between your phone and the nearest cell tower.

Since SMS encryption for mobile only extends as far as the cell tower, once a message reaches this point it will be decrypted before being sent on to the network carrier’s database. There, the information will be stored in an unencrypted and vulnerable state, awaiting further processing. And while it’s in storage, metadata concerning each message will also be archived by the mobile provider.

An exception to this is iMessage, the default texting app on iOS and Apple Macs, which uses end-to-end encryption on all communications between Apple devices.

Truly encrypted messaging systems will be encrypted end-to-end, so that even the service provider and its staff are unable to decipher what’s in your communications. Ideal solutions are “server-less” in that they won’t store user information anywhere, and are therefore safe from hacking, unavailable to third parties, and unable to satisfy requests for records lodged by government or law enforcement agencies.

At the mainstream level, popular platforms include the likes of Signal, Telegram, and Wickr. WhatsApp is a major encrypted messaging platform, but its association with Facebook (which purchased the brand in 2014) has rather tainted its reputation of late.

In a more general sense, users of unsecured public Wi-Fi should also consider using a Virtual Private Network (VPN) application to conceal their identity and location from Internet Service Providers (ISPs), higher-level surveillance, and the attentions of hackers. InvinciBull – a VPN product from the Finjan stable, and successor to Vital Security – uses military-grade encryption to ensure the transmission of private and confidential messages or emails, and includes the option of a built-in browser with tracking detection and blocking capabilities.

The Disappearing Message Feature

One of the principal features of good encrypted messaging systems is their lack of an audit trail. As well as the content of a message being unreadable to anyone but the sender and recipient, there should be no associated metadata stored that might give clues as to the correspondent’s identity, location, or the nature of their communication.

To eliminate the risk of data being stored (and therefore, possibly accessible), many platforms secure exchanges between users with a “disappearing message” function. For example, Telegram offers a Secret Chat option: when one party deletes a conversation from their own device, the app on the other side is ordered to delete all of the messages in that conversation as well.

Similarly, messages, photos, videos, or files may be set to self-destruct in a “Mission Impossible” fashion after a certain amount of time, once they’ve been read or opened by the recipient.

All of these security and configuration features of encrypted messaging are well and good. But unfortunately, these systems don’t exist in a vacuum.

How Secure Is Your Recipient?

While an encrypted messaging exchange is going on, the content of that communication remains private and secure between the sender and recipient. But what happens after that?

For one thing, the message content will be deciphered once it reaches its destination. At this point, there’s no guarantee that one or other of the parties to an exchange won’t pass on some of that information to friends or colleagues, take screenshots, or store the data on their devices for extended periods in a form that’s accessible to third parties. One high-profile example of this is the relative ease with which the FBI gained access to WhatsApp messages from contacts of former Trump campaign chairman Paul Manafort.

And the ecosystem that’s been put in place to secure a messaging platform may fail to carry out its duties to the full. Providers may delay in removing messages that users have marked for deletion. Data stored on their servers may be willingly or inadvertently released to law enforcement or government – particularly if a lot of pressure is being applied. And the encryption standards that the service providers advertise may not actually be as strong as they claim.

Encrypted Messaging and Keeping Track of Devices

Encrypted messaging users with more than one device may also compromise the secure running of a system by failing to keep track of what information is stored on which piece of hardware. For instance, if chat streams are synchronized between a mobile phone, laptop, and cloud backup service, this increases the number of potential access points to that data.

It’s because of this that users are advised to disable (or at least, enable with caution) any default cloud backup settings on their encrypted messaging apps.

The Operations Security Approach (OpSec)

Instead of relying solely on the assumed security of encrypted messaging, it’s best to adopt an operations security or OpSec approach. This involves taking a holistic view of all the ways that information could be intercepted or accessed and taking relevant and specific steps to secure each avenue.
