How safe is your primary IM app?

Instant Messaging (IM) apps have changed the face of our communication with the world. Without sounding clichéd, they have genuinely revolutionised the way we reach out to other people. I mean, when was the last time you actually "SMS-ed" someone?

Along with the popularity these apps have gained, they have also become an integral part of our lives, so much so that many people end their day looking at their IM app (many people fall asleep while texting :p), and IM apps are the first thing many of us check in the morning, even before getting out of bed!

And, ever since Edward Snowden leaked details of the NSA's massive spying program, PRISM, in late spring last year, public fear and privacy concerns about personal data have only escalated, though this has not dented IM app usage at all.

Nevertheless, a secure messenger is something every one of us deserves, alongside our right to privacy and freedom.

First off, here's a list of the top 5 instant messaging apps by usage metrics:

WhatsApp dominates this list with a mind-boggling 600 million users; the Chinese giant WeChat is behind WhatsApp at 460 million users; then come Line, Snapchat and Viber.

Recently, the Electronic Frontier Foundation, an organisation which fights for the right to privacy in the digital age, published its "Secure Messaging Scorecard", rating various instant messaging apps. The apps were screened on many different grounds: whether they encrypt data at all, whether the transmission is protected along the whole path (sender to server to recipient), whether the provider or an eavesdropper could decrypt the messages, and so on.

The test was conducted on 7 parameters, described here in the EFF's own words:

  • Encrypted in transit?

This criterion requires that all user communications are encrypted along all the links in the communication path. Note that we are not requiring encryption of data that is transmitted on a company network, though that is ideal. We do not require that metadata (such as user names or addresses) is encrypted.

  • Encrypted so the provider can't read it?

This criterion requires that all user communications are end-to-end encrypted. This means the keys necessary to decrypt messages must be generated and stored at the endpoints (i.e. by users, not by servers). The keys should never leave endpoints except with explicit user action, such as to backup a key or synchronize keys between two devices. It is fine if users’ public keys are exchanged using a centralized server.

  • Can you verify contacts' identities?

This criterion requires that a built-in method exists for users to verify the identity of correspondents they are speaking with and the integrity of the channel, even if the service provider or other third parties are compromised.

  • Are past comms secure if your keys are stolen?

This criterion requires that the app provide forward-secrecy, that is, all communications must be encrypted with ephemeral keys which are routinely deleted (along with the random values used to derive them). It is imperative that these keys cannot be reconstructed after the fact by anybody even given access to both parties’ long-term private keys, ensuring that if users choose to delete their local copies of correspondence, they are permanently deleted. Note that this criterion requires criterion 2, end-to-end encryption.

  • Is the code open to independent review?

This criterion requires that sufficient source-code has been published that a compatible implementation can be independently compiled. Although it is preferable, we do not require the code to be released under any specific free/open source license. We only require that all code which could affect the communication and encryption performed by the client is available for review in order to detect bugs, back doors, and structural problems.

  • Is security design properly documented?

This criterion requires clear and detailed explanations of the cryptography used by the application. Preferably this should take the form of a white-paper written for review by an audience of professional cryptographers.

  • Has there been any recent code audit?

This criterion requires an independent security review has been performed within the 12 months prior to evaluation. This review must cover both the design and the implementation of the app and must be performed by a named auditing party that is independent of the tool’s main development team. Audits by an independent security team within a large organization are sufficient. Recognizing that unpublished audits can be valuable, we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place.
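Criteria 2, 3 and 4 are easier to feel than to read, so here is a small added example (written for this post, not any messenger's real protocol) that models them in plain Python. It assumes a toy Diffie-Hellman group over the prime 2**127-1 and an HMAC-SHA256 counter-mode stream cipher, both chosen only so the code runs on the standard library; the function names (static_session, ephemeral_session, attacker_decrypt, fingerprint) are made up for the illustration. It pits two designs against the same attacker, one who recorded the wire traffic and later steals both parties' long-term private keys: in the first design the message key is derived from the long-term keys, in the second from per-session ephemeral keys that the endpoints erase after use.

```python
"""Toy model of EFF criteria 2-4 (end-to-end keys, contact verification, forward
secrecy). Constructed for this article, not any messenger's real protocol; the
group and cipher are deliberately toy-sized so it runs on the standard library."""
import hashlib
import hmac
import secrets

# Assumed toy DH group: 2**127-1 is prime but far too small for real use
# (a real app would use X25519 or an RFC 3526 MODP group).
P = 2**127 - 1
G = 3
NBYTES = (P.bit_length() + 7) // 8

def keygen():
    """DH key pair (private exponent, public value); serves long-term and ephemeral keys."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, peer_pub):
    """Raw DH shared secret as fixed-length bytes."""
    return pow(peer_pub, priv, P).to_bytes(NBYTES, "big")

def derive_key(secret, label):
    """32-byte message key from a DH secret (HMAC stands in for HKDF)."""
    return hmac.new(label, secret, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Plaintext, or None when the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def fingerprint(pub):
    """Criterion 3: short hash of a long-term public key, compared out of band
    (read aloud, QR code) so a key substituted by the server is noticed."""
    digest = hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def static_session(alice, bob, message):
    """No forward secrecy: the message key comes from the long-term keys alone, so
    anyone who later obtains either private key can recompute it."""
    (a_priv, a_pub), (b_priv, b_pub) = alice, bob
    key = derive_key(dh(a_priv, b_pub), b"static")
    assert key == derive_key(dh(b_priv, a_pub), b"static")  # both endpoints agree
    return {"ciphertext": encrypt(key, message)}

def ephemeral_session(message):
    """Forward secrecy: fresh ephemeral DH pair per session on each side; the key
    depends only on ephemeral secrets, erased afterwards. (In a real protocol the
    long-term keys sign these ephemeral values; they never enter the message key.)"""
    (ea_priv, ea_pub), (eb_priv, eb_pub) = keygen(), keygen()
    key = derive_key(dh(ea_priv, eb_pub), b"ephemeral")
    assert key == derive_key(dh(eb_priv, ea_pub), b"ephemeral")
    blob = encrypt(key, message)
    del ea_priv, eb_priv, key  # endpoints discard ephemeral material after use
    return {"eph_pub_a": ea_pub, "eph_pub_b": eb_pub, "ciphertext": blob}

def attacker_decrypt(transcript, a_priv, b_priv, a_pub, b_pub, label):
    """Record now, decrypt later: the attacker captured the wire transcript and has
    since stolen BOTH long-term private keys; it tries every secret those can reach."""
    candidates = [dh(a_priv, b_pub)]
    for eph in (transcript.get("eph_pub_a"), transcript.get("eph_pub_b")):
        if eph is not None:
            candidates += [dh(a_priv, eph), dh(b_priv, eph)]
    for secret in candidates:
        plaintext = decrypt(derive_key(secret, label), transcript["ciphertext"])
        if plaintext is not None:
            return plaintext
    return None

def demo(message=b"meet at 9, bring the docs"):
    """Run both designs against the same key-theft attacker and report what leaked."""
    alice, bob = keygen(), keygen()
    stolen = (alice[0], bob[0], alice[1], bob[1])
    return {
        "static_leaked": attacker_decrypt(static_session(alice, bob, message), *stolen, b"static"),
        "ephemeral_leaked": attacker_decrypt(ephemeral_session(message), *stolen, b"ephemeral"),
        "fingerprint_alice": fingerprint(alice[1]),
    }
```

Calling demo() returns the recorded message under "static_leaked" and None under "ephemeral_leaked": the ephemeral transcript carries only the two ephemeral public values, and the private halves that would reproduce the session key were erased at the endpoints, which is exactly what criterion 4 asks for. The caveat a practitioner should keep in mind is that stolen long-term keys still let the attacker impersonate you in future sessions, which is why the fingerprint comparison from criterion 3 matters alongside forward secrecy.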

Here’s the result of the test:

CryptoCat and Pidgin take the top honours, WhatsApp scores a meagre 2/7!

The world's most used IM app, WhatsApp, managed to tick only 2 of the 7 boxes, and many other popular messaging apps failed to live up to their security and privacy hype too, with Facebook Messenger also scoring just 2 out of 7 and joining ranks with WhatsApp (no wonder, they're both owned by Facebook Inc :p)!

Google Hangouts too joined the hall of shame with WhatsApp and Facebook Messenger, scoring just 2/7.

Skype and AIM were the poorest performers of all the apps that went under the hammer in this test, scoring just 1 out of 7. What a shame! :/

Apple's iMessage, meanwhile, managed 5 out of 7 and flexed its muscle on the encryption criteria. Still, the lack of access to its code for independent review remains a "major" concern!

The top honours were bagged by CryptoCat and Pidgin, scoring a perfect 7/7: they ticked every box, including encryption, access to code for independent review and a recent code audit.

This test clearly highlights that the popular option is not always the safest option. I'm in no way against the use of WhatsApp, Facebook Messenger or Google Hangouts, but what I'm trying to say is this: if companies give away their products for free for you to use, you're not the customer, you're the product, for the company and for the advertisers. So choose your messenger carefully and practise safe messaging etiquette!

Happy IM-ing! :)
