Want to chat securely? Here’s what to look for in an app
SAN FRANCISCO (CNNMoney) — You’ve probably heard that everyone from activists to White House staff is using secure messaging apps. You might want to start using them, too.
Encrypted apps are growing in popularity as people become more concerned about private information falling into the wrong hands. But apps that cloak your messages with additional layers of security aren’t just useful for coordinating protests or leaking to the press.
It’s just good practice.
Tools that block prying eyes from seeing your chats no longer require technical know-how.
There are a number of encrypted chat apps that use end-to-end encryption, meaning only the sender and recipient can read the messages. They prevent third parties from intercepting your texts.
According to documents released by WikiLeaks on Tuesday, the CIA and other government agencies can “bypass” encryption on some chat apps by hacking the phone itself. But this isn’t new — if anyone gains physical access to your device (because you use bad passwords, for instance), then encryption doesn’t matter for any app.
It’s important to note that not all encrypted apps are created equal. Here’s a cheat sheet.
Look for ‘Signal Protocol’
In short, use Signal or WhatsApp, according to Nicholas Weaver, senior staff researcher at the International Computer Science Institute in Berkeley.
In fact, Weaver said, Facebook-owned WhatsApp may be better in many cases, because it’s less suspicious than having Signal on your phone. (Although some people don’t like WhatsApp because it shares some data — though not your messages — with its parent company.)
There are a variety of cryptographic protocols (the mathematical nuts and bolts) that apps can use to secure your messages. Signal and WhatsApp use the Signal Protocol, designed by Open Whisper Systems and widely considered to be the best. But some apps write their own algorithms and customize their security implementation, which is a red flag for researchers.
Chat app Telegram caught flak from critics for “rolling their own crypto” last year, and security experts don’t recommend it.
Don’t believe ‘military-grade’ claims
Experts say you should be wary of anything that makes outlandish claims, like being unhackable by federal agencies. Or, in the case of Confide, the claim that it uses “military-grade cryptography.”
“Anyone who says ‘military-grade crypto’ is a huge warning sign because it’s someone who doesn’t understand cryptography, or it’s someone who understands cryptography and is deliberately using a term that cryptographers regularly ridicule,” Weaver said.
Weaver notes that military and government spy agencies already use systems based on consumer-grade cryptography — tech anyone can use — so calling it “military-grade” is meaningless. Further, secure apps are about more than fancy algorithms. Other details — like user verification and how long it takes to encrypt your messages — are just as important, since weaknesses there are how an app actually gets compromised.
Check for independent audits
If an encrypted app hasn’t published a white paper that describes its tech, or hasn’t been reviewed by third-party researchers, you might want to be cautious before using it. Independent reviews often find bugs that the company’s engineers missed.
“Unless they have been independently tested, we don’t know that they have made a correct choice and implemented a good algorithm, and use appropriate methods to generate and distribute keys,” according to Eugene H. Spafford, a computer science professor at Purdue University.
Signal and WhatsApp have released technical papers outlining their security methods, and Open Whisper Systems publishes Signal’s code for anyone to look at. Wickr also recently published its code for public review.
Federal employees have reportedly been using these apps as a means to securely leak information. CNN previously reported that White House press secretary Sean Spicer checked aides’ mobile devices and told them using encrypted chat apps, like Confide, violates the Federal Records Act.
Following the revelations that White House staffers use Confide, security researcher Jonathan Zdziarski took a cursory look at the app’s innards. He didn’t find anything glaring in the information that’s publicly available (Confide doesn’t publish its code like Signal), but said he wouldn’t recommend it.
“[It] obviously has at least a few disagreeable functions (such as retaining undelivered messages),” Zdziarski wrote in the post. “It may be fine for personal conversation, but I would recommend a more proven technology, such as Signal, if I were to have my pick of the litter.”
Entrepreneurs are trying to take advantage of an increased desire for secure communications. For instance, Cloakroom, an anonymous app for federal workers, recently added a secure messaging function for people who want to leak information.
Before downloading anything, do your own research. It’s worth spending time investigating an app before trusting it to keep your communications secure.