Research by the Electronic Frontier Foundation found that only eight IM messengers met all of its security criteria. How can e-criminals get inside our messengers, and what can they steal? And more importantly, is there a way application security testing can stop cybercriminals from doing that?
Scripts Are Not a Remedy
All five applications (WhatsApp, Viber, Skype, Facebook Messenger and Google Hangouts) encrypt network traffic to protect users’ information from interception and modification. Although this kind of protection is vital for users’ security, it is quite new.
For a long time it was common to send images, locations and links to files freely, with no protection at all. But little by little, as the applications spread to more people, they caught the attention of information security specialists, who found vulnerabilities and published them openly. That pushed developers to start fixing bugs.
Even if an application encrypts its traffic, that still cannot ensure absolute security. Any profile can be hacked and spammed. The reason for the insecurity is simple: all applications are made by humans, and if even one developer makes a tiny mistake, the whole application may remain insecure.
Thus a potential criminal almost always has a chance to steal users’ data or disable the application using vulnerabilities that developers and testers missed. Such vulnerabilities can appear at the stage of message input: even a correctly formed message may still allow arbitrary command execution or denial of service. In the first case personal data can be sold to third parties; the most harmless use of stolen data is spamming those users with targeted ads. In the second case users lose access to the application.
Popular vs. Secure
All five popular applications described in this article were shown to have at least one security flaw. Are there any flawless IM messengers? According to the EFF, the following IM messengers meet all of its security requirements:
- Signal / RedPhone
- Silent Text
- Silent Phone
- Telegram (secret chats)
- Off-The-Record Messaging for Windows (Pidgin)
- ChatSecure + Orbot
Unsecured by Default
Many users want to know whether the owners of IM clients have access to their private messages and transferred files. According to the EFF, none of the five applications compared in this article is encrypted end-to-end, so the provider can read them. Even BlackBerry Messenger, which was considered well protected, turned out to be vulnerable.
Facebook Messenger can, however, collect and use your data for advertising purposes. Some would consider this ‘spying’ on you, but not in the way that many reports suggest.
Going further, Google Hangouts doesn’t support Off-the-Record (OTR) encryption, which provides a secure, end-to-end connection between users. With OTR encryption, no one in between can read your messages, not even your Internet service provider. But no Google service supports OTR, and many privacy advocates, including the EFF, say they should.
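To make the difference between these two models concrete, here is an added Go example (not from the article or from any of the apps it names) contrasting hop-by-hop transport encryption, where the provider’s server holds a key for each user and can read every message it relays, with an OTR-style end-to-end exchange, where only the two users derive the key. X25519 key agreement and AES-GCM stand in for OTR’s actual protocol; the server and user keys are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// seal encrypts msg with AES-256-GCM and prepends the random nonce.
// Every key in this demo is a 32-byte value, so aes.NewCipher cannot fail here.
func seal(key, msg []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, msg, nil)
}

// open reverses seal (ct must come from seal); ok is false when the key is wrong or the bytes were tampered with.
func open(key, ct []byte) ([]byte, bool) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, ct[:n], ct[n:], nil)
	return pt, err == nil
}

// TransportOnly models per-hop transport encryption: each user shares a key with the
// provider's server, which decrypts and re-encrypts every message and so sees the plaintext.
func TransportOnly(aliceServerKey, bobServerKey, msg []byte) (serverSaw, bobGot []byte) {
	serverSaw, _ = open(aliceServerKey, seal(aliceServerKey, msg)) // server's view
	bobGot, _ = open(bobServerKey, seal(bobServerKey, serverSaw))  // Bob's view
	return
}

// EndToEnd models OTR-style end-to-end encryption: Alice and Bob each derive the same
// key from an X25519 exchange, and the server only relays ciphertext it holds no key for.
func EndToEnd(serverKey, msg []byte) (serverCanRead bool, bobGot []byte) {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	aliceShared, _ := alice.ECDH(bob.PublicKey())
	bobShared, _ := bob.ECDH(alice.PublicKey())
	aliceKey, bobKey := sha256.Sum256(aliceShared), sha256.Sum256(bobShared)
	relayed := seal(aliceKey[:], msg)
	_, serverCanRead = open(serverKey, relayed) // the only key the server holds
	bobGot, _ = open(bobKey[:], relayed)
	return
}
```

In the first model the relay reads the message in the clear between the two hops; in the second the relay’s own key fails authentication and only Bob recovers the plaintext.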
Moreover, some applications go further and allow bosses to monitor their employees’ chats if the employees are registered in the company’s app. Slack is an example: being oriented toward corporate communication, it lets bosses not just read but even edit both business and private chats.
As the EFF rating shows, the most popular applications remain insecure, while little-known applications developed by amateurs were found to have a high level of security. In the end, it is always up to the user which application to choose: a popular but insecure one, or a secure but little-known one.