Last week we looked at the Electronic Frontier Foundation’s secure messaging scorecard and made a list of nine mobile and Internet messaging services that scored well on privacy and security. Today, we’re looking at the worst.
Interestingly, if last week’s list of messengers seemed obscure, than this week’s list of apps and services will seem all too familiar. For that reason, we’ll focus primarily on the most popular messengers, though we’ll also note the poor-scoring less popular ones as well.
The EFF issued up or down grades to each service for seven categories. For Kaspersky Daily, service providers earned failing grades where they received no points in the following categories:
1. Is data encrypted in transit?
2. Is data encrypted so that even the service provider can’t read it?
3. Can you identify the true identity of contacts?
4. Does the provider practice what is known as perfect forward secrecy, meaning crypto-keys are ephemeral so a stolen key won’t decrypt existing communications?
5. Is the service’s code open-source and available for public review?
6. Are cryptographic implementation procedures and processes documented?
7. Has there been an independent security audit in the last 12 months?
Altogether, the seven points are designed to measure which service offers the best protection against government surveillance, criminal snooping and corporate data collection. That said, neither the EFF nor Kaspersky Daily are officially endorsing any of the following programs. The list merely indicates which applications are consistently not following best practices.
The Really Bad: Zero Checkmarks
Only the Mxit and QQ mobile messengers received zero stars, but there’s a decent chance you’ve never used either anyway. Of all seven categories, the fact that Mxit and QQ aren’t encrypting data in transit is why we are recommending you use neither of them, because your communications on both apps can be viewed in plain text as they travel from sender to recipient.
The Still Pretty Bad: One Checkmark
Unfortunately, there are four messenger services that nearly all of us have used, that received just one of seven stars.
Long-time encryption laggard Yahoo’s messenger service only manages to encrypt user communications in transit. This means that Yahoo (the company) can read your messages or hand them over to law enforcement if they choose to do so. Despite this, they do issue biannual transparency reports detailing how much information they grant upon government request.
You also can’t verify the identities of your contacts with Yahoo! Messenger, nor does it practice perfect forward secrecy, open its code to independent review, or document its security design properly. Finally, the company has not performed a recent code audit either. To be fair, Yahoo’s more broad Web offerings have come a long way from where it was two years ago in terms of encryption, so there may be hope yet for its messenger as well.
Microsoft’s calling and messaging service, Skype, scored just as poorly as Yahoo! Messenger, receiving only one (and the same) check-mark for encrypting data in transit. It didn’t receive a second passing mark across each of the subsequent categories. Skype has something of a patchy record in terms of communications integrity and surveillance accusations, namely that the service has taken fire from critics for its alleged susceptibility to snooping. Microsoft has denied these claims.
BlackBerry Messenger received the exact same score as both Yahoo! and Skype. The service, run by the company formerly known as Research In Motion – or RIM – does encrypt communications in transit, which is good, but it does not encrypt communications so the provider (BlackBerry) can’t read them, allow users to verify contacts, protect past communications in the event that your keys are stolen, open its code to independent review, properly document security design, nor has it allowed a code audit in the last year.
AIM, perhaps better known as American Online’s Instant Messenger has been around for a long time. It’s safe to say that from the late 90’s through the mid-naughts, AOL’s Instant Messenger was peerless. While it’s popularity isn’t what it used to be, particularly among the younger generation, it’s still widely used. Unfortunately, like those mentioned above and below, it encrypts data in transit but doesn’t do a whole lot more.
For what it’s worth, the cross platform Secret Message app touts itself as secure and the Hushmail email client calls itself private while each only encrypts data in transit. The Kik and eBuddy XMS platforms don’t outright advertise their security posture, but they both received the same check-mark as everyone else in this category and no others.
The Better but Still not Good: two checks
The popular ephemeral image and video-sharing application, SnapChat, comes in with two-stars. One for encrypting data in transit as it passes from the sender, through SnapChat’s servers, to the recipient. And another star for having performed an audit in the previous year. Like many of the services on this list, SnapChat has been the subject of much criticism, not so much for lacking security, but for failing to follow through on its central premise.
The core idea behind SnapChat is that messages, photos or videos appear for an amount of time determined by the sender before disappearing forever. However, the recipient can save images by taking screen grabs, though the sender would be notified. More troubling, an application called SnapHack circumvents SnapChats ephemerality altogether, by allowing recipients to simply save Snaps. And lastly, researchers have repeatedly claimed that the images never really go away, but merely become more difficult to find.
Likely in the top three in terms of popularity for apps on the EFF’s scorecard, Google’s Hangouts got two stars. Hangouts is cross-platform. It’s not only the built-in Gmail chat client, but it’s also the native chat client for Google Plus as well as for Android devices. Google encrypts data in transit for Hangouts and has had an audit in the last year, but Google can read your messages, users can’t verify contacts’ true identities, it doesn’t deploy perfect forward secrecy, it’s code is not open to independent review and its security design is not properly documented.
Facebook’s Chat, which is the mobile variety of the Facebook messaging service, gets two stars too. As popular as any service on the scorecard, Facebook Chat encrypts data in transit and has been audited, but fails across the other categories.
Viber is surely the least popular among the two-star category. While it’s apparently known as a private messenger, it only gets checks for encrypting in transit and carrying out an audit.
This brings us to the increasingly curious case of WhatsApp. WhatsApp is an incredibly popular mobile text messaging service. So promising is WhatsApp, the social media goliath, Faceboook, spent a cool $19 billion acquiring it earlier this year. It’s a sort of data alternative to the SMS texting protocol (as in it works over the Internet rather than over the cellular network itself). While the EFF gave the service the same two checks it gave everyone else in the two-star category, I suspect that could change.
The reason for that change is that just this week, WhatsApp partnered with Open Whisper Systems adding default encryption to its Android app. As a point of reference for why we think things could change for WhatApp given this partnership, Whisper Systems’ Signal, RedPhone, SilentText and SilentPhone offerings passed on all seven checks in the EFF’s score card. In other words, it appears that WhatsApp is to become considerable more secure in the coming days and months.
At the moment though, the cryptography is only implemented on Android devices for one-on-one communications. So iPhone users will have to wait and group message chains are not as secure yet. However, WhisperSystems says they are working on both of those problems as we speak.
The bottom line with the WhatsApp cryptography announcement is this: That they are starting to take security and privacy very seriously is great news, and hopefully WhatsApp’s competitors will follow its lead.