Find out how secure your messaging application is
When it comes to sending messages to other recipients, chat applications that allow you to do so have been around for ages.
Recently things have moved to mobile though, and that's where most communication takes place nowadays.
Mobile users pick apps out of hundreds or even thousands of available ones, and while many select the most popular apps such as WhatsApp, Facebook Chat or Google Hangouts, others may select apps that promise better security or privacy.
It is nearly impossible for end users to tell whether these apps live up to the promises they make or whether their security and privacy are just an illusion.
The Electronic Frontier Foundation analyzed dozens of mobile chat applications from popular choices to those that promise security over anything else.
For each app, the following questions are answered:
- Is the data encrypted in transit?
- Can the (app) provider read the message?
- Can contacts be verified?
- Are past communications secure if the keys get stolen?
- Is the code open source or available for independent reviews?
- Is the application's security design documented and available?
- Has the code been audited by third-parties?
You will find explanations of each question, and of the methodology used to arrive at an answer, at the bottom of the page.
Most applications that the EFF analyzed failed in one or multiple categories. Only the following apps passed all tests:
- ChatSecure + Orbot (encrypted chat application for iPhone and Android)
- Cryptocat (available for iOS, OS X, and web browsers)
- Signal (iOS only)
- Silent Circle (available for Android and iOS)
- Silent Text (available for Android and iOS)
- TextSecure (Android)
How did the popular apps fare in the test?
- AIM passed 1 out of 7
- Blackberry Messenger passed 1 out of 7
- Blackberry Protected passed 3 out of 7
- Facebook Chat passed 2 out of 7
- FaceTime passed 5 out of 7
- Google Hangouts passed 2 out of 7
- Skype passed 2 out of 7
- Telegram passed 5 out of 7
- WhatsApp passed 2 out of 7
- Yahoo! Messenger passed 1 out of 7
It is important to check which tests were passed and which were not as you may not consider every test equally important.
The EFF plans to examine apps more closely in terms of usability and security in the near future and notes that the test should not be seen as an endorsement just yet.
Now You: Are you using a chat application? If so which and why?
I read this the other day and was surprised OTR code is not audited (I thought it was open source?). I use Pidgin (a pimped out portable one, of course) with OTR.
One of the problems here is how to migrate users away from Skype etc, and to use open protocols, rather than proprietary ones in closed eco-systems.
Looking at free versions (I assume they’re free) – I’ve always shied away from CryptoCat for some reason .. something I read somewhere. But will look again at it, as well as TextSecure. Otherwise, if I had the money I would definitely go for SilentCircle.
Just because something is open sourced doesn’t mean it has been audited, though people can review the source code at any time, given that they know programming.
I feel you on Cryptocat, I believe it was due to some bug that allowed people to decrypt messages for some time. I never used it though.
OTR is open source and was already audited, more than once. Yes it is secure by design.
I use Threema and for SMS TextSecure (hope Threema gets an SMS upgrade someday). And it’s fine, I decompiled Threema and couldn’t find anything problematic.
This is part of the explanation for “Audited” column, and it is laughable: “[…]we do not require that the results of the audit have been made public, only that a named party is willing to verify that the audit took place.”
This way, an open source application like Pidgin+OTR is considered not audited, but Facebook Chat is.
Extremely relevant today due to WhatsApp’s update, in which the other user can tell whether you actually read his message or not…
Less of a privacy issue, but definitely relevant to some users, and some may look to switch apps nowadays…
Nice one Martin =)
“in which other user can tell if you actually read his message or not” – Indeed, like email receipts and email tracking beacons etc (which is why I always block all online content in emails)
Pidgin .. kinda funny (and annoying) that when one user is typing the other is told “Scarlett is typing…” .. highly annoying, especially when the other person doesn’t message you anything, and you think .. “Does she still love me?” *sigh*
UI: Whoever came up with the ridiculous left/right speech bubbles that get imitated everywhere (was it Apple?). It wastes space, forces you to change finding where the message starts, etc. And blue and green speech bubbles … /me vomits
Quit it with the smileys, dude!
It’s like I don’t even know you anymore.
Pidgin has an option to disable that “…is typing” notice, if I recall.
The audit column is useless.
Being a CPA, the scope of an audit of software is defined by the company, and is specific to the EXACT question(s) defined within scope.
So for example, the audit scope could include “the software (version 4.5.6816785) was developed in accordance with Company X’s Application Change Management Policy”. This of course would have nothing to do with security, privacy or anything that would really matter to the normal user.
It could also include say “the software (version 4.5.6816785) collects the IP address, data usage (details which would be defined), provides this complete data to external party Y in accordance with sales agreements in effect as of X.”
Both are legitimate audits!
And to make this even more useless, a company that has asked for the non-statutory audit can change the question depending upon the results – so you MUST read the audit in detail to understand what it truly means.
Again for example, if an item in the scope was “when a user accesses the server, their login name and password are authenticated on a server where the data is stored in an encrypted database”
– this does NOT mean the data is always encrypted – it could be unencrypted everywhere else it may be stored. It also does not say that the company does not have the ability to unencrypt the data.
So audit means NOTHING when the audit report is not disclosed, and even then, you must really know how to read that report when it is.
I use the open source TextSecure and its companion RedPhone. Mostly when discussing taxes and other businesses.