Thursday, January 26, 2017
Secure Messengers in Comparison: WhatsApp and its Alternatives
In the 21st century, encryption has become a means of self-defense. Who we defend ourselves against varies, as do the reasons why we do so. Some use encryption as self-defense for ideological reasons, for example to claim the right to privacy without compromise; others because without it, their lives would be in danger.
All over the world, investigative journalists, human rights activists and whistleblowers, but also lawyers, doctors and privacy-conscious individuals rely on secure encryption. The former protect themselves, because the sensitive data they hold is so explosive that it could threaten their safety. The latter protect others, having been entrusted with their sensitive information.
Obviously, encryption is essential for those who stand up for minorities and justice in totalitarian regimes and countries where free speech implies fear for one’s personal safety. But there are also some western democracies which continuously compromise the right to privacy and legitimate the surveillance state. The only opposition we can offer is encryption as self-defense.
Encryption Comparison – Our New Series
In our “Encryption Comparison” series we will present different platforms and channels on which you are able to protect yourself by encryption, no matter if you are a journalist, businessman or private person who appreciates data security and privacy. To kick off the series, we compared instant messaging services, such as Threema, WhatsApp, Facebook Messenger, Telegram or Google Allo, that offer end-to-end-encryption. We analyze in detail what this actually means and if your messages are protected comprehensively.
Future articles of this series will be about the encryption of hard disks and devices, of emails, clouds and more.
The Signal Protocol
Many of the messaging apps which we compare below use the Signal Protocol. Therefore, here is a short explanation of what it actually is.
Signal is an open-source encryption protocol developed by the renowned IT security experts Trevor Perrin and Moxie Marlinspike at Open Whisper Systems. In 2016, the Signal Protocol was analyzed by a team of international security specialists and was considered very secure. Moreover, on their website it is recommended by Edward Snowden.
Apps with End-to-End-Encryption by Default
At present, WhatsApp is used by more than a billion people which makes it the most popular messaging app in the world. This is the reason why we look at this one first. There have been quite a few things going on at WhatsApp in recent years.
As of 2016, WhatsApp protects all messages with end-to-end encryption based on the Signal Protocol by default. This prevents any unauthorized party, WhatsApp itself included, from reading the chats. Every contact is assigned an individual security code, which makes it possible for you to verify the other person’s identity. However, this feature needs to be activated manually. The security code protects users against man-in-the-middle attacks.
By introducing end-to-end encryption by default, WhatsApp achieved what the IT security industry has been working towards for decades: encryption and privacy for every person without major compromises in terms of usability. This marks a milestone in the history of encryption. There are two sides to every story, though. Here are two things to be borne in mind.
Another problem is the backup feature. Originally, WhatsApp stored the chat logs unencrypted on servers. This has since been improved. Under certain circumstances, however, at least the unencrypted metadata can be viewed. Plus, if you or your conversation partner uses automatic backups to iCloud or a Google account, the chats will be in the cloud, unencrypted, as well. Data protection advocates are not yet satisfied with the new backup solution for iCloud.
As before, the app downloads all data from the smartphone directory during installation. According to the Terms and Conditions, the WhatsApp user is responsible for obtaining the consent of each contact. It goes without saying that this never happens and would be disproportionate.
There is a security hole in messages that are sent but not delivered. WhatsApp sells this gap as a feature. The argument is that there is no data loss when the receiver changes their mobile number. Data protection advocates consider this at least questionable. We recommend this text in the Guardian.
Signal was developed, amongst others, by security specialist Moxie Marlinspike at the non-profit group Open Whisper Systems. Edward Snowden recommends Signal and Open Whisper Systems without reservation, for example on their website. There, crypto expert Bruce Schneier – the author of the standard reference Applied Cryptography – claims to be a huge fan of the app as well.
Signal offers group chats, text and voice messages, voice calls and the possibility to send images, videos, audio, emojis and stickers. This should cover anything a normal user needs. As the cherry on top, it also lets you add text and drawings to images before sending them. Recently added features include a self-destruction timer for messages (the timer can be set between 5 seconds and a week). Screenshots can be blocked using a specific setting. This provides some protection against the dissemination of sensitive chat content.
According to Open Whisper Systems, conversations are end-to-end encrypted by default using the open-source Signal Protocol. Contacts are verified by checking safety numbers or scanning QR codes. This implies one additional step, as you have to either compare safety numbers via a different channel or meet the other person to scan QR codes. However, this procedure protects you against man-in-the-middle attacks. In contrast to WhatsApp, Signal does not back up messages in the cloud. Therefore, the backups are secure.
Signal needs to be verified via SMS code. Hence, using Signal is only possible with a SIM card. This excludes some user groups and use cases. Fundamentally, the number of Signal users is comparatively small. This is why most people intending to switch to Signal will first need to put effort into convincing their peer group. Those admittedly few friends who are using Signal will be revealed immediately during the installation of the app, because the app requests access to the phone's contacts.
Just like Signal, Threema is considered outstanding in terms of its security. The messaging app, made in Switzerland, is used by 3.7 million people (as of June 2015). Whereas Signal dominates the international market for WhatsApp alternatives, Threema is popular mainly in German-speaking countries: 85% of the users are from Germany, Austria and Switzerland.
During the registration process, an anonymous Threema-ID and password are generated. Profile name and picture are optional. There is no need for the app to access your contacts if you do not want it to do so.
Furthermore, private chats can be hidden and secured by a PIN code. There are three different categories of contacts, depending on the level of mutual trust: red for unknowns, yellow for verified users and green for contacts known in person. In order to mark contacts in green, you have to meet and verify them in person by scanning their QR codes. Thus, you are protected against man-in-the-middle attacks. Threema end-to-end encrypts all messages by default, using the NaCl library.
There are no problems known concerning data security. Voice or video calls are not possible.
Services with Opt-in Encryption
The messaging service Telegram is free and by now has more than 100 million users. It was developed in 2013 by the Durov brothers – the founders of the Russian social network VKontakte.
Telegram offers opt-in end-to-end encryption and the option that messages self-destruct after a certain time.
Security experts criticize that nobody really knows where the company behind Telegram is located. Additionally, Telegram uses its own encryption algorithm, the MTProto protocol, which has been developed in-house. This is incomprehensible, as there are good and tested solutions out there, such as the Signal Protocol. There have been many controversies over the protocol Telegram is using.
Because of these dubious circumstances and the missing imprint on their website, Telegram is not recommended.
Facebook Messenger is Facebook's very own instant messenger app that, starting mid-2016, Facebook users have to use if they want to read their Facebook messages on mobile devices. For this reason alone the Messenger is the second most used messenger app in the world. In our opinion, this pressure to use the app is a huge downside.
This messaging app is mentioned in this list only because it started offering end-to-end encryption using the Signal Protocol last year as well.
End-to-end encryption is provided as an opt-in only, which means that you have to activate the encryption feature “Secret Conversation” manually. Therefore, many users will probably stick to the common unencrypted chats. Encrypted group chats are not possible.
Be aware that your unencrypted messages are being automatically scanned for key words by Facebook. If you use Facebook Messenger, always activate “Secret Conversation”, although the consequence is that you can read your messages on one device only.
Google Allo is the new intelligent instant messenger by Google, with a virtual assistant. It is able to learn and thus to give a “Smart Reply”.
Once more there is optional end-to-end encryption based on the Signal Protocol, but when you activate this security feature, it is not possible to make use of the smart assistant anymore.
Unencrypted conversations are read, indefinitely stored and analyzed by Google, to facilitate machine learning. Apparently, there is the possibility to delete them from the server.
End-to-end encryption is opt-in only (Incognito Mode). When encryption is enabled, the features of “Smart Reply” and “Google Assistant” are, of course, no longer available. There is no encrypted group chat. The Google Assistant, which joins the conversations, is sort of a “man in the middle” itself.
Of the above-mentioned instant messaging services, WhatsApp clearly is the all-rounder, which also contributed considerably towards a wider use of encryption. Their solution apparently works well, in that they actually cannot view messages, as a dispute between WhatsApp and a judge in Brazil indicates. WhatsApp refused to hand over chat logs, pointing out that the company is no longer able to access the documents, even if they wanted to.
The big upside to WhatsApp is its usability and its popularity. A downside is that, if not treated with caution, there could be unencrypted backups ending up in the cloud. Another disadvantage is the fact that WhatsApp is owned by Facebook and that these two companies would like to exchange data. If this looks suspicious to you, you might be better off relying on the alternatives Signal or Threema.
As for Facebook Messenger and Google Allo, end-to-end encryption can only be used at the expense of usability. However, data protection and privacy are guaranteed only when encryption is activated. Due to the discussion mentioned above, Telegram should be treated with caution as well.
You may choose your messenger according to what features you value the most.
From our point of view, the most important things are that messages are end-to-end encrypted, that nobody is able to spy on you or scan your messages, and that what you write is private and just between you and your friends. All these points are offered by WhatsApp, Signal and Threema.