Wednesday, May 9, 2018

Encrypted Communication Apps (OSAC)


Why Use an Encrypted Communications App?

Human behavior is typically one of the biggest cyber vulnerabilities an organization faces; encrypted communication apps help protect against the potential exploitation of human error while also combatting malicious actors. Constituents may have robust cyber and physical security measures at the organizational level, but individual employees and mobile devices can still expose the organization to cyber threats. These threats may be exacerbated when operating or traveling abroad due to differences in the threat environment. As a result, safeguarding the organization at the employee level is critical, and ensuring secure communications among employees is a vital part of this process.

Apps for encrypted communication provide a layer of security at the employee level and reduce the opportunity for hacking or manipulation by malicious actors. Various apps help protect users against multiple cybersecurity threats, including communications/signal-interception, voice-call tapping, and hacking.

Factors to Consider

Users should consider a number of app-related issues, including security features, app prevalence, quality of service, and platform availability. Three crucial security features to protect information and ensure privacy in communications are end-to-end encryption, protected metadata storage, and anti-screen scraping measures. Many new secure-communication apps have built-in technology that focuses on these three features; however, older forms of communication and some apps do not have these as a default setting and/or offer suboptimal protection due to outdated technology, which may include inherited vulnerabilities that malicious actors have discovered and could exploit. Users must carefully examine the available and default features of communications apps when deciding which to use.

End-to-end encryption allows data to be read only by the intended individuals and keeps it encrypted at all other points. While a message is in transit between the sender and recipient, it remains protected; encryption prevents outside actors from reading the contents if the message is intercepted. Even the app developer and the mobile network cannot see what information is being shared via their own technology.

Preventing access to metadata, which includes contact phone numbers and the number and times of messages, allows for increased privacy for the communicating parties. This can prevent third parties from discovering who is involved in a conversation, where the parties are located, and when messages were exchanged. Often, metadata is used by third parties to track activities and movements of a target.

Screen-scraping prevention technology protects individuals from having their online activity accessed by a third party. Screen scraping involves the transfer of all the contents on the screen of another computer, which is a security problem regardless of the sensitivity of captured information.

App Comparison

The table below provides a brief feature-based comparison of four free apps widely used by OSAC constituents, based on the benchmarking survey. OSAC notes that this is not a recommendation; numerous additional reputable and quality apps, both free and fee-based, are widely available. Some encrypted messaging apps that are popular with security professionals include Signal, WhatsApp, and Wickr. However, there is no one-size-fits-all messaging app that will meet every security and communications need. Which encrypted communications apps private-sector organizations choose to use often depends on their specific organizational needs and the needs of their employees, as well as their exposure to the product.

 
Signal

Major security organizations and private security companies routinely tout Signal as the most secure app because of its numerous security features. Signal allows use across multiple platforms, has default end-to-end encryption, includes a blocker that stops screen scraping, allows for self-destructing messages, and does not save metadata. The app is built on open-source code that is routinely inspected by experts to help eliminate security flaws. Signal also controls data exchange across Wi-Fi to reduce the likelihood of information being hacked.
 
WhatsApp

According to Heimdal Security, WhatsApp is one of the most popular and secure apps on the market. It is compatible with numerous devices and provides service for multiple platforms. The app has a variety of built-in security measures, including default end-to-end encryption and user security codes to ensure messages aren’t intercepted and passed on (man-in-the-middle attack). However, in early 2018, a report by Ruhr University found an unlikely scenario whereby individuals that physically controlled WhatsApp servers could insert new people into an otherwise private group, allowing those individuals to read and selectively block messages, reducing the efficacy of end-to-end encryption. By default, WhatsApp backs up a user’s data to the cloud, including chat history. This feature can be disabled, but not doing so (the default setting) could mean users are unintentionally transferring data to third parties.
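The security-code check mentioned above can be illustrated with a short added example; it is not code from the OSAC report or from WhatsApp. It uses a simplified fingerprint scheme (iterated SHA-512 rendered as digit groups), and the function names, round count, identifiers, and keys are all assumptions constructed for the demonstration.

```python
import hashlib

ROUNDS = 1000  # assumed work factor for this illustration


def fingerprint(user_id: str, identity_key: bytes) -> str:
    """Derive a 30-digit fingerprint from one party's public identity key."""
    digest = identity_key + user_id.encode("utf-8")
    for _ in range(ROUNDS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # Six 5-byte chunks, each reduced to a zero-padded 5-digit group.
    return "".join(
        f"{int.from_bytes(digest[i:i + 5], 'big') % 100000:05d}"
        for i in range(0, 30, 5)
    )


def security_code(id_a: str, key_a: bytes, id_b: str, key_b: bytes) -> str:
    """Combine both fingerprints; sorting makes the result order-independent."""
    digits = "".join(sorted([fingerprint(id_a, key_a), fingerprint(id_b, key_b)]))
    return " ".join(digits[i:i + 5] for i in range(0, len(digits), 5))


def constructed_key(label: str) -> bytes:
    """Stand-in for a 32-byte public key (constructed, deterministic sample)."""
    return hashlib.sha256(label.encode("utf-8")).digest()


ALICE, BOB = "+15550100", "+15550101"          # constructed identifiers
alice_key, bob_key = constructed_key("alice"), constructed_key("bob")
relay_key = constructed_key("interceptor")     # key substituted in transit


def honest_codes():
    """Each device holds its own key plus the peer's genuine key."""
    on_alice = security_code(ALICE, alice_key, BOB, bob_key)
    on_bob = security_code(BOB, bob_key, ALICE, alice_key)
    return on_alice, on_bob


def intercepted_codes():
    """Each device was handed the interceptor's key in place of the peer's."""
    on_alice = security_code(ALICE, alice_key, BOB, relay_key)
    on_bob = security_code(BOB, bob_key, ALICE, relay_key)
    return on_alice, on_bob


if __name__ == "__main__":
    for name, (a, b) in (("honest", honest_codes()), ("intercepted", intercepted_codes())):
        print(f"{name}: match={a == b}\n  Alice sees {a}\n  Bob sees   {b}")
```

When the two users compare codes over a separate channel (in person or by voice), a mismatch shows that at least one device holds a key that does not belong to the other party.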
 
Skype

In a January 2018 platform preview, Skype began providing end-to-end encryption for audio calls, text, and multimedia messages through its Private Conversations feature. Skype uses Signal Protocol encryption, though the encryption feature is not on by default. This encrypted feature does not support video chat and Skype-owner Microsoft can still access user metadata.

Telegram

Telegram is a cloud-based platform used for messaging across many compatible devices. The app does not have screen-scraping blockers, its default setting does not include end-to-end encryption, and it stores messages on unencrypted servers. Telegram does include a “secret chat” feature that provides end-to-end encryption and enables users to have a message self-destruct on all devices involved. In 2017, Telegram received negative press coverage when it was revealed that ISIS used the app in its recruiting efforts by mass-sharing news and videos through a broadcast feature. In 2018, Telegram was briefly pulled from the Apple App Store due to app users having used it to transmit illegal content -- specifically, child pornography. Additionally, Russia banned the use of Telegram in April 2018, and attempted to block all IP addresses associated with the app.
 
 
Many companies and individuals are migrating to more secure means of communication to safeguard their information. While the highlighted apps are not exhaustive of what is available on the market, they represent some of the newest and most widely used options, with an array of features. It is important to note that each of the above-mentioned apps has been restricted or banned for various reasons in multiple countries. Users should consider the availability of the app in specific countries when developing security and communications protocols.

Selecting an encrypted communications app that meets an organization’s needs is one part of a security improvement process. This process also includes regular and appropriate use and maintenance of these apps, and recurring employee training on proper security practices, as patches to vulnerabilities within existing programs and apps need to be updated and installed periodically. At a minimum, technology companies advise users to download recommended updates regularly and routinely check and update security settings for their devices and apps.
 
 
 
