Thinking About What You Need In A Secure Messenger
All the features that determine the security of a messaging app can be confusing and hard to keep track of. Beyond the technical jargon, the most important question is: What do you need out of a messenger? Why are you looking for more security in your communications in the first place?
The goal of this post is not to assess which messenger provides the best “security” features by certain technical standards, but to help you think about precisely the kind of security you need.
Here are some examples of questions to guide you through potential concerns and line them up with certain secure messaging features. These questions are by no means comprehensive, but they can help get you into the mindset of evaluating messengers in terms of your specific needs.
We can’t capture every person’s concerns or every secure messaging feature with a handful questions. Other important issues might include corporate ownership, country-specific considerations, or background information on a company’s security decisions.
The more clearly you understand what you want and need out of a messenger, the easier it will be to navigate the wealth of extensive, conflicting, and sometimes outdated information out there. When recommendations conflict, you can use these kinds of questions to decide what direction is right for you. And when conditions change, they can help you decide whether it’s time to change your strategy and find new secure apps or tools.
This post is part of a series on secure messaging.
Find the full series here.
End-to-end encryption ensures that a message is turned into a secret message by its original sender (the first “end”), and decoded only by its final recipient (the second “end”). This means that no one can “listen in” and eavesdrop on your messages in the middle, including the messaging service provider itself. Somewhat counter-intuitively, just because you have messages in an app on your phone does not mean that the app company itself can see it. This is a core characteristic of good encryption: even the people who design and deploy it cannot themselves break it.
Do not confuse end-to-end encryption with transport-layer encryption (also known as “network encryption”). While end-to-end encryption protects your messages all the way from your device to your recipient’s device, transport-layer encryption only protects them as they travel from your device to the app’s servers and from the app’s servers to your recipient’s device. In the middle, your messaging service provider can see unencrypted copies of your messages—and, in the case of legal requests, has them available to hand over to law enforcement.
One way to think about the difference between end-to-end and transport-layer encryption is the concept of trust. Transport-layer encryption requires you to trust a lot of different parties with the contents of your messages: the app or service you are using, the government of the country where the service is incorporated, the government of the country where its servers sit. However, you shouldn’t have to trust corporations or governments with your messages in order to communicate. With end-to-end encryption, you don’t have to. As a matter of general privacy hygiene, it is generally better to go with services that support end-to-end encryption whenever possible.
If you are concerned that someone in your physical environment—maybe a spouse, teacher, parent, or employer—might try to take your device and read your messages off the screen directly, ephemeral or “disappearing” messages might be an important feature for you. This generally means you are able to set messages to automatically disappear after a certain amount of time, leaving less content on your device for others to see.
It’s important to remember, though, that just because messages disappear on your device doesn’t mean they disappear everywhere. Your recipient could always take a screenshot of the message before it disappears. And if the app doesn’t use end-to-end encryption (see above), the app provider might also have a copy of your message.
(Outside of messenger choice, you can also make your device more physically secure by enabling full-disk encryption with a password.)
Using your phone number as your messenger “username” can be convenient. It’s simple to remember, and makes it easy to find friends using the same service. However, a phone number is often a personally identifying piece of information, and you might not want to give it out to professional contacts, new acquaintances, or other people you don’t necessarily trust.
This can be a concern for women worried about harassment in particular. Activists and others involved in subversive work can also have a problem with this, as it can be dangerous to link the same phone number to both the messenger one uses for activism and the messenger one uses for communicating with friends and family.
Messengers that allow aliases can help. This usually means letting you choose a “username” or identifier that is not your phone number. Some apps also let you create multiple aliases. Even if a messenger requires your phone number to sign up, it may still allow you to use a non-phone number alias as your public-facing username.
Depending on your situation, it’s likely that the last thing you want is to send information unencrypted that you meant to send encrypted. If this is important to you, messengers that encrypt by default or only support encrypted communication are worth looking into.
When a messenger does not encrypt by default and instead offers a special “secret” encrypted mode, users may make mistakes and send unencrypted messages without realizing it. This can also happen because of service issues; when connectivity poses a problem, some apps may provide an unencrypted “fallback” option for messages rather than wait until an encrypted message can be sent.
Are you more worried about the possibility of losing your messages forever, or about someone else being able to read them? The “Puddle Test” reflects the first concern, and the “Hammer Test” reflects the second.
Messaging developers sometimes talk about the “Puddle Test”: If you accidentally dropped your phone in a Puddle and ruined it, would your messages be lost forever? Would you be able to recover them? Conversely, there’s the “Hammer Test”: If you and a contact intentionally took a Hammer to your phones or otherwise tried to delete all your messages, would they really be deleted? Would someone else be able to recover them?
There is a tension between these two potential situations: accidentally losing your messages, and intentionally deleting them. Is it more important to you that your messages be easy to recover if you accidentally lose them, or difficult to recover if you intentionally delete them?
If the hypothetical “Hammer Test” reflects your concerns, you may want to learn about a security property called forward secrecy. If an app is forward-secret, then you could delete all your messages and hand someone else your phone and they would not be able to recover them. Even if they had been surveilling you externally and managed to compromise the encryption keys protecting your messages, they still would not be able to read your past messages.
Cloud backups of your messages can throw a wrench in the “Hammer Test” described above. Backups help you pass the “Puddle Test,” but make it much harder to intentionally "hammer" your old messages out of existence. Apps that backup your messages unencrypted store a plaintext copy of your messages outside your device. An unencrypted copy like this can defeat the purpose of forward secrecy, and can stop your deleted messages from really being deleted. For people who are more worried about the “Puddle Test,” this can be a desirable feature. For others, it can be a serious danger.
Most people can be reasonably sure that the contact they are messaging with is who they think it is. For targeted people in high-risk situations, however, it can be critical to be absolutely certain that no one else is viewing or intercepting your conversation. Therefore, this question is for those most high-risk users.
Apps with contact verification can help you be certain that no one outside the intended recipient(s) are viewing your conversation. This feature lets you confirm your recipient’s unique cryptographic “fingerprint” and thus their identity. Usually this takes the form of an in-real-life check; you might scan QR codes on each other’s phones, or you might call or talk to your friend to make sure that the fingerprint code you have for them matches the one they have for you.
When one of your contacts’ fingerprints changes, that is an indicator that something about their cryptographic identity has changed. Someone else might have tricked your app into accepting their cryptographic keys instead—or it might also just mean that they got a new phone. Apps can deal with this in two ways: key change notifications, which alert you to the change while not interfering with messages, or key change confirmations, which require you to acknowledge the change before any messages are sent. The latter generally offers a higher level of protection for vulnerable users who cannot risk misfired messages.
This post is part of a series on secure messaging.
Find the full series here.