In October 2021, Facebook (now Meta), and all its platforms (Instagram, WhatsApp and Messenger) shut down across the globe for up to six hours, leaving billions without a messaging service. While Facebook engineers scrambled to fix the problem, users pivoted to other apps to stay connected. In the wake of the outage, Telegram added 70 million users, according to the platform’s founder Pavel Durov.
While the Facebook outage was due to a routine maintenance error, the event led many to wonder about messaging app breaches and other issues. If someone switched from WhatsApp to Telegram, did they really end up with a more secure app? What makes a messenger app more secure? And what about the risks of using instant messages for business?
These questions matter, since we use messaging apps more and more in day-to-day life. This is especially relevant among international teams where rapid, affordable communication helps people work faster.
Messaging app security comparison
While there’s no consensus, messaging app security comparisons exist. But beware. What one source says is secure, another source might say otherwise.
Meanwhile, cybersecurity researcher Natalie Silvanovich from the Project Zero team at Google found a serious glitch in the Signal app. Using a modified client, she sent a peer-to-peer connect message to a device running Signal. This enabled a voice call to be answered, even though the callee never touched the device.
Silvanovich found similar gaps in Facebook Messenger, Google Duo, JioChat and Mocha. After her report, all these vulnerabilities have since been fixed.
Messaging app with privacy: What do threat actors use?
What about threat actors? What app are they chatting on? Is it secure? Recent research described a burgeoning network of cyber criminals on Telegram, where data leaks have increased in frequency. Some illicit Telegram channels host tens of thousands of subscribers, and the content looks like what one might find on darknet hubs. Still, what attracts threat actors might not be the app’s security, but rather the lack of platform moderation.
Security-wise, Telegram uses its own MTProto encryption protocol, rather than the more widely accepted Transport Layer Security (TLS) protocol. Some cryptographers consider MTProto to be a cryptographic weakness. While any encryption is better than none, the MTProto security requirement building blocks (hash functions, block ciphers, public-key encryption, etc.) are untested.
We dare you to attack us
Telegram isn’t worried about its encryption security, though. In fact, the platform recently held a contest to crack Telegram’s encryption. Despite offering a $30,000 bounty, nobody cracked the platform’s Secret Chats code. Note that the Telegram Secret Chats mode is not on by default, and it doesn’t function in group chat, either. During standard chat and group chat, end-to-end encryption remains inactivated on Telegram.
Up to 740 billion SMS messages per year exposed
What about SMS messages? Are they more secure? Syniverse is a company that routes hundreds of billions of text messages every year for hundreds of carriers, such as Verizon, T-Mobile and AT&T. In May 2021, the company told government regulators that attackers had been breaching its databases for five years. Syniverse processes over 740 billion messages each year for over 300 mobile operators worldwide.
What information did the attackers expose? The company did not say, but SMS text message content may have been targeted.
Big name messenger app security
Google Messages, Apple iMessage and Facebook Messenger (and Meta’s WhatsApp) have also been scrutinized for their application security. Google and Apple turn on encryption by default, as does WhatsApp, but Facebook Messenger does not.
Other criticisms about security surrounding Google and Facebook include the collection of user information. Since they collect user data, they must also secure it. This implies added risk. In addition, Apple uses a closed-source app and backend server code. This calls into question the quality of the code, including the strength of encryption or if vulnerabilities exist.
Get the signal?
Of all the messaging apps out there, Signal appears to be one of the more secure. Yes, it was found to be at risk for eavesdropping attacks as mentioned earlier, but that weakness has reportedly been fixed.
Meanwhile, Signal has many traits to look for in a secure messaging app, such as:
- It’s an open-source project supported by grants and donations. This means there should be no ads, affiliates or hidden tracking.
- End-to-end encryption by default means only the parties involved in the conversation can see the messages. No one else, not even the app owners, can see chat content.
- A self-destructing, disappearing messages feature removes messages forever after a set period of time.
- Minimal user data collection means messages, pictures and files are stored locally on your phone, unlike Google or Facebook apps which harvest information for other business purposes.
Messenger application hygiene
Beyond the intrinsic security of the messenger platform, how your teams interact with the app greatly affects security. For example, phishing campaigns and social engineering attacks have affected third-party messenger apps for years. Attackers simply send a tempting message to targets to get them to click on a link or download an infected file.
While breaching a corporate network from a smartphone app might be difficult, many users also install a desktop version of their messaging app. Any malicious link or download accessed from the desktop app version could open the door to malware.
No perfect messenger app
It’s likely that companies — especially ones with international teams — will continue to use popular messaging apps. While no application is 100% secure, some implement better security measures than others. End-to-end default encryption is one example of good security practice. It also pays to remind teams that online phishing scams are just as dangerous when they target you from your app.
Freelance Technology Writer