Recent legal proceedings involving President Trump's former lawyer Michael Cohen and former campaign chairman Paul Manafort referenced messages that were thought to have been secure and private. Both men used apps claiming to be encrypted such as WhatsApp (iOS, Android), Signal (iOS, Android), and Telegram (iOS, Android). It's not confirmed that the app's protections were broken, or if authorities merely gained access to the men's devices. But if the encryptions were compromised, it could be a big deal for everyone else using the apps.
Cohen and Manafort data
Two Blackberry devices were seized from Cohen on April 9, one device contained about 315 MB of data, the other has yet to be cracked. Authorities also pieced back together a 16-page document that was shredded. More than 700 pages of messages and call logs were collected from the WhatsApp and Signal apps against Cohen.
WhatsApp assured Download.com that their app is secured with end-to-end encryption.
"This ensures only you and the person you're communicating with can read your messages or listen to your calls, and nobody in between, not even WhatsApp," a representative said.
The team also noted that the encryption is always activated and there's no way to turn it off.
The United States District Attorney of Southern New York's June letter to Judge Kimba Wood said the FBI's electronic extractions didn't capture anything "related to encrypted messaging applications, such as WhatsApp and Signal."
Messages the authorities found in Manafort's iCloud account showed that he tried tamper with witnesses in the Mueller investigation.
Apparently backing up messages to the cloud is a common method used by WhatsApp, and what could possibly be its achilles heel in security, according to the Electronic Frontier Foundation. We gave WhatsApp the opportunity to comment on the charge that its backups are insecure, but the company did not respond.
The trouble with backing up messages to the cloud is that users don't need a passphrase to restore them in the future. After installation, WhatsApp will ask how often you'd like to backup your messages (daily, weekly, monthly, or never). EFF advises not to backup messages to the cloud because the provider gains an unencrypted copy.
The viability of secure messaging apps
So, how truly safe are these apps purporting fortress-level protections?
The Telegram Messenger app runs on Android, iOS, Windows, and other platforms. Telegram promises users protection from hackers and heavily encrypted messages with self-destruct features. Their FAQ claims algorithms keep users secure even over poor connections. The data is encrypted with server-client encryption in Cloud Chats and client-client encryption in Secret Chats
Signal does warn users who are nervous about personal security to only use Secret Chat and the self-destruction feature for sensitive conversations. They also said no amount of encryption can protect users against someone finding their unlocked phone and gaining access. In Cohen's case, it's possible the authorities simply found a way to unlock his BlackBerry and then parsed his messages.
The Signal private messenger app claims end-to-end encryption for Android and iOS. The software is also available on Linux, Windows, and Mac. On the app's homepage, several public figures give glowing reviews of the app--including whistleblower Edward Snowden.
"Use anything with Open Whisper Systems," Snowden said on the site. OWS is a software organization that maintains the encrypted communications protocol on Signal.
The SHA factor
Much of the security of an app is determined by the bit length of the secure hash algorithm, or SHA. The newer the version of SHA the more protected your information is. The older the version of SHA is, the more susceptible your information is to a breach. A possible catch to newer versions of SHA are some devices might not be able to handle it.
Most programs have migrated to SHA-2 because SHA-1 suffers from severe cryptographic weakness according to CSO online. SHA-1 was the most frequently used cryptographic signing mechanism until last year. SHA-2 hasn't had any breaches yet.
"A strong cryptographic hash is considered to be as strong as its stated effective bit length minus 1 bit," CSO reported. "Anytime someone can submit provable math that the hash can be broken in less than its effective bit length minus one, the hash is considered weakened. Generally, or at least so far, all generally accepted hashes have become weaker over time, as cryptographic attacks improve the ability to shorten the hash's effective bit length. As the effective bit length is shortened, the hash becomes less protective and less valuable."
SHA-1 was due for replacement by SHA-2 back in 2002, long before it had been deemed broken. It wasn't until early 2017 that SHA-1 was ruled useless and SHA-2 was fully implemented.
Judging from WhatsApp's encryption overview, the app appears to operate on SHA256, or SHA-2. Telegram's security analysis said it still runs some portions of its app on SHA-1 despite knowing the insecurity. Lastly, Signal uses SHA256 (SHA-2).
Why it matters
Encrypted messaging apps have one main feature: privacy. On the surface, yes, they are private and encrypted. But users need to know upfront about what happens when their messages are backed up and the ease at which they can potentially be accessed.
Private messaging apps are often used by investigative journalists to shine light in dark corners and hold leaders accountable. Activist groups often use these apps to plan, mobilize, and discuss demonstrations. The security of the messaging system is vital for people and groups that might be operating in Russia, China, the Middle East, or North Korea, for example, where press freedoms and freedom to assemble aren't always guaranteed.
For some, having their private messages revealed would be embarrassing. For others, it's life and death.
FOLLOW Download.com on Twitter for all the latest app news.
1. President Trump's former lawyer Michael Cohen and former campaign chair Paul Manafort used private messaging apps like WhatsApp, Signal, and Telegram.
2. Evidence leading to both men's guilty charges was compiled through messages collected from the apps, leading to questions about the apps' security and privacy.
3. Some of the apps aren't upfront about how they operate in terms of message backup, which is dangerous for activist groups who use the apps in potentially hostile areas.
- WhatsApp fighting the spread of fake news with new feature
- Report: People are now using WhatsApp three times as much as Facebook
- Security researchers claim some WhatsApp messages and usernames can be faked
- What to look for in a messaging app
- Chummy app is a friendship 'Bat Signal' for developing better than social media
- WhatsApp's new forwarding feature may actually save lives (CNET)
- WhatsApp to cap message forwards in India (ZDNet)
- WhatsApp could be a bad choice for your encrypted business messages (TechRepublic)