How secure are social media messaging apps?

Did we think that our social media messaging devices are so safe that they cannot be hacked or snooped? If so, then we were silly. We now know that a bug in WhatsApp’s audio call feature allowed hackers to install a commercial spyware of Israeli company NSO Group on Android and iOS phones just by calling the target. 

No doubt, most messaging apps are not easy to crack. In an opinion piece in The Daily Telegraph in July 2017, the then UK Home Secretary Amber Rudd opined that “real people” are not really interested in security features that stop the government and criminals from reading their messages. Her claim has been called “dangerous and misleading” by many critics. However, the idea somehow persists.

This October, US Attorney General William Barr, acting US Homeland Security Secretary Kevin McAleenan, UK Home Secretary Priti Patel and Australia’s minister for home affairs, Peter Dutton, co-signed an open letter to Facebook, urging it to halt its plan to roll out end-to-end encryption across its suite of messaging products. Such demands, however, completely ignore the choices of billions of “real people” who are present and future users of such messaging apps. And, the recent outrage following the episode involving the spyware Pegasus shows that real people do care about their security.

In April 2016, the Facebook-owned messaging service, WhatsApp, rolled out end-to-end encryption across all devices supporting the platforms: “WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp.” This is because all messages are secured with a lock, and only the recipient and sender have the special key needed to unlock and read them. But, that security is certainly not absolute. And Pegasus has also exposed WhatApp’s limitations around its end-to-end encryption. If the spyware is installed, it can access the targeted users’ private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.

Interestingly, “end-to-end” encryption has become a buzzword which is now widely used to emphasise the security of any such product, mostly to make it more attractive to users — so much so that common people tend to believe that the encryption between the two “ends” is simply unbreakable. Is end-to-end encryption a magic bullet for security?

Certainly, some messaging apps encrypt messages between the user and them. However, aren’t most encryptions end-to-end? Still, they are always vulnerable at the two ends, as is clear from the Pegasus episode. In addition, who says that they’re 100 per cent secured in-between? We know the encrypted message is scrambled. But, is it impossible for an interceptor to decode it? Do we think that cryptography systems are based on mathematical problems so complex that they cannot be solved without a key? Certainly not. A classic example was British mathematician Alan Turing’s cracking, during the Second World War, of Enigma, an enciphering machine used by the German armed forces to send messages securely, by changing the cipher system daily.

The security of the encrypted message no doubt depends on the strength of the encryption, and the computing power and efficiency of the interceptor. With more and more powerful computers, and quantum computers around the corner, encrypted messages using standard encryption methods are bound to become increasingly vulnerable. Also, one must keep in mind that the proof of security of the encryption algorithms is often based on several “assumptions”, whose validity is never tested. Overall, an end-to-end encryption maybe sufficiently secured, but its not a panacea. All digital messages in social media can be hacked, even if they are deleted. Almost everything connected to the internet is at risk of cyberattacks.

There are other vulnerabilities; for example, WhatsApp offers the option to back up chats to Google Drive or iCloud, but those back-up copies are not protected by end-to-end encryption.

WhatsApp, with over 1.5 billion users worldwide, including 400 million in India, might be most vulnerable due to its large user base. What about other messaging apps such as Signal, iMessage, GroupMe, Viber, LINE and Telegram? Most of them are also encrypted end-to-end, but complete security is possibly a hypothetical and non-existent state in cryptology. LINE is incredibly popular in East Asia. This writer has seen a 2018 article by two Japanese researchers on breaking the message integrity of an end-to-end encryption scheme of LINE.

Telegram has been widely used by the Hong Kong protestors to organise protests while hiding their identities. A few months ago, a group of Hong Kong engineers observed that a feature in Telegram’s design might have allowed mainland Chinese or Hong Kong authorities to learn the real identities of users. Telegram tried to fix this bug to allow users to disable identity matching by phone number.

Cyber-security is often a game of cat and mouse. In fact, two major directions of research in cryptology are breaking the available security, and devising more efficient security. If “non-breakable” security can at all be devised, that will be the end of cryptology, indeed!

However, security is just a belief. It is better to understand this, and act accordingly. One of my cryptologist friends believes that an app or an encryption is safe as long as it is not hacked or snooped. I disagree. I think that safety is ensured until we know that it has been hacked or snooped.

The quest for devising more secure encryption and stronger security, however, continues.   
The writer is professor of statistics, Indian Statistical Institute, Kolkata 

Business Standard is now on Telegram.
For insightful reports and views on business, markets, politics and other issues, subscribe to our official Telegram channel