• Forum has been upgraded, all links, images, etc are as they were. Please see Official Announcements for more information

BATTLE OF THE SECURE MESSAGING APPS: HOW SIGNAL BEATS WHATSAPP

Status
Not open for further replies.

tungfa

Well-known member
Foundation Member
Masternode Owner/Operator
BATTLE OF THE SECURE MESSAGING APPS: HOW SIGNAL BEATS WHATSAPP
https://theintercept.com/2016/06/22/battle-of-the-secure-messaging-apps-how-signal-beats-whatsapp/


Micah Lee

June 23 2016, 1:49 a.m.
THIS SPRING, TEXT messages got a lot more private. In April, the world’s most popular messaging service, WhatsApp, announced it would use end-to-end encryption by default for all users, making it virtually impossible for anyone to intercept private WhatsApp conversations, even if they work at Facebook, which owns WhatsApp, or at the world’s most powerful electronic spying agency, the NSA. Then in May, tech giant Google
announced a brand new messaging app called Allo that also supports end-to-end encryption.

Making the news even better from a privacy standpoint is that both WhatsApp and Allo use a widely respected secure-messaging protocol from Open Whisper Systems, the San Francisco-based maker of the messaging app Signal.

To recap, there are now at least three different instant-message services that implement robust encryption: WhatsApp, Signal, and Allo. How is someone who cares about their privacy and security to choose between them?

In this article, I’m going to compare WhatsApp, Signal, and Allo from a privacy perspective.

While all three apps use the same secure-messaging protocol, they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud — and therefore available, in theory at least, to government snoops and wily hackers.

In the end, I’m going to advocate you use Signal whenever you can — which actually may not end up being as often as you would like.

What’s up, WhatsApp?
With
more than 1 billion users, WhatsApp is the world’s most popular messaging app. Which is why it was huge news among encryption advocates when the company a year and a half ago announced a partnership with Open Whisper Systems to integrate the Signal protocol into its product. The rollout was gradual, starting only on the Android version of WhatsApp and only for one-on-one text communication, but by this past April, WhatsApp was able to announce it was using the Signal protocol to encrypt all messages, including multimedia messages and group chats, for all users, including those on iOS, by default.

So if a government demands the content of WhatsApp messages, as in a
recent case in Brazil, WhatsApp can’t hand it over — the messages are encrypted and WhatsApp does not have the key.

But it’s important to keep in mind that, even with the Signal protocol in place, WhatsApp’s servers can still see messages that users send through the service. They can’t see what’s inside the messages, but they can see who is sending a message to whom and when. And according to the
WhatsApp privacy policy, the company reserves the right to record this information, otherwise known as message metadata, and give it to governments:

WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect.

A WhatsApp spokesperson told the Committee to Protect Journalists, “WhatsApp does not maintain transaction logs in the normal course of providing its service.” However, the company makes no promises and could easily record and hand over metadata in response to a government request without violating its own policy.

When you first set up WhatsApp, you’re encouraged, but not required, to share your phone’s contact list with the app. This helps the WhatsApp service connect you with other users quickly and easily. A WhatsApp spokesperson confirmed to me that the company retains contact list data, which means that WhatsApp could also hand over your contact list in response to a government request.

Finally, online backups are a gaping hole in the security of WhatsApp messages. End-to-end encryption only refers to how messages are encrypted when they’re sent over the internet, not while they’re stored on your phone. Once messages are on your phone, they rely on your phone’s built-in encryption to keep them safe (which is why it’s important to use a
strong passcode). If you choose to back up your phone to the cloud — such as to your Google account if you’re an Android user or your iCloud account if you’re an iPhone user — then you’re handing the content of your messages to your backup service provider.

By default, WhatsApp stores its messages in a way that allows them to be backed up to the cloud by iOS or Android. WhatsApp does let you remove your chats from these cloud backups if you go out of your way to do so, which I recommend you do, if you use WhatsApp to discuss anything sensitive.

Allo, World


The first thing to understand about Google’s forthcoming Allo app is that, by default, Google will be able to read all of your Allo messages. If you want end-to-end encryption via the Signal protocol, you need to switch to an “incognito mode” within the app, which will be secure but include fewer features.

It’s 2016. We should be moving toward a future where the conversations we have on our phones are private, but Allo’s lack of default encryption is clinging to the past. Google releasing a new messaging app without default end-to-end encryption is like Tesla announcing a brand new model that only lets you use the airbags when you’ve disabled the entertainment system. As NSA whistleblower Edward Snowden put it, Allo’s defaults are “dangerous” and “unsafe.”

On the other hand, Google is trying something brand new, applying so-called machine learning techniques directly to your conversations. Allo hooks into an artificial intelligence called Google Assistant, which will read all of your messages and offer suggested responses, in your own slang, that it thinks you would likely write yourself. It also brings Google search directly into your conversations — you and your friends could, for example, search for a restaurant, pick one out, and make a reservation without having to leave the app.

Allo’s machine learning features prevent Google from turning on end-to-end encryption for all messages, since Google needs to be able to ingest the content of messages for the machine learning to work, a Google spokesperson told me. The spokesperson also said Google isn’t ready, until Allo is released later this summer, to make any promises about where user data will be stored or for how long.

The technology behind Allo looks very cool, but it’s moving in the wrong direction with regard to privacy. If privacy is important to you, you should use a messaging app that encrypts messages by default instead.

Along with Allo, Google is also releasing a new video calling app called Duo. Unlike Allo, all video calls in Duo will be end-to-end encrypted by default. Google isn’t releasing details — how the encryption works, if it’s possible for users to independently verify that it’s secure, or if metadata of the calls will be retained on Google’s servers — until it’s publicly released.

Allo and Duo will both be covered under
Google’s privacy policy. Unfortunately, this policy doesn’t break out details about specific Google products.

Signal in the Noise
The first thing that sets Signal apart from WhatsApp and Allo is that it is open source. The app’s code is freely available for experts to inspect for flaws or back doors in its security. Another thing that makes Signal unique is its business model: There is none. In stark contrast to Facebook and Google, which make their money selling ads, Open Whisper Systems is entirely supported by grants and donations. With no advertising to target, the company intentionally stores as little user data as possible.

Like WhatsApp, all messages sent over Signal are end-to-end encrypted, and Open Whisper Systems doesn’t have the keys to decrypt them. What about message metadata, your phone’s contact list, and cloud backups?

Signal’s privacy policy is short and concise. Unlike WhatsApp, Signal doesn’t store any message metadata. Cryptographer and Open Whisper Systems founder Moxie Marlinspike told me that the closest piece of information to metadata that the Signal server stores is the last time each user connected to the server, and the precision of this information is reduced to the day, rather than the hour, minute, and second.

Signal users must share their contact list with the app in order to find other users — in WhatsApp, this is optional but recommended. But Signal doesn’t directly send your contact list to the server. Instead, it uses what’s known as a cryptographic hash function to obfuscate phone numbers before sending them to the server. (It also truncates the hashed phone numbers, if we’re being precise about things.) The server responds with the contacts that you have in common and then immediately discards the query, according to Marlinspike.

If you back up your phone to your Google or iCloud account, Signal doesn’t include any of your messages in this backup. WhatsApp’s gaping backup issue simply doesn’t exist with Signal, and there’s no risk of accidentally handing over your private messages to any third-party company.



Of course, this also means there’s no way to back up your Signal data to the cloud — a feature that some users find useful. If you lose your phone and restore a new one from backup, you simply lose all of your chat history. The Android version of Signal lets users locally export and import app data, for example if you’re switching to a new phone but still have your old one, but the iOS version of Signal does not support this.

In short, if a government demands that Open Whisper Systems hand over the content or metadata of a Signal message or a user’s contact list, it has nothing to hand over. And that government will have just as little luck requesting backups of Signal messages from Google or Apple.

From a user privacy perspective, Signal is the clear winner, but it’s not without its downsides.

Compared to WhatsApp’s 1 billion users, Signal’s user base is minuscule. Marlinspike said that they don’t publish statistics about how many users they have, but Android’s Google Play store reports that Signal has been downloaded between 1 and 5 million times. The iPhone App Store does not publish this data.

This means that if you install the Signal app, chances are you’ll have to convince your friends, family, and colleagues to install it as well before you can benefit from Signal’s top-grade privacy protection. If you install WhatsApp, chances are a lot of your contacts are already using it, and you can begin having encrypted conversations with minimal effort.

Signal also has fewer features and gets improved at a slower pace than its corporate competitors. For example, an early version of Signal Desktop has been available since the end of 2015, but it’s only available for Android users — iPhone support has not yet been developed, and it’s unclear when it will be finished. WhatsApp has a desktop version that works regardless of the type of phone you use.

Marlinspike told me that Open Whisper Systems has three full-time staff: two software developers and one person who handles user support and project management. With such incredibly limited resources, it’s surprising that they’ve accomplished as much as they have.
 

Attachments

  • TheIntercept-secureapp-battle.gif
    TheIntercept-secureapp-battle.gif
    878.4 KB · Views: 155
Last edited:
ja I like signal
no desktop app yet - is that correct ?
 
I am reluctant to believe privacy exists yet it is wonderful there is still talk of unicorns, rainbows, and fairy dust.
rc
 
Secure communications on mobile phones is pretty tough. I can share some of my knowledge in this area for fellow Dashers.

First and foremost you need to think about the security of the hardware and its operating system. Absolute 100% security is unachievable. The best you can do, IMO, is not use any GSM/cell radio product, and stick to an older wifi-only device (or better yet, rip out the wifi and go bluetooth-internet only!). Wifi only devices don't come pocket-sized though. All pocket-sized devices nowadays are also phones with closed-source multi-function CPU firmware blobs, which carry an unavoidable privacy risk if you're uber-paranoid.

If you're using the stock software on any iPhone or Android, it does not matter what software and encryption you use, if you're worried about absolute privacy. Authorities can probably listen in and even screen-record both your device and your friend's device, if it was worth their effort.

Much better mobile security would be to put AOSP on your Android phone, do NOT install Google Apps, and only use apps from F-Droid. With that configuration, you can enjoy a pretty high level of text communication security, especially if you use a wifi-only device which does not have a mobile phone radio inside For this setup, I recommend the Conversations app with an anonymous securejabber.me XMPP account connected through Orbot (tor), and select the OMEMO encryption method, which is an improvement over the Snowden-approved OTR from a few years ago. Can't communicate with iPhones though (why would you want to? remember, messaging to someone whose phone has less security than yours means whatever you type will appear on their potentially-compromised screen). The biggest drawback to this setup is lack of voice communication. If you want encrypted voice calling, see my recommendation below.

But for all the name-brand apps to work you need to install OpenGapps (Play Store, Gmail, Google account, etc), which lowers your security level immensely (google apps has low-level access to your OS and can auto-update itself). Still better than using stock rom, though!

If you've got the Play Store installed or are using an iPhone, I recommend Wire. It's at least as secure as Signal (formerly RedPhone), and offers way more features, namely video chat, multi-person conferencing, file and picture sharing, not to mention superior voice quality, ALL end-to-end encrypted! If you think it seems to good to be true you can read up on Wire and let me know. It seems it was started by a former Skype guy who is a privacy advocate.

But regardless whether you use Signal or Wire, you can't use any encrypted voice chat app without installing the play store (for google cloud messaging PUSH functionality, I believe). So don't expect to be ultra private government resistant if you're connected to Google.

So in conclusion,

For best security, use a wifi-only android device flashed with AOSP and use a text communications app and OTR or better yet OMEMO encryption. No voice; rip the microphone and camera out!

Encrypted voice over IP apps all require Google Apps to be installed, or are VERY difficult to set up and use (try setting up your own anonymous Mumble server and teaching all your friends to use it--over tor! not fun at all)

If you want convenient voice calls with the rest of the world (stock androids and iphones) but still want to maintain a somewhat high level of security, you might as well try Wire, which is the most feature-rich and user-friendly encrypted communications app at the moment, and communicates between iphones and Androids very well with higher sound quality (better than Signal, IMO).
 
Last edited:
Signal is fine if...you have people using Signal and frankly most of us know this problem is acute: most people simply have no interest in using privacy apps.

Best to just stick with Pidgin OTR and chuck your privacy friends on your buddy list.
 
When someone says; do you have WhatsApp? I say; no, but I have Signal.
That is the end of my communication with that person...oh well.
Pretty much all my family uses Signal now as I refused to use WhatsCrap.
There is a desktop program, but from what I remember it only does instant messaging and not encrypted voice.
 
But even Signal is not the best one these days. Blockchain based messengers become more and more popular as they don't have access to any of your data and they don't store anything on a server. The connection is end-to-end encrypted and even developers don't have an access to your correspondence.
 
What about Telegram?
Does this messenger not so good as Signal?
I thought it's the most secured one.
It's totally NOT secured! And you can't compare them. There are messengers even better than Signal is.
And I don't know what is worse than Telegram.. Maybe Skype only.
 
What is the problem to get yourself a new messenger unknown to anyone, of which there are now a great multiplicity? Now all and sundry do them.
 
And Viber.
But look, we are talking about new messengers that are produced in the few past years.
There are some good ones, you know.
Don't be so skeptic.
I am sure you didn't even tried half of them.
I'm watching after new messengers and check some of them that seem the most interesting and suitable for me.
It's just hard to choose the best one as there are plenty of them and mostly offer nothing really interesting.
 
Have you tried Dust?
For me it's good one.
Do you think it doesn't have enough functions?
I've tried it but I don't like the point that it automatically erases all the data in 24 hours.
As I need to have some business chats there I need some of them to be stored on my phone at least as there's very important information which I can't lose.
 
So then try something like Signal.
I am sure there are lots of messengers which suit your needs.
Signal is the same as Telegram is from the point of view of privacy. It's not much better really as it also collects all the data and has an access to users' correspondence...
 
Why does anyone even now compete with the Signal to be safe? This is now the best app for private correspondence.
 
Status
Not open for further replies.
Back
Top