Read on to learn how to protect chats on your phone and understand why encryption alone is not enough.
On the Kaspersky Blog, we have published several comparisons of secure messaging apps with end-to-end encryption, shared recommended settings and described the respective shortcomings of these apps. But what about people who want secure apps but are not exactly tech-savvy? This blog post is for them. It is based on an extensive study, published as a report entitled What is Safe?, carried out by a group of experts from the agencies Tech Policy Press and Convocation Research and Design.
The report contains recommendations for both users and developers. But since not everyone will read all 86 pages of text, we’ve summarized the paper’s key takeaways below.
Object of study
Researchers interviewed user groups in Louisiana, USA, and Delhi, India, to determine the strengths and weaknesses of current messaging apps. The following popular apps were examined:
- Apple iMessage
- Meta Messenger (Facebook)
- Google Messages
- Signal
- Telegram
The study focused on how people respond to the app’s prompts and how they understand the meaning of each feature. Most importantly, respondents were asked about any specific fears they have and how they think secure messaging apps are or could be useful in their lives. Some respondents said they were concerned about the possibility of physical violence, such as domestic violence, in relation to messaging, while others feared persecution by authorities. This had a significant impact on their perception of “safety.”
Key discovery
End-to-end encryption is just one aspect of security. Encrypted messaging won’t solve all the problems a threatened user is having, so you need to think about a strategy against motivated adversaries. Is there a risk of your phone being seized? Are you at risk of being forced to unlock it? Are you worried that someone will try to get your data from the company that owns the app through litigation or a court order? Or infect your phone with spyware? Would it be easier for bad guys to try to extract the data from the person you’re chatting with? For many, the answer to each of the above questions is no, so an encrypted messaging app provides sufficient security on its own. And even if your answer is yes, there’s no reason to give up on encryption and secure messaging: they just need to be one layer of your defenses.
As additional tips, the researchers recommend that vulnerable user groups take several technical measures (more on that below), but most importantly, not carry their phones in places where they could be physically seized or forcibly unlocked. They suggest getting a second phone for these dangerous places.
General tips on secure messaging
The biggest secrets are best revealed face to face. No method of digital communication is completely secure. Therefore, the most risky information – especially if it poses a threat to health or even life – should be discussed in person, not in a chat.
Don't make decisions blindly. Users make conscious efforts to protect their privacy, but they often rely on popular opinion about security—not verified sources. Few read the documents that come with messaging apps: terms of use or government transparency and data sharing reports. Carefully research what your messaging service actually stores and where, and with whom it shares data or has shared it in the past. This information can be found in transparency reports.
Please carefully review your application settings. Understand each setting and enable all the most secure options. Keep in mind that parts of the privacy settings may be scattered throughout the general phone settings (especially for iMessage on iOS and Google Messages on Android) or sections of the app settings (typical of Telegram).
Avoid hybrid modes. Several messaging apps support both encrypted and unencrypted messages. In iMessage and Google Messages, you can send both open texts and encrypted messages in the same chat; however, this is a bad idea, as these types of messages always get confused. Both Messenger and Telegram have separate encrypted and unencrypted chats, with unencrypted mode used by default. The paper recommends using messaging apps that rely on full encryption: Signal or WhatsApp.
The more features, the greater the risk. Extra features such as stories, bots, or links to social media services provide additional channels for surveillance and data leaks. It is best to disable these types of features.
Disable link previews, geolocation sharing, and GIFs. These features are sometimes useful, but they can be used by multiple parties, including linked websites, to track you. Another potential leak channel is finding and sharing GIFs in chats.
Messaging apps that work without a phone number are useful. This includes Telegram, Messenger, and iMessage to some extent, though it will take some effort to configure each of them to use your internal username or email as your identifier during chat. According to the report, WhatsApp and Signal are also planning to add a feature like this.
Use disappearing messages. The more squeamish among us can enable chats to be automatically deleted after a short period of time, such as one minute. Unfortunately, not every messaging app has options like this, and in some, the shortest visibility period is 24 hours. Disappearing messages do little to protect you from screenshots or other ways in which chats can be saved. Automatically deleting messages is useful if you think strangers might be rummaging through your phone soon.
Encrypt chat backups. Standard cloud backups are a frequent leak channel, so it’s imperative that they’re either encrypted (something that needs to be manually enabled in WhatsApp and iMessage), saved locally (e.g. to an SD card if you’re using an Android phone), or turned off entirely. Any local backups should also be encrypted.
Compare encryption keys with the people you chat with. This process is called Contact Key Verification (in iMessage), Security Numbers (in Signal), Security Code (in WhatsApp), and Encryption Key (in Telegram), and it helps ensure that you’re chatting with the right person – using the right device. Encryption keys can be verified for each chat by comparing codes or meeting face-to-face.
Protect yourself from account takeover by enabling two-factor authentication. This feature goes by many names, such as two-step verification, registration PIN, or whatever, but the essence remains the same: logging into the same account on a new device requires an extra verification step.
Train the people you talk to. This is critical for groups that discuss sensitive topics. It requires all members to share and observe the following ethical and safety rules:
- Do not forward messages with confidential information
- Do not take screenshots or copies of information in the chat
- Support a culture of privacy within the group
- Use application settings wisely
SOURCE: Kaspersky Blog