Defeating Encryption: Are popular messaging apps REALLY that secure?

Texting has become a large part of all our lives – in fact, texting is the most prevalent form of communication for under 50’s. We trust in the security of these applications with handling our sensitive chats, personal details, and all kinds of private communications – often without giving it any thought.

Problems with Implementation

WhatsApp suffered a significant security breach in 2019. This breach would have allowed a hacker to access all content on a users phone.

The app itself uses end-to-end encryption, which means the phone and the WhatsApp server have public and private encryption keys. The public key is used to encrypt messages, and the private key is used to decrypt messages.

Only the public key is sent out – so other people (in this case, the WhatsApp servers) can encrypt messages using the public key, but nobody can decrypt them unless they have the private key. The private key never leaves your phone.

This is the same technology used by the vast majority of messaging apps – and it’s advertised as their main security feature – and people feel comfortable with it. There’s more to keeping information safe than simply encryption, though – and this breach is a prime example of that.

Government Surveillance

Key disclosure law is an important aspect of keeping your messages secure. In the UK, we have the Regulation of Investigatory Powers Act 2000. This denotes, among other things…

Enables mass surveillance of communications in transit.
Enables certain public bodies to demand that ISPs fit equipment to facilitate surveillance.
Enable certain public bodies to demand that someone hand over keys to protected information.
Allows certain public bodies to monitor people’s Internet activities.
Prevents the existence of interception warrants and any data collected with them from being revealed in court.

This is not just limited to the UK – government surveillance is epidemic worldwide.

Insecure default settings

In China, police arrested a Telegram group administrator on suspicion of intent to cause public nuisance. Like the US, China has law which doesn’t allow someone to incriminate theirselves, and so they cannot be forced legally to reveal encryption keys.

However, the end-to-end encryption on Telegram is not enabled by default, and even if it were, authorities are able to force detainees to unlock their handsets using facial recognition or fingerprints. This is a feature commonly used on the majority of modern phones.

Social Engineering

Another vulnerability which exists in all kinds of online communication is phishing. It’s easy to get personal information about someone by posing as someone else. For example, a government agency may pose as an individual associated with a movement, and infiltrate their ranks – obtaining information vital to their investigation.

Or, someone could make a fake account posing as an acquaintance, and obtain your personal information via this avenue.

We offer simulated phishing attacks for your organisation to test training against these kinds of attacks. We also offer free educational materials and phishing courses.

State Sponsored Attacks

State actors are commonly being accused of making cyberattacks against organisations and individuals. Perhaps the most infamous example, In 2017, the Russian government was accused of mitigating Ransomware in Ukraine [PayWall Content]. In fact, recently, cyberattacks against banks reported to be “state-sponsored” have been on the rise[2].

Telegram accuses the Chinese government of DDOSing (flooding a server with requests so it is inaccessible) their servers in relation to the previously mentioned protests[3].

Conclusion

The events and ideas in this article are just a small snippet of reality. It shows how important it is for a business to keep a strong understanding of the extent of state intervention and legislations in place with regards to the territories said business operates in. Businesses need to do this in order to protect their private and commercial data, and to meet contractual requirements.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	16 years 3 months 23 days 8 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.