Hey WhatsApp switcher

23rd February 2014 | Comments

Just some lines about the current situation and why switching to alternatives is possibly more reasonless than you might think.

First of all, WhatsApp is not even very secure. Indeed it was dangerously insecure. For a long time, traffic between your phone and the WhatsApp servers wasn't encrypted and everyone on the same network could listen and manipulate all your data. Also your never-shown WhatsApp password was quite easy to guess and therefore anyone could have hacked into your account with just a little research. Later on they switched to using transport encryption, so that at least the traffic between you and their servers was secured. And still you have to fully trust that company and their server infrastructure. There is no way to proof they are secure and WhatsApp had a lot of security flaws in its short history.

Now that Facebook has bought WhatsApp, people seem to get hysteric. Which is for no reason cause those users trusted WhatsApp before and WhatsApp still claims in their privacy notice that they don't collect your messages and delete everything after delivery. So actually, nothing has changed yet. Additionally, I guess WhatsApp has to get your legal approval in case your data gets merged with the Facebook database.

Now we have two common announced alternatives, Threema and Telegram.

Telegram is a free service from two brothers who are also know for founding Russia's largest social network. The protocol itself and the phone clients are open source and also look quite similar to WhatsApp. But for default usage, only traffic between you and the servers is encrypted and you have to trust their servers (which are still closed source), just like in case of WhatsApp. You could use an end-to-end encryption by choosing the quite hidden option of a "Secret Chat", though. Sadly this isn’t well explained within the app. Additionally you should meet personally to conduct that, what you likely don't do at that point deep within the user interface. Also Telegram is criticized for using unusual cryptographic patterns. That doesn't mean that it is insecure, but it is also hard for experts to say that this is likely secure. Instead of providing good explanations and proofs, Telegram initiated some disputable hacker contest which is out of real-life situations. No, just that someone doesn't hack you at that point doesn't mean you are secure. And the reward of $200,000 seems high, but actually might be pretty low if you compare it to selling information about such a strong security hole on the black market.

Threema might look better at a first glance since they claim to always use end-to-end encryption. But all they do is closed source and behaves like a black box. Only the end-to-end encryption could be checked with some guide they provide. This is not enough. The client apps could provide side-channel attacks. What does a secure connection help if the password is badly generated or additionally sent in an insecure way? No proof for that. Also we still have to trust the server for e.g. not fiddling around with our contact list and giving fake contacts a positive verification status. No word on how secure that is implemented either. Some technical blame: Only using Forward Secrecy for the transport encryption is strange, too, since its message is: "Trust our servers.“ Something no secure solution should ever expect from its users.

Also some people think that XMPP with the OTR plugin might fit perfectly for that use case. Nope. We are talking about messengers, including asynchronous communication (your dialogue partner might be offline while you send something), group chats and push notifications for low battery usage. There is no solution using that technology and solving the described points yet. Let alone having a good implementation on multiple mobile platforms.

The problem with security is, there is nothing like "a little secure". There is only security or insecurity on the current knowledge base of attack possibilities. You could restrict security to specific parts, e.g. full encryption between client and client or just client and server. But either it's broken or it's not. And using something in the belief that it is secure while it isn't at all is quite dangerous.

My conclusion it that there is no end-user solution out yet that I could really recommend for mobile phones. Telegram might be one in the future, if they rethink their whole security structure, only use the end-to-end encryption and that with an intuitive user guidance, too. Most importantly: Don't assume that any of those named solutions is more secure than SMS or WhatsApp, even if they try to advertise that.

You might say I'm paranoid, but the point is: In all current solutions you have to trust the service provider just like you already had for WhatsApp. And how to rate trust?

If you switch, do it to score off WhatsApp and its unsympathetic CEO, not because of bogus security.

For a theoretical article about that topic, I recommend reading "How to choose your secure messaging app" by Geoffroy Couprie.

blog comments powered by Disqus