Your End-to-End Encrypted Messages Are Not As Secure As You Think.

In early May, the Texas Attorney General’s Office filed a lawsuit against Meta for deceiving users about the level of security provided by WhatsApp’s end-to-end encryption.

Meanwhile, Apple and Google have announced that text messaging between Android and iOS users will support end-to-end encryption. That protection only applies when both phones are messaging over RCS; traditional SMS and MMS remain unencrypted. And in apps like Telegram, end-to-end encryption isn't on by default: you have to start a "secret chat" each time you want a conversation to be truly end-to-end encrypted.

My point: E2EE is used as a blanket term for the secure-messaging features of many different applications, but each app uses different protocols and, more importantly, different defaults, so the level of protection is rarely the same. You shouldn't assume that all your messages are safe from interception just because your messaging application supports E2EE.


In fact, there are other security features you can optionally enable if you want to have true peace of mind when exchanging sensitive information via text messages. Understanding all of this can be tricky, so here’s my simplified explanation of how this encryption works across different devices and apps, what it protects, and what it doesn’t.

How does end-to-end encryption (E2EE) work?

End-to-end encryption (or E2EE) works by encrypting your messages and data before they leave your device, so that only the intended recipient, whose device holds the matching decryption key, can read them.

At its core, end-to-end encryption (E2EE) prevents anyone who might try to intercept your messages, including employees of the company that owns your messaging app, from accessing the content of your messages. Although the messaging app’s owners see that the message has been sent, they cannot read it because they lack the decryption key needed to decrypt it.

This is a good security measure for exchanging sensitive information, such as financial or medical data, that shouldn't be publicly available. However, it's not completely foolproof. End-to-end encryption only protects the content of the message itself. It doesn't hide the associated metadata: who is talking to whom, when each message was sent, how large it was, and the IP addresses the devices connected from, which give away approximate location.
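The exchange described above, written out as an added example (this is illustrative code, not the article's or any messaging app's): two users agree on a key, one encrypts a message, and an untrusted relay server forwards it while logging everything it is able to see. The key agreement is X25519 from RFC 7748 written in pure Python so the block needs only the standard library; the symmetric layer is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a stand-in for the AEAD (such as AES-GCM) a real app would use. The `Relay` class, the user names and the sample message are assumptions made for this example.

```python
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def _cswap(swap, a, b):
    # Swap a and b when swap == 1, leave them alone when swap == 0.
    d = swap * (a - b)
    return a - d, b + d

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Curve25519 scalar multiplication, Montgomery ladder from RFC 7748 section 5."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64      # clamp the private scalar
    k = int.from_bytes(k, "little")
    u = bytearray(u_bytes)
    u[31] &= 127                                # drop the unused top bit of u
    x1 = int.from_bytes(u, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    sk = os.urandom(32)
    return sk, x25519(sk, BASEPOINT)

def _keys(shared: bytes):
    # Derive separate encryption and MAC keys from the raw DH output.
    return (hashlib.sha256(b"enc" + shared).digest(),
            hashlib.sha256(b"mac" + shared).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real AEAD).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(shared: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _keys(shared)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(shared: bytes, blob: bytes) -> bytes:
    enc, mac = _keys(shared)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: envelope was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

class Relay:
    """The app's server: holds public keys, forwards envelopes, logs what it can see."""
    def __init__(self):
        self.directory, self.log = {}, []

    def register(self, user: str, pub: bytes):
        self.directory[user] = pub

    def send(self, sender: str, recipient: str, blob: bytes, ts: str) -> bytes:
        # The content is opaque to the relay; sender, recipient, time and size are not.
        self.log.append({"from": sender, "to": recipient, "ts": ts, "size": len(blob)})
        return blob

def demo():
    """Alice sends Bob one message; returns what Bob reads and what the relay recorded."""
    relay = Relay()
    a_sk, a_pk = keypair()
    b_sk, b_pk = keypair()
    relay.register("alice", a_pk)
    relay.register("bob", b_pk)
    msg = b"lab results attached"          # constructed sample message
    blob = seal(x25519(a_sk, relay.directory["bob"]), msg)
    blob = relay.send("alice", "bob", blob, "2024-05-03T09:14Z")
    plaintext = unseal(x25519(b_sk, relay.directory["alice"]), blob)
    return plaintext, relay.log[0]
```

Calling `demo()` returns the decrypted message on Bob's side together with the relay's log entry, which contains exactly the metadata the paragraph above lists and nothing of the content. Note that Alice trusts the relay to hand her Bob's genuine public key; a server that substituted its own key could read the traffic, which is what the security-code comparison discussed later in this article exists to catch.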

Furthermore, messaging apps have other exposure points that end-to-end encryption doesn't cover, such as backups. The end-to-end guarantee covers the message on its way from your device to the recipient's; a copy written to a cloud backup is a separate file with its own protection. Unless you turn on encrypted backups, a WhatsApp history uploaded to Google Drive or iCloud is stored under keys that Google or Apple hold, so the provider, and anyone who can compel it, can read that copy. The weak spot is the stored backup, not a brief window during upload: the transfer itself runs over an encrypted connection.

The implementation of end-to-end encryption (E2EE) also varies depending on the messaging app. Signal encrypts everything by default and keeps almost no metadata. WhatsApp applies end-to-end encryption to all messages by default (it uses the Signal protocol) but only encrypts your backups if you opt in. Telegram requires you to start a secret chat each time you want end-to-end encryption, and offers none at all for groups.

End-to-end encryption (E2EE) does not always work the same way.

The term “encrypted” can mean many things. Depending on the architecture of your messenger, the security features associated with it, and the quality of the encryption used, your level of security can vary greatly.

WhatsApp encrypts messages, but backups only if you turn it on.

I've already mentioned that WhatsApp doesn't end-to-end encrypt your cloud backups by default. The problem isn't a window during upload; the upload itself is protected by transport encryption. The problem is the copy at rest: the backup lands in your own Google Drive or iCloud account, where it is protected by keys Google or Apple hold rather than by your chat keys, so either provider can read it or hand it over in response to a legal request. Meta does not receive the backup, and there is no evidence that it reads your chats during the backup process; the exposure is to the cloud provider, not to WhatsApp.

Encryption in Telegram is enabled only at the user’s discretion.

When the Texas government sued Meta over WhatsApp’s encryption, Telegram pointedly positioned itself as a more secure alternative offering stronger encryption. But that’s only part of the truth.

In reality, Telegram's regular chats (which it calls cloud chats) are encrypted between your device and Telegram's servers and again at rest, but Telegram holds the keys and can decrypt your correspondence. The exception is "Secret Chats", which are truly end-to-end encrypted, device to device, so Telegram cannot read them. Secret chats are one-on-one only: group chats and channels in Telegram have no end-to-end encryption at all.


iMessage has a blind spot in iCloud backup.

When exchanging messages between iPhones, iMessage conversations are end-to-end encrypted by default, but with standard iCloud Backup turned on, your backup includes a copy of the key that protects Messages in iCloud. That means Apple can decrypt your message history (and produce it in response to a legal request) unless you turn on the optional "Advanced Data Protection" feature in your iCloud settings.

Signal is your best choice for strong encryption.

Of all the messaging apps reviewed so far, Signal has the strongest implementation of end-to-end encryption (E2EE): message content, sender identity, and group chats are all encrypted by default, and the local message database is encrypted on the device. This was demonstrated publicly when Signal received subpoenas and had virtually nothing to hand over beyond an account's creation date and the time it last connected.

However, there is a drawback: Signal only works if the person you're communicating with also has it installed, and since it is far less popular than WhatsApp or Telegram, they often won't.

What is not protected by end-to-end encryption?

Regardless of the messenger you use, there are certain types of information that are not covered by end-to-end encryption, at least by default.

First, metadata. This is all the recorded information about who you message, how often, at what times, and on what dates. Even without the actual content of your messages, these details are often enough to reveal your relationships, job searches, doctor appointments, and so on. Signal is an exception: it keeps virtually no server logs and encrypts sender identities, contact lists, profile information, and group names so that its own servers can't read them. None of the other apps I mentioned offer the same level of privacy.

Then there's your device. End-to-end encryption (E2EE) doesn't protect you from spyware, keyloggers, or other malware installed on your phone or workstation. Encryption protects the message in transit; once your app decrypts it for display, anything running with enough privilege on the device can read it. Pegasus has repeatedly used exploits that compromise the phone itself and then lift messages after the messaging app has decrypted them, without ever having to break the encryption.

Finally, group chats deserve their own warning. Not every app extends end-to-end encryption to groups: Telegram's groups and channels have none, while WhatsApp, Signal and iMessage do encrypt group chats. Even where groups are encrypted, every participant's device is another place the plaintext exists, so a single compromised phone in the group exposes the whole conversation, and a careless or malicious member can simply forward or screenshot it.

Increase your privacy in your messenger.

While many of these are disabled by default, WhatsApp, Telegram, and other messaging apps have begun to implement advanced security features that can be enabled for additional encryption and privacy protection.

  • Encrypted backups ensure that your stored message history can't be read by your cloud provider, the gap that affects both WhatsApp and iMessage by default. In WhatsApp, go to Settings > Chats > Chat backup > End-to-end encrypted backup and turn it on; you'll be asked to choose a password or to save a 64-digit encryption key, and without one of those the backup can't be restored, not even by WhatsApp. The backup file still sits in Google Drive or iCloud, but it's now just ciphertext to the provider. If you use iMessage, enable Advanced Data Protection for iCloud (Settings > your name > iCloud > Advanced Data Protection); it extends end-to-end encryption to iCloud backups and Messages in iCloud, and it likewise requires setting up a recovery key or recovery contact, because Apple will no longer be able to recover the data for you.

  • If you need the strongest privacy, use Signal. Of the apps discussed here, it's the only one that combines end-to-end encryption of everything with virtually no metadata retention and no storage of identifying information. Not everyone uses it, but for private messaging it's worth it.

  • Disappearing messages reduce what a future device compromise, seizure, or stolen backup can recover, by deleting chat history on both devices after a set period. They won't protect you from someone reading messages in real time, but they limit how much history is at risk.

  • WhatsApp, Signal, and iMessage let you verify that you're really talking to the person you think you are. In WhatsApp and Signal, each one-on-one chat has its own 60-digit code (WhatsApp calls it a security code, Signal a safety number), shown as digits and as a QR code; iMessage offers the same idea under the name Contact Key Verification. The code is derived from both participants' long-term identity keys, so if the server or an attacker in the middle had substituted its own key, the code you see would not match the one your contact sees. Compare it in person or over another channel, and recheck it when the app warns you it has changed: that happens when your contact switches phones or reinstalls the app, which is normal, but it is also exactly what a key substitution would look like.

