{"id":6806,"date":"2014-11-20T10:28:42","date_gmt":"2014-11-20T15:28:42","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=6806"},"modified":"2020-02-27T03:51:15","modified_gmt":"2020-02-26T16:51:15","slug":"11_unsecure_messengers","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/11_unsecure_messengers\/6806\/","title":{"rendered":"11 Unsecure Mobile and Internet Messaging Apps"},"content":{"rendered":"<p>Last week we took a look at <a href=\"https:\/\/www.eff.org\/secure-messaging-scorecard\" target=\"_blank\" rel=\"noopener nofollow\">the Electronic Frontier Foundation\u2019s secure messaging scorecard<\/a> and made <a href=\"https:\/\/www.kaspersky.com.au\/blog\/nine-secure-messengers\/\" target=\"_blank\" rel=\"noopener\">a list of nine mobile and Internet messaging services that scored well on privacy and security<\/a>. This week we\u2019ll take a look at the services that scored poorly.<\/p>\n<p>Interestingly, if last week\u2019s list of messengers that put security and privacy first seemed obscure, then this week\u2019s list of apps and services that are sleeping on security will, unfortunately, seem all too familiar. For that reason, we\u2019ll focus primarily on the most popular messengers, though we\u2019ll also note the poor-scoring, less popular ones as well.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>11 mobile and Internet messaging services offering weak #security and #privacy controls<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2Fh7dp&amp;text=11+mobile+and+Internet+messaging+services+offering+weak+%23security+and+%23privacy+controls\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<h3>Context<\/h3>\n<p>The EFF issued high or low grades to each service for seven categories. For our purposes, service providers earned failing grades when they only received zero, one or two \u2018yeses\u2019 in the following categories:<\/p>\n<ol>\n<li>Is data encrypted in transit?<\/li>\n<li>Is data encrypted so that even the service provider can\u2019t read it?<\/li>\n<li>Can you identify the true identity of contacts?<\/li>\n<li>Does the provider practice what is known as perfect forward secrecy, meaning crypto-keys are ephemeral so a stolen key won\u2019t decrypt existing communications?<\/li>\n<li>Is the service\u2019s code open-source and available for public review?<\/li>\n<li>Are cryptographic implementation procedures and processes documented?<\/li>\n<li>Has there been an independent security audit in the last 12 months?<\/li>\n<\/ol>\n<p>The seven points are designed to measure which services offer the best (or worst) protection against government surveillance, criminal snooping and corporate data collection. That said, neither the EFF nor Kaspersky Daily are officially denouncing or endorsing any of the programs discussed. The list merely indicates which applications are consistently not following best practices.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">9 mobile and Internet messaging services offering strong <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#security<\/a> and <a href=\"https:\/\/twitter.com\/hashtag\/privacy?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#privacy<\/a> controls <a href=\"https:\/\/t.co\/30xBpa0kSb\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/30xBpa0kSb<\/a> <a href=\"http:\/\/t.co\/GWm1XtGFs3\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/GWm1XtGFs3<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/533667115019296771?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 15, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h3>The Really Bad: Zero Checkmarks<\/h3>\n<p>Only the Mxit and QQ mobile messengers received zero checks, but there\u2019s a decent chance that you\u2019ve never used either anyway. Given all seven categories, the fact that Mxit and QQ aren\u2019t encrypting data in transit is why we are recommending that you do not use either of them, because your communications on both apps can be viewed in plain text as they travel from sender to recipient.<\/p>\n<h3>The Still Pretty Bad: One Checkmark<\/h3>\n<p>Unfortunately, there are four messaging services that nearly all of us have used that received just one out of seven checks.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042123\/Yahoo-Messenger-logo.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6808\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042123\/Yahoo-Messenger-logo.jpg\" alt=\"Yahoo-Messenger-logo\" width=\"200\" height=\"118\"><\/a>A longtime encryption laggard, Yahoo\u2019s messenger service only encrypts user communications in transit. This means that Yahoo (the company) can read your messages or hand them over to law enforcement if they choose to do so. To be fair, they do issue <a href=\"https:\/\/threatpost.com\/government-requests-for-yahoo-data-down-slightly\/108580\" target=\"_blank\" rel=\"noopener nofollow\">biannual transparency reports<\/a> detailing how much information they grant upon government request.<\/p>\n<p>You also cannot verify the identities of your contacts with Yahoo! Messenger. It doesn\u2019t practice perfect forward secrecy, open its code to independent review nor document its security design properly. Finally, the company has not performed a recent code audit. However, <a href=\"https:\/\/www.kaspersky.com.au\/blog\/yahoo_end_to_end_encryption\/\" target=\"_blank\" rel=\"noopener\">Yahoo\u2019s broader Web offerings have come a long way<\/a> from where they were two years ago in terms of encryption, so there may be hope yet for its messenger as well.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042122\/skype-logo.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6809\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042122\/skype-logo-300x177.jpg\" alt=\"skype-logo\" width=\"200\" height=\"118\"><\/a>Microsoft\u2019s as close as-it-gets-to-ubiquitous Internet calling and messaging service, Skype, scored just as poorly as Yahoo! Messenger, receiving only one (and the same) checkmark for encrypting data in transit. It did not receive a second passing mark across any of the subsequent categories. Skype has had a bit of a sordid record in terms of communications integrity and surveillance accusations, namely that the service has taken fire from critics for<a href=\"https:\/\/www.kaspersky.com.au\/blog\/skype-government-surveillance\/\" target=\"_blank\" rel=\"noopener\"> its alleged susceptibility to snooping<\/a>. Microsoft has denied these claims.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042121\/Blackberry-Messenger-Logo.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6810\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042121\/Blackberry-Messenger-Logo-300x176.jpg\" alt=\"Blackberry-Messenger-Logo\" width=\"200\" height=\"118\"><\/a>BlackBerry Messenger received the exact same score as both Yahoo! Messenger and Skype. The service run by the company formerly known as Research In Motion \u2013 or RIM \u2013 does encrypt communications in transit, which is good. But, it does not encrypt communications so that the provider (BlackBerry) can\u2019t read them, allow users to verify contacts, protect past communications in the event that your keys are stolen, open its code to independent review, properly document security design, nor has it allowed a code audit in the last year.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042120\/AIM-Logo.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6812\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042120\/AIM-Logo.jpg\" alt=\"AIM-Logo\" width=\"200\" height=\"118\"><\/a>AIM, perhaps better known as America Online\u2019s Instant Messenger, has been around for a long time. It\u2019s safe to say that from the late 90\u2019s through the mid-2000\u2019s, AOL\u2019s Instant Messenger was peerless. While its popularity isn\u2019t what it used to be, particularly among the kids, it is still widely used. Unfortunately, like those mentioned above and below, it encrypts data in transit but doesn\u2019t do a whole lot more.<\/p>\n<p>For what it\u2019s worth, the cross platform Secret Message app touts itself as secure and the Hushmail email client calls itself private while each only encrypts data in transit. The Kik and eBuddy XMS platforms don\u2019t outright advertise their security postures, but they both received the same checkmark as everyone else in this category.<\/p>\n<h3>The Better but Still not Good: Two Checkmarks<\/h3>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042118\/SnapchatLogo.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6815\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042118\/SnapchatLogo-300x176.jpg\" alt=\"SnapchatLogo\" width=\"200\" height=\"118\"><\/a>The popular ephemeral image- and video-sharing application, SnapChat, comes in with two checkmarks. One is for encrypting data in transit as it passes from the sender, through SnapChat\u2019s servers, to the recipient. The second check is for having performed an audit in the previous year. Like many of the services on this list, SnapChat has been the subject of much criticism, not so much for lacking security, but <a href=\"https:\/\/www.kaspersky.com.au\/blog\/again-snapchats-are-not-fleeting\/\" target=\"_blank\" rel=\"noopener\">for failing to follow through on its central premise<\/a>.<\/p>\n<p>The core idea behind SnapChat is that messages, photos or videos appear for an amount of time, determined by the sender, before disappearing forever. However, the recipient can save images by taking screen grabs, though the sender would be notified. Even more troubling, an application called SnapHack circumvents SnapChat\u2019s ephemerality altogether, by allowing recipients to simply save \u2018snaps\u2019 (that\u2019s what they\u2019re called). Lastly, <a href=\"https:\/\/www.kaspersky.com.au\/blog\/snapchat-deletion\/\" target=\"_blank\" rel=\"noopener\">researchers have repeatedly claimed that the images never really go away<\/a>, but merely become harder to find.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042117\/Hangouts_Icon.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6817\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042117\/Hangouts_Icon-300x176.jpg\" alt=\"Hangouts_Icon\" width=\"200\" height=\"118\"><\/a>Likely in the top three in terms of popularity for apps on the EFF\u2019s scorecard, <a href=\"https:\/\/www.kaspersky.com.au\/blog\/google-privacy-hangouts\/\" target=\"_blank\" rel=\"noopener\">Google\u2019s Hangouts<\/a> received two checkmarks. Hangouts is cross-platform. It\u2019s not only the built-in Gmail chat client, but it\u2019s also the native chat client for Google Plus as well as for Android devices. Google encrypts data in transit for Hangouts and has had an audit in the last year. But, it can read your messages, users can\u2019t verify contacts\u2019 true identities, it doesn\u2019t deploy perfect forward secrecy, its code is not open to independent review and its security design is not properly documented.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042115\/FacebookMessenger.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6818\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042115\/FacebookMessenger-300x176.jpg\" alt=\"FacebookMessenger\" width=\"200\" height=\"118\"><\/a>Facebook\u2019s Chat, which is the mobile variety of the Facebook messaging service, gets two checkmarks as well. As popular as any service on the scorecard, Facebook Chat encrypts data in transit and has been audited, but fails across the other categories.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042112\/viber-logo.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6828\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042112\/viber-logo.png\" alt=\"viber-logo\" width=\"246\" height=\"118\"><\/a><\/p>\n<p>Viber is surely the least popular service among the two-checks category. While it\u2019s apparently known as a private messenger, it only gets checks for encrypting in transit and carrying out an audit.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042114\/WhatsApp-Logo.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-6819\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06042114\/WhatsApp-Logo-300x176.jpg\" alt=\"WhatsApp-Logo\" width=\"200\" height=\"118\"><\/a>This brings us to the increasingly curious case of WhatsApp. WhatsApp is a very popular mobile text messaging service. WhatsApp is so promising that the social media goliath, Facebook, spent a cool <a href=\"http:\/\/www.forbes.com\/sites\/parmyolson\/2014\/10\/06\/facebook-closes-19-billion-whatsapp-deal\/\" target=\"_blank\" rel=\"noopener nofollow\">$19 billion acquiring it earlier this year<\/a>. It\u2019s a sort of data alternative to the SMS texting protocol (as in: it works over the Internet rather than over the cellular network itself). While the EFF gave the service the same two checks that it gave to everyone else in the category, I suspect that could change.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/WhatsApp?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#WhatsApp<\/a> adds <a href=\"https:\/\/twitter.com\/hashtag\/encryption?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#encryption<\/a> by default to <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a> app. Other OS to follow: <a href=\"https:\/\/t.co\/VxoCSGeh9V\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/VxoCSGeh9V<\/a> <a href=\"http:\/\/t.co\/9lFMEJ6OCi\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/9lFMEJ6OCi<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/535043350693289984?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 19, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The reason for that change is that just this week, WhatsApp partnered with Open Whisper Systems, adding default encryption to its Android app. As a point of reference for why we think things could change for WhatsApp given this partnership, Whisper Systems\u2019 Signal, RedPhone, SilentText and SilentPhone offerings passed on all seven checks on the EFF\u2019s score card. In other words, it appears that WhatsApp will become considerably more secure in the coming days and months.<\/p>\n<p>At the moment though, the crypto is only implemented on Android devices for one-on-one communications. So iPhone users will have to wait and group message chains are not as secure yet. However, WhisperSystems says they are working on both of those problems right now.<\/p>\n<p>The bottom line with the WhatsApp crypto announcement is this: WhatsApp is among the most popular and valuable pure messaging services around. That they are starting to take <a href=\"kas.pr\/Vj2M\" target=\"_blank\" rel=\"noopener\">security and privacy very seriously<\/a> is great news, and hopefully WhatsApp\u2019s competitors will soon follow WhatsApp\u2019s lead.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Electronic Frontier Foundation recently graded a slew of mobile and Internet messaging services based on security and privacy. Here we list the low scorers.<\/p>\n","protected":false},"author":42,"featured_media":6807,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[1243,218,43,873,97,715,768],"class_list":{"0":"post-6806","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tips","8":"tag-cybersavvy","9":"tag-mobile-security","10":"tag-privacy","11":"tag-secure-messaging","12":"tag-security-2","13":"tag-spying","14":"tag-surveillance"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/11_unsecure_messengers\/6806\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/11_unsecure_messengers\/4384\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/11_unsecure_messengers\/4312\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/11_unsecure_messengers\/4850\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/11_unsecure_messengers\/6806\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/11_unsecure_messengers\/5569\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/11_unsecure_messengers\/6806\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/cybersavvy\/","name":"cybersavvy"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/6806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=6806"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/6806\/revisions"}],"predecessor-version":[{"id":26574,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/6806\/revisions\/26574"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/6807"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=6806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=6806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=6806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}