App encryption: R U protected?

Calls for the government to share communications surrounding its decision to shut down parliament, some of which were shared on WhatsApp, have put encrypted messaging services in the spotlight again. 

Many people seem to believe their comments will remain private by messaging on apps that offer end-to-end encryption – WhatsApp is the most well-known, but there are other popular ones such as Telegram and Signal.

But, to me, as an investigator, the sense of security these apps engender has always seemed like the emperor’s new clothes.

The end-to-end encryption provided by WhatsApp is very good and strong, my colleagues in cyber security tell me.

So too is the encryption on many similar apps.

However, the fundamental flaw is that the encryption is only end-to-end, so anyone who has access to the handset can read all of the messages as easily as the user can.

If you are arrested, the police will ask you for the passcodes to your phone and may raise it at trial if you do not hand them over.

In some cases, they will seize the phone before you have a chance to lock it.  

The illusion of security from end-to-end encryption at such a moment is laid bare. They can see everything.  

Unencrypted messages, sitting on a handset, are easy prey to less visible actors, too.

Key points

  • Many people use internet messaging services, believing the encryption protects them
  • Law enforcement agencies can force people to open their phone
  • Just throw the phone away if you are really worried

Well-known security flaws have allowed apparently benign apps to monitor messages stored elsewhere on a phone, including inside the so-called encrypted apps.

Then there are the malicious apps, hackers and intelligence services, who share similar techniques to get into phones through software vulnerabilities and back doors.

Once inside, they have the keys to the kingdom and can read everything.

The Financial Times reported this May that malicious code developed by the Israeli company NSO Group could be used to exploit a WhatsApp vulnerability to install surveillance software on to both iPhones and Android phones by calling targets using the app’s phone call function.

There’s a strange anomaly here though, in that deleted messages have become more private rather than less.

Until recently, all deleted messages on phones could be easily recovered.

Now, thanks to security features introduced by both Apple and Android, that ability is profoundly reduced, particularly in the weeks after a software upgrade when the tools need to be updated.

Be warned though: investigators can still see that items were deleted; they often just cannot see what.

So, whether it is on WhatsApp or not, if you send a message you later regret, or think could be a liability, delete it.

But do not delete messages after you have been told not to during an investigation or litigation, because that surely makes it a whole lot worse.

Legal rights

Of course, few of us fear being arrested, or worry too much about criminals or intelligence agencies.