The Myth of End-to-End Encryption in Messaging Apps
End-to-End Encryption (E2EE) is safe! So say WhatsApp, Telegram, iMessage, and too many others. Every time a user sees this message, they think they’re protected.
You too, as a developer, have learned to trust this kind of brand. But does end-to-end encryption really protect user data or is it just a false sense of security created by brands that we trust? Let's find out.
What is End-to-End Encryption?
End-to-End Encryption is a complicated name for a fairly simple concept. It means that every message stays encrypted all the way from the sender to the receiver, end to end. They are the only ones who can read the messages, so in theory no third party can decrypt them.
"WhatsApp's end-to-end encryption is used when you chat with another person using WhatsApp Messenger. End-to-end encryption ensures only you and the person you're communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient’s and your device has the special key needed to unlock and read them. All of this happens automatically: no need to turn on any special settings to secure your messages." (Source: WhatsApp end-to-end encryption)
To put it another way, the entire message is scrambled so that no one can understand it except the person who has the ‘key’ to unscramble it, and the only device with that ‘key’ is the recipient’s device. This is a technique that was used in the Second World War, but just as Alan Turing was able to decipher the messages of the Axis Powers, WhatsApp can do that. It's even easier: they do not need to decipher your messages, they just have to grab the content out of the cloud. And some third-party software can access your messages freely.
What Is Wrong With Messaging Apps Like WhatsApp?
Their FAQs are clear, as is the fact that they comply with the Protection of Personal Information Act (POPI). According to WhatsApp, once your messages are delivered, they are deleted from its servers. But they just announced they would require data sharing with Facebook. Here comes the first question: if they cannot read your messages, photos, videos and audio, what data do they want to send to Facebook? Contact names? Yet, last time I sent a photo of the Maldives to one of my friends, an advertisement for flights to the Maldives bounced back to me online; one wonders how.
They also say that only the sender and the recipient can access them. Here is the first concrete problem: what if someone gets access to one of the two smartphones? This does not mean stealing the user’s phone, just taking possession of their cloud space or, as the police do, cloning the phone. WhatsApp asks you to save your messages in the cloud monthly, weekly or even daily. You can never be sure.
The Problem with Media Previews
Another big problem of E2EE, with WhatsApp and many other messaging apps, is the intervention of third parties. When your user shares an online news article, for example, your messaging app will fetch the content from a remote server, without asking the user's permission or masking their identity. So this third party has full power over your users' chat data.
The biggest risk exists when a chat app deals with mass distribution (a lot of users) or with users at risk, meaning activists, journalists, or politicians. This third party could be in close contact with an authoritarian government for example. But more simply, they can sell your data to large companies to send targeted advertisements to your users.
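One way to limit that exposure, shown as an added example that is not code from this article or from any messaging app: the preview is built once on the sender's device, only after the user opts in, and travels inside the encrypted message, so the recipient's device never contacts the third-party server. The function names, the payload layout and the sample page are assumptions made for illustration.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

class OpenGraphParser(HTMLParser):
    """Collects <meta property="og:..."> values from a page."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        prop = attrs.get("property") or ""
        if tag == "meta" and prop.startswith("og:") and attrs.get("content"):
            self.meta.setdefault(prop[3:], attrs["content"].strip())

def build_preview(url, html, opted_in):
    """Sender-side preview; returns None when no preview should be made."""
    parts = urlsplit(url)
    if not opted_in or parts.scheme != "https" or not parts.hostname:
        return None
    parser = OpenGraphParser()
    parser.feed(html)
    title = parser.meta.get("title")
    if not title:
        return None
    # Text only: an og:image URL is dropped so the recipient's device is
    # never asked to contact the third-party server.
    return {
        "url": url,
        "site": parts.hostname,
        "title": title[:120],
        "description": parser.meta.get("description", "")[:300],
    }

def message_plaintext(text, preview):
    """Plaintext handed to the E2EE layer; the preview travels inside it."""
    return json.dumps({"text": text, "preview": preview})

# Constructed sample page, standing in for what the sender's device fetched.
SAMPLE_URL = "https://news.example/story"
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Constructed headline">
<meta property="og:description" content="Constructed summary of the story.">
<meta property="og:image" content="https://cdn.news.example/pic.jpg">
</head><body></body></html>"""

print(message_plaintext("Have you seen this?", build_preview(SAMPLE_URL, SAMPLE_HTML, True)))
```

The sender's own request to the site is still visible to that site, which is why the opt-in check comes first.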
Also, less famous apps or in-development apps that use chat can face many issues that lead to poor user data protection. The most important is bad chat design or inappropriate management of the back-end. That can lead to storing messages decrypted, leaving unencrypted backups, or leaving the core data on unprotected devices. This is why we at CometChat take every precaution when it comes to user data protection. Our APIs and services are compliant with all data protection regulations such as GDPR and HIPAA.
The last problem, less important, is hackers. Fortunately, E2EE is quite safe in this area, even if there is always the problem of man-in-the-middle attacks. Someone can steal the recipient's key, passing himself off as one of the two parties, for example. He can then decrypt all the messages and, even worse, send messages on their behalf. This can be solved with strong authentication, so that only users verified in trusted ways can send or receive the key. For E2EE, you also need a good backup plan: encryption key management is crucial when facing security issues.
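One way to implement the authentication step described above, as an added example that is not code from this article or from any particular app: each client pins a contact's public identity key the first time it sees it, refuses to accept a different key silently, and offers a short number that both users can compare over a trusted channel. The function and class names, the digit format and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac


def safety_number(id_a, key_a, id_b, key_b):
    """30 digits that both users compare out of band (in person, by voice)."""
    h = hashlib.sha256()
    # Sort the two parties so each side derives the same number.
    for ident, key in sorted([(id_a.encode(), key_a), (id_b.encode(), key_b)]):
        # Length-prefix every field so field boundaries cannot be shifted.
        h.update(len(ident).to_bytes(2, "big") + ident)
        h.update(len(key).to_bytes(2, "big") + key)
    n = int.from_bytes(h.digest(), "big") % 10**30
    digits = f"{n:030d}"
    return " ".join(digits[i:i + 5] for i in range(0, 30, 5))


class PinnedKeys:
    """Trust-on-first-use store of each contact's identity public key."""

    def __init__(self):
        self._pins = {}

    def check(self, contact, offered_key):
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = offered_key
            return "pinned-unverified"  # first contact: still needs comparing
        if hmac.compare_digest(pinned, offered_key):
            return "match"
        # Never overwrite silently: a swapped key is what a man in the
        # middle looks like. Hold outgoing messages until re-verified.
        return "changed"


# Constructed 32-byte stand-ins for public identity keys.
ALICE_KEY = hashlib.sha256(b"constructed alice key").digest()
BOB_KEY = hashlib.sha256(b"constructed bob key").digest()
MALLORY_KEY = hashlib.sha256(b"constructed attacker key").digest()

if __name__ == "__main__":
    store = PinnedKeys()
    print(store.check("bob", BOB_KEY), store.check("bob", MALLORY_KEY))
    print(safety_number("alice", ALICE_KEY, "bob", BOB_KEY))
```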
How To Ensure Safety?
As we saw above, it’s very important to keep your chats secure. So, here are a few tips on how to keep user conversation data safe on messaging apps. First as a user, then as a developer who’s building their own in-app chat.
As a User - Choose wisely
We, the users, can change things by acting wisely. We don’t have to always use the same apps. Firstly, not all the apps have end-to-end encryption by default. If it’s possible to choose it as an option, do it. If not possible, change apps or accept the risk. If you really care about it, you should also read the TOS, FAQs, and privacy policies. Also, if you share your messages in social networks or groups, you can’t prevent them from being shared or saved by the receiver. You should always keep this in mind. Moreover, some messaging apps have a reputation for being more secure than others. Signal, for example, recently became popular for its data protection practices.
As a Dev - (Learn), Update, Test, Update again
Even before the user, there is you, the developer, who can change things. Especially in small businesses and startups, it's easier to change and move towards improvement. Here are some features or ideas that can help you build your app, and be on the safe side!
Free Your User, Not Their Messages
Not only in E2EE but in general, the more customizations you leave to the user, the more they will feel free to spend time on your app. So the first piece of advice we give you is to leave the user the possibility to customize their chat.
You can also take examples from Telegram's “secret chat” feature, Facebook Messenger's “secret conversations”, or how Signal works in general. Some features you can provide are self-destructing messages and messages saved locally, not in the cloud.
If your PC can access WhatsApp messages, why can't someone else do that if they want to steal your users’ data?
If your messages are saved without special encryption in the cloud, your information is completely vulnerable.
Keep Yourself Informed
Don’t rush into the most popular products and services; always inform yourself before making a decision. All the components of your app are important, from the service managing your entire app to the third parties that interact with it. Providers with an independent but safe and trusted third-party audit are more reliable and trustworthy. Do research before choosing your data storage technology, for example.
pCloud is a good option, with its many security features, such as TLS/SSL channel protection, 256-bit AES encryption for all files, and the possibility to have 5 copies of files on different servers.
Also, hiring someone or learning about security, database and key management is a must when you care about the safety of your users. For example, you need a good backup plan to manage the recovery of your keys in case of a major disaster in your database.
Pay Attention to Documentation
This is a point that people underestimate too much, especially developers. Not just for the legal value, but even more for the reputation you want to build. An important value for all brands is safety and trust, and you can’t build those without good public documentation that’s carefully written.
Remember that End-to-End Encryption is not as safe as it seems. Even if it’s considered to be one of the best encryption systems, it actually has plenty of challenges, as discussed above. As an alternative, we’d recommend using other encryption methods such as Client-Side Encryption or the safer Homomorphic Encryption. Another option is to focus on leaving customization possibilities to the user, keeping yourself and your users informed, and paying attention to documentation. Stay transparent with your users. It’s the best way to build trust.
All this can be very complicated. Our recommendation would be to use a ready-made chat service such as CometChat, so you don’t have to worry about these issues. But it’s still important to stay informed.
About the Author
Hello World, My name is Dev-Lorenzo Satta Chiris 👋🏻 I'm a young man working to be a full stack developer. My goal is to create a programming community for exchanging ideas and foster innovation. Blogger at dev.to, I send a weekly newsletter about programming and productivity tips!