A review of 39 of the top messaging apps by the Electronic Frontier Foundation has found that only six are truly secure.
The six – ChatSecure + Orbot, TextSecure, Silent Text, Silent Phone, RedPhone and Cryptocat – meet all seven of the EFF's Secure Messaging Scorecard guidelines. The organization tested each app by asking these questions:
- Is your communication encrypted in transit?
- Is your communication encrypted with a key the provider doesn't have access to?
- Can you independently verify your correspondent's identity?
- Are past communications secure if your keys are stolen?
- Is the code open to independent review?
- Is the crypto design well documented?
- Has there been an independent security audit?
According to a PC Magazine story, the EFF examined many of the popular services, including those offered by Apple, Google, Facebook, BlackBerry, Microsoft and Yahoo!. Of those, Apple came closest to hitting all the criteria, but could not verify contacts' identities or open its code to independent review.
Some of the more popular services – WhatsApp, Snapchat, Skype, Google Hangouts and Facebook Chat – could only meet two criteria, most often encrypting in transit and having code audited; AIM, BlackBerry Messenger and Yahoo! Messenger, meanwhile, could only prove that their data was encrypted in transit.
A couple – QQ and Mxit – didn't meet any of the EFF's criteria.
"Most of the tools that are easy for the general public to use don't rely on security best practices – including end-to-end encryption and open source code," the EFF said in its report. "Messaging tools that are really secure often aren't easy to use; everyday users may have trouble installing the technology, verifying its authenticity, setting up an account, or may accidentally use it in ways that expose their communications."
The EFF is publishing the results in collaboration with Joseph Bonneau at the Princeton Center for Information Technology Policy and Julia Angwin at ProPublica as part of a "campaign for secure and usable crypto."
"Our campaign is focused on communication technologies - including chat clients, text messaging apps, e-mail applications and video calling technologies," the organization said in its report. "These are the tools everyday users need to communicate with friends, family members, and colleagues, and we need secure solutions for them."
"We chose technologies that have a large user base - and thus a great deal of sensitive user communications - in addition to smaller companies that are pioneering advanced security practices," the organization said, adding that it will update its findings often. "We’re hoping our scorecard will serve as a race-to-the-top, spurring innovation around strong crypto for digital communications."


