Think twice before sending your next text message. Or better yet, make sure you use end-to-end encryption.
Consumers regularly use different types of messaging technology from the largest tech companies, including Apple, Alphabet and Meta Platforms, including iMessage, Google Messages, WhatsApp, and SMS, but the level of protection varies. Now, the US government is expressing its greatest concern after the recent massive hack of the country's largest telecom companies.
Last month, the Cybersecurity and Infrastructure Security Agency and the FBI revealed a campaign carried out by China-linked hackers, called Salt Typhoon, that compromised cybersecurity at AT&T, Verizon and others, and it was one of the largest US infrastructure hacks in history. Following this warning, the NSA, the FBI, and international partners published a joint guide to help protect Americans. One suggestion is to use end-to-end encryption, a method that makes communications more secure.
End-to-end encryption helps ensure that only intended recipients can read your messages as they travel between your phone and someone else's phone. Secure messaging apps use end-to-end encryption to protect communications from hackers, surveillance, and unauthorized access, so not even messaging app providers can read your messages.
“All things being equal, if you have the opportunity to use an end-to-end encrypted platform, you should do it,” said Michael Hughes, chief business officer at Duality Technologies, which allows organizations to share and analyze sensitive data using encryption.
Many consumers don't know what options they have to communicate securely via messaging apps. Here are the basics.
WhatsApp and Signal are among the best overall options
Consumers use different messaging apps for different purposes, often without giving a second thought to security. However, there are notable differences between the platforms that people should be aware of.
From a security perspective, free messaging apps like Meta's WhatsApp and Signal — whose co-founder was one of the creators of WhatsApp — are best because end-to-end encryption is built into them. This makes these apps highly preferable over SMS and MMS, two older methods of messaging that don't offer end-to-end encryption, said Trevor Horowitz, founder of TrustNet, a cybersecurity and compliance services provider.
Even the platforms considered best for end-to-end encryption have downsides. Signal is a favorite among many privacy enthusiasts because its mission emphasizes not collecting or storing sensitive information. This could be especially compelling for people who are wary of Facebook, WhatsApp's parent company, and its privacy practices. The downside to Signal is that it's not as widely used as WhatsApp, and if your contacts aren't on it, you won't be able to communicate, said Roger Grimes, an analyst at KnowBe4, a security platform provider.
There are also paid messaging apps that are end-to-end encrypted, such as Threema. It's private by design and no phone number or email address is required, but it does cost a few bucks, and convincing your friends and family to join when there are already popular free options can be a challenge.
Grimes said most people would use encryption “if it was by default and they didn't have the slightest inconvenience.”
RCS and iMessage
Many messaging platforms now use RCS, which stands for Rich Communications Services. It is the successor to SMS and MMS that has enhanced features and also provides the ability for end-to-end encryption, but not by default on all devices. For example, RCS messages using Google Messages are automatically upgraded to end-to-end encryption, but Apple's implementation of RCS on iPhones is not end-to-end encrypted, Horowitz said.
For any Apple device user, the company's iMessage app is end-to-end encrypted, but for users sending RCS messages through other text plans, such as the carrier's text option, end-to-end encryption is not offered. As Apple explains about sending messages through non-iMessage RCS options: “They are not protected from being read by a third party while they are being sent between devices.”
Additionally, not all devices are RCS compatible and it is not universally supported by carriers. There are also compatibility issues between some iPhone and Android devices that are still being worked on, Horowitz said.
Facebook Messenger encryption vulnerabilities
It's even more complicated because tech companies have multiple messaging products and not every app from a given provider supports end-to-end encryption in the same way. For example, Facebook Messenger offers end-to-end encrypted messaging, but not in all cases. According to Facebook, some products do not currently support end-to-end encryption, such as community conversations for Facebook Groups, conversations with businesses or accounts using business messaging tools, Marketplace chats, and others.
Consumers should try to dig deeper into the applications they use to understand how end-to-end encryption works for a particular application, said Deirdre Connolly, cryptographic standardization research engineer at SandboxAQ, an AI application developer. This information is often available in the support or privacy section of the service provider's website. But even then, it can be difficult to find and decipher. “You have to get into the nitty-gritty,” Connolly said.
Google vs Apple
Google Messages is the default messaging app on many Android devices and many people use it to communicate, but consumers need to understand that not all messages sent or received using the app are fully encrypted. The app supports end-to-end encryption when messaging other users using Google Messages via RCS, according to the company. But messages are not end-to-end encrypted when communicating with an iPhone user, for example. Text messages appear in dark blue for RCS and light blue for SMS/MMS. Users will also see a lock icon when end-to-end encryption is active in the conversation.
In Apple's case, communications between two iMessage users are end-to-end encrypted, but iMessage is Apple's own platform. This means that, currently, communications between iMessage users and Android device users are not end-to-end encrypted. A green message bubble instead of blue indicates that the message was sent using MMS/SMS instead of iMessage.
In fact, the Justice Department's antitrust case against Apple highlights the failure to offer end-to-end encryption outside of its iOS messaging app as a monopoly concern.
Protocols are being developed to allow end-to-end encryption between different communications platforms using RCS, but this is still a work in progress. A spokesperson for the GSMA, the industry organization leading the effort, said: “Work with key industry stakeholders is progressing well and we look forward to updating the market in the coming months.”
Phone settings and the ongoing risk of hacking
The only thing people need to do is check the settings on their phone. Many consumers have older phones, and those who don't have automatic updates enabled may miss out on important security updates, which can include messaging apps that allow end-to-end encryption, said Chris Henderson, senior director of threat operations at Huntress, a cybersecurity firm. Also, with a new phone, the settings of the transferred apps may not carry over. If you enabled end-to-end app encryption on your previous phone, it's also a good idea to check that the settings are enabled on the new phone as well, Henderson said.
End-to-end encryption isn't foolproof because hackers can intercept users' communications in other ways, such as by compromising the device itself, Horowitz said. For security purposes, it is also important to keep your devices healthy by installing all software updates, avoiding sketchy downloads, and performing reboots periodically.
However, it is a good practice to use end-to-end encryption, when available. “Threat actors go where the crowd goes,” said Corey Daniels, global chief information security officer at Trustwave, a cybersecurity firm and managed security services provider. “If audiences are still using unencrypted communications, [bad actors] will continue to exploit the opportunity until users begin to evolve their digital behaviors.”