Scarcely a day passes in the news cycle that cybersecurity isn’t making headlines. From accusations of wiretapping by the sitting president to a tenuous investigation into alleged Russian intrusion into the American electoral process, even the most unsophisticated consumers are starting to sit up and pay more attention to what it means to secure data in an increasingly digital, interconnected and at-risk world.
One of the more promising developments in this category is secure messaging: apps that encrypt texts and phone calls to prevent hackers from accessing personal data. Both the health care and online banking industries have been using encryption for years to protect data. Only more recently has the technology begun to be adopted in more consumer-friendly ways, most notably on social media.
Countering Data Stealing
“The growth in secure messaging apps – both in number of apps and usage – is a natural reaction to the current cyber-threats landscape,” said Andra Zaharia, marketing and communication manager for Heimdal Security A/S and Heimdal Security SrL in Bucharest. Zaharia is focused on issues related to cybersecurity and startups for the company, which provides IT services to clients around the world. As such, she has been spending more time evaluating the relationship between data encryption and mobility among a variety of users.
Zaharia said in an email interview that almost every cyber-attack or piece of malware created and launched in the past year includes some sort of data-stealing component. Secure messaging is becoming a realistic, arguably affordable way to counter these most common threats.
“Information is a powerful weapon and cybercriminals have known this for a long time,” Zaharia said. “Today, their malicious activities are focused on using data as a key leverage in cyber-fraud, whether it’s financial malware, ransomware, doxxing or other types of cyber-attacks.”
According to last year’s Data Breach QuickView report by Risk Based Security, more than 4.2 billion records were exposed in 2016 alone. This actually beats the all-time record of nearly one billion in 2013. Practically speaking, the threat to data – both personal and corporate – is making the need for secure messaging and other options a priority for many IT professionals who are looking for newer, smarter ways to develop defense plans.
“Unfortunately,” Zaharia said, “many Internet users make it a priority only after they’ve become victims of a data breach or have had their personal information used against them in one way or another. For those looking to protect their data going forward, finding trustworthy apps can present a bit of a challenge, depending on their level of technical skill.”
How Do These Apps Really Work?
Simply put, secure messaging apps provide encryption of data to make it unreadable. “In the best-case scenario,” Zaharia said, “these apps should provide end-to-end encryption to secure data from the sender all the way to the receiver. The end-goal is that the confidentiality of the data remains intact at all times.”
Does that mean all apps are created equal? Unfortunately, no.
But one of the more promising apps currently on the market is ChatSecure, a free and open source encrypted chat client for iPhone that supports OTR encryption.
Chris Ballinger, founder of ChatSecure in San Francisco, says the target audience for this type of app is still somewhat niche, mostly comprised of tech-literate users and IT pros in Silicon Valley. When it comes to the average consumer, he hazards a guess that most people don’t realize how open they are to hacks in the first place.
“Most people didn’t have a good idea how poorly their communications, [such as] email, SMS, Facebook, Gchat, etc., were protected until it was covered more heavily in the media,” said Ballinger in an email interview, pointing to the NSA revelations as an example.
He said there are important questions anyone should be asking when considering adopting this secure messaging technology:
- Is the code open source?
- Does it use well-known, forward-secret, end-to-end crypto, like OTR or Double Ratchet?
- Does the company’s marketing material use vague terms like military grade encryption? If so, trust it less.
- Has there been a recent security audit?
- How is the project funded? What is the business model?
- How much metadata is harvested? This includes everything but the message content itself – things like contact lists, social graphs, message times, etc.
- Can you run your own server?
ChatSecure iOS was admittedly difficult to use at first until Ballinger added both push messaging and OMEMO encryption within the past few months. The goal is to improve features like file sharing and group chat. He also plans to release a desktop port of the app in the future that could change the way companies encrypt data if the apps become more seamless and, ideally, user friendly.
“I don’t think our software will ever be completely mainstream,” Ballinger said, “but I think it fills an important role, of which we currently see little competition. Most apps want to have a centralized database of users so they can monetize that data somehow. Our goal is to know absolutely nothing about our users and put that power back in the hands of end-users.”
This “power to the people” approach is being mirrored in other secure apps that are finding their way into more familiar networks like Facebook Messenger. Apps like Allo and WhatsApp that use end-to-end encryption are also ultimately the ones that may have a competitive advantage down the road. At the very least, they may help make the technology a bit more mainstream.
Challenges and Benefits
Encryption, though it’s been used in many ways, is still a relatively new concept for mainstream consumers. What can make it difficult for people to want to adopt or even consider using these secure messaging apps is confusion over encryption itself. “That’s because encryption can be quite tricky to understand if it’s your first time facing a technical topic,” Zaharia said. “But the good news is that more and more mainstream apps provide end-to-end encryption, so that’s an important step forward.”
In terms of keeping up with cyber-threats, both Zaharia and Ballinger seem to agree that end-to-end encryption is actually one of the best ways to secure data at present. These apps do not purport to solve all security issues. But they offer a healthy start. It’s one part of a bigger security puzzle.
“Encryption technology itself can keep up with current and future challenges,” Zaharia said, “but the users have to do the same. Data security includes many layers and encryption is only one of them. As a result, every person who aims for better information security should keep this in mind.”
IT pros, said Zaharia, may want to guide their colleagues towards using these apps because doing so not only secures company data, but also protects them as employees. “Teaching and developing fundamental cybersecurity skills has a positive impact both on professional and private lives,” she said, “and I believe this is something we should all keep in mind.”
Ballinger also believes that putting security into the hands of consumers is important in the advancement of cybersecurity.
“In an ideal world,” he said, “there isn’t a market for secure tools because all tools are secure by default.”
Natalie Hope McDonald is a writer and editor based in Philadelphia.