Most secure communicator for smartphones

What does the phrase "most secure communicator for smartphones" actually mean? Many popular applications, instead of protecting our data, tend to spy on us, eavesdropping on conversations or browsing through sent messages. The services may obtain the contents of our conversations and sent messages during tax proceedings, investigations or explanatory proceedings. The CBA, CBŚ or police collect data even from the SIM card. Eavesdropping is essential to fight organized crime. But it turns out that everyone is being listened to: private persons, entrepreneurs and politicians.

Last year, WhatsApp, belonging to the Facebook family, forwarded 1,000 recordings of conversations to Polish law enforcement agencies. Now, according to the New York Times daily, Check Point experts have discovered a vulnerability in this application, which allows fraudsters to capture messages sent as part of group discussions or private conversations and manipulate their content.

Researchers say the gap is important. Carl Woog, who is responsible for media contact at WhatsApp, claims that Check Point's finding has nothing to do with a vulnerability because it does not apply to end-to-end encryption. And in fact this is the case: the experts' discovery is not a previously unknown attack on the protocol, but the use of an already available function, quoting text in a group chat, that is vulnerable to manipulation.

According to the findings, the "vulnerability" allows three types of attacks:

1. Modifying a reply in such a way that the author is credited with words that he did not actually say.

2. Quoting a message in response in a group conversation in such a way that it seems that it comes from a person who is not even a member of a given group.

3. Sending a group member a message that appears to be a group message, although it was actually sent only to that one member of the group. However, the group member's response will be sent to everyone in the group.
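The first two cases can be caught on the receiving side by comparing a quote with the message the client itself stored. The following is an added example, not WhatsApp's or Check Point's code; the field names and the sample messages are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    # Hypothetical field names; the page does not list WhatsApp's parameters.
    msg_id: str
    chat_id: str
    sender: str
    text: str
    quoted_id: Optional[str] = None
    quoted_sender: Optional[str] = None
    quoted_text: Optional[str] = None


def check_quote(msg, history, members):
    """Compare the quote embedded in msg with the receiver's own records.

    history maps (chat_id, msg_id) to the message as originally received,
    members maps chat_id to the set of participants. Empty list = consistent.
    """
    if msg.quoted_id is None:
        return []
    findings = []
    if msg.quoted_sender not in members.get(msg.chat_id, set()):
        findings.append("quoted sender is not a group member")
    original = history.get((msg.chat_id, msg.quoted_id))
    if original is None:
        findings.append("quoted message not in local history")
        return findings
    if original.sender != msg.quoted_sender:
        findings.append("quoted sender differs from original")
    # Assumes quotes carry the full text; a client that truncates quotes
    # would compare against the same truncation instead.
    if original.text != msg.quoted_text:
        findings.append("quoted text differs from original")
    return findings


# Constructed sample data.
MEMBERS = {"group-1": {"alice", "bob", "carol"}}
ORIGINAL = Message("m1", "group-1", "alice", "Meeting at 10")
HISTORY = {(ORIGINAL.chat_id, ORIGINAL.msg_id): ORIGINAL}
HONEST = Message("m2", "group-1", "bob", "ok", "m1", "alice", "Meeting at 10")
ALTERED = Message("m3", "group-1", "bob", "really?", "m1", "alice", "Meeting cancelled")
OUTSIDER = Message("m4", "group-1", "bob", "hm", "m9", "dave", "I approve")
```

The third case, a private message dressed up as a group message, is not covered by this check because it concerns delivery rather than the quoted content.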

Encryption of WhatsApp

As you know, WhatsApp encrypts any message, photo, call, video or any other type of content sent. Using the Burp Suite software to analyze traffic between the application and the server, the researchers managed to decrypt the WhatsApp communication and learn that the protobuf2 protocol is used for the encrypted communication. After converting this data to JSON, it was possible to see the parameters sent and gain control over them.


So, to carry out an effective attack, at least one of the following conditions must be met:

  • The fraudster must eavesdrop on the packets transmitted between the phone and the cell tower, i.e. carry out a man-in-the-middle attack using a suitable device.
  • The fraudster achieves exactly the same if he manages to substitute his own wireless network.
  • The fraudster must be a member of the group of chatting users.

Before even thinking about an attack, the criminals need to obtain the necessary hardware and software. Their entire effort would fail if the victim used any VPN connection.

So, which is the most secure communicator for smartphones?


Such a comparison was prepared by Mk My Data in the "Technology in a reward" report. Don't recognize this company? Neither did we, but it specializes in recovering data from hard drives and from the memory of mobile devices. The following messengers were taken into account: WhatsApp, Signal, Facebook Messenger, Viber, Hangouts, iMessage and Usecrypt, developed by a Polish company. It should be noted that there is a whole range of mobile applications for exchanging correspondence on the market; however, Mk My Data decided to focus on those messengers that it most often encounters during commissioned work or expert opinions, as well as tasks related to extracting information from mobile devices.

The conclusions read:

We prioritize the use of the UseCrypt application that guarantees the highest security and effectiveness of the solutions offered. It can be clearly stated that among the currently used messengers on the market there is no comprehensively safer solution.

The following communicators were included in the conducted experiment:

Signal

  • It offers an increased level of information exchange security through end-to-end encryption.
    Unfortunately, it is possible to extract messages from a stolen active device using the available methods of obtaining data.
  • The data goes to the servers of the American company Open Whisper Systems, i.e. the manufacturer of the communicator.
  • The messenger is free and does not really provide access to knowledge about what data and content are stored on its servers.
  • A downside is the rather vague rumours that come to light from time to time and raise the question of whether powerful corporations or even special services stand behind the creators of this messenger (many facts could speak for such a theory, including the fact that the product is free and is not advertised in any way, although developing such a product in the field of secure communication requires really large investments and financial expenditures).
  • According to the available information, the project survives only on grants and financial subsidies.
  • The Signal messenger uses the Diffie-Hellman key agreement protocol in the negotiation process, for which a group generator with a value of 2 has been adopted for the multiplicative group modulo p. In fact, the generator of this group is the number 5. As a result of using the wrong value, the protocol operates only on a subgroup of the indicated multiplicative group, which significantly reduces the security of the entire protocol and, as a consequence, its communication.
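Whether a given value generates the whole multiplicative group modulo p or only a subgroup, as the last item describes, can be checked numerically. The following is an added example, not code from the report or from Signal; the 8-bit safe prime 167 is a toy value chosen so that 2 and 5 behave as in the description, whereas real groups use primes of 2048 bits or more.

```python
def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy modulus used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def element_order(g: int, p: int) -> int:
    """Multiplicative order of g modulo a safe prime p = 2q + 1."""
    q = (p - 1) // 2
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p must be a safe prime")
    if g % p == 0:
        raise ValueError("g must be non-zero modulo p")
    # Lagrange: the order divides p - 1 = 2q, so it is 1, 2, q or 2q.
    for d in (1, 2, q, 2 * q):
        if pow(g, d, p) == 1:
            return d
    raise AssertionError("unreachable for prime p")


def reachable_values(g: int, p: int) -> set:
    """All values g^x mod p, i.e. every public key the generator can produce."""
    return {pow(g, x, p) for x in range(1, p)}


def describe(g: int, p: int) -> str:
    order = element_order(g, p)
    q = (p - 1) // 2
    kind = {2 * q: "full group", q: "prime-order subgroup"}.get(order, "trivial subgroup")
    return f"g={g}: order {order} of {p - 1} ({kind})"


P = 167  # toy safe prime (constructed): 167 = 2 * 83 + 1

if __name__ == "__main__":
    for g in (2, 5, P - 1):
        print(describe(g, P))
    # Both sides of an exchange with g = 2 stay inside the 83-element subgroup.
    a, b = 29, 101  # constructed private exponents
    shared = pow(pow(2, a, P), b, P)
    print(shared == pow(pow(2, b, P), a, P), shared in reachable_values(2, P))
```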

WhatsApp

  • Full encryption in group chats is only active when all users of the group have the current software and the latest version of the application. Lack of updates for even one of the group's members destroys the plan of being safe and anonymous.
  • Conversation data in WhatsApp is encrypted, but its metadata is not. So, recipients, senders, call dates, IP addresses, phone numbers, nicknames as well as file sizes are available to the manufacturer.
  • Data is collected on Facebook servers. Correlating this information with recent events or scandals with Facebook in the main role, we can draw conclusions about the safety of using this application.
  • Encryption in WhatsApp is also somewhat illusory, as it does not protect against spyware and keyloggers.
  • In WhatsApp, there are no methods of authenticating and confirming whether our interlocutor is the person with whom we actually want to correspond.

Viber

  • It offers full encryption between users and relatively high security using end-to-end encryption.
  • It has the ability to confirm the identity of the interlocutors.

iMessage, Facebook Messenger and Hangouts

  • They have security in the form of encryption and offer the same functionalities as described above.
  • They give their producers the opportunity to obtain the content of correspondence from mobile devices in which they are installed.
  • With physical possession of a user's telephone or tablet, you can access the complete correspondence, including items that have been deleted. After obtaining such a device and making its physical copy, it is possible to read the complete correspondence of the device owner.

Usecrypt Messenger

  • This messenger is a visionary solution created by Polish engineers.
  • In UseCrypt Messenger connections are made through an intermediate server that does not participate in any cryptographic operations. This guarantees full anonymity to the user. What's more, it is the only application that allows you to check whether the phone is an object of surveillance.
  • The service provider does not store user data on the server. In the case of Usecrypt Messenger, when registering a user, only cryptographic hashes are compared (a hashed string from which the phone number cannot be recovered), i.e. the output of a so-called one-way function, which makes it possible to tell the user which of his contacts are using the service.
  • The communicator offers the possibility of extending the protection with the option of setting an application access code and, especially useful in crisis situations, the "PANIC CODE" function. This function makes it possible to completely remove from the device's memory the data concerning conversations, the history of calls made and the list of contacts. This operation results in a new client registration being started.
  • It uses a mechanism that encrypts voice calls (the CBR encryption method).
  • The protocol used in UseCrypt Messenger provides full end-to-end encryption. It also introduces a mechanism for detecting man-in-the-middle attacks.
  • The AES encryption algorithm was used to encrypt communication.
  • The product of the Polish company Usecrypt S.A. allows you to anonymize the network address of users of this service.

It is very difficult to verify the technical information provided by the producers of each communicator. The issue of encryption and privacy should be approached very carefully, without favoring any of the available programs. WhatsApp, Signal and Telegram are just some of the applications that were considered secure communicators so far and are now eavesdropped on by the services of selected states. What's more, recent months have shown that their producers are legally required to hand over decryption keys to local intelligence services. Recently the American company Continental banned employees from using the WhatsApp app on business phones because of concern for data security.




We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.