How secure is your favorite messaging app? In all probability, not very. According to the Electronic Frontier Foundation, only six applications were able to pass its security test. That's out of a total of 39 services (including those from Apple, Google, Facebook, BlackBerry, Microsoft, and Yahoo) that EFF examined.
EFF looked at seven issues:
- Is data encrypted in transit?
- Is it encrypted so the provider can't read it?
- Can the service verify contacts' identities?
- Are past communications secure if keys are stolen?
- Is the code open to independent review?
- Is security design properly documented?
- Has the code been audited?
Each of the 39 apps tested encrypted content in transit, but only six satisfied all of the EFF's requirements on its Secure Messaging Scorecard. Those apps were ChatSecure + Orbot, Cryptocat, RedPhone, Silent Phone, Silent Text and TextSecure.
Apple actually fared well, hitting five of the seven requirements. It lost points for not verifying contacts' identities and for not opening its code to independent review.
Most other popular services (WhatsApp, Snapchat, Skype, Google Hangouts, Facebook chat) checked off only two boxes, usually encryption in transit and a code audit. AIM satisfied only the encryption-in-transit requirement.
"In the face of widespread Internet surveillance, we need a secure and practical means of talking to each other from our phones and computers," the EFF's report said. "Many companies offer 'secure messaging' products -- but are these systems actually secure?"
Will Anyone Notice?
We reached out to Rick Holland, principal security and risk management analyst for Forrester, about the study's significance. Holland suggested the results will be of greater interest to industry insiders and observers than to the man or woman on the street.
"Unfortunately, consumers have a short memory," he told us. "I think this will have a minimal impact to non-techie/tinfoil-hat consumers. Tech-savvy individuals will certainly change their behavior based on the performance."
The report is part of a campaign that EFF ran with Julia Angwin at ProPublica and Joseph Bonneau from the Princeton Center for IT Policy. The idea is to promote technologies that are both secure and easy to use.
"Our campaign is focused on communication technologies -- including chat clients, text messaging apps, e-mail applications, and video calling technologies," EFF said. "These are the tools everyday users need to communicate with friends, family members, and colleagues, and we need secure solutions for them."
At least one tech giant is visibly stepping up its security game. Google's Android Security Team recently released the nogotofail tool, which lets users confirm that devices or apps are safe against known TLS/SSL vulnerabilities.
Forrester's Holland cautioned users to do their homework so that they are using genuinely secure services rather than those that are heavily promoted.
"Consumers should be aware that the marketing of privacy is very different than the reality of privacy," he said. "The mainstream media coverage of the iCloud celebrity hacking raised general consumer awareness around security and privacy of messaging apps."
The EFF's Secure Messaging Scorecard is available online for more details.
Posted: 2014-11-06 @ 7:55am PT
App sandboxing isolates apps from the critical system components of your Mac, your data and your other apps. Even if an app is compromised by malicious software, sandboxing automatically blocks it to keep your computer and your information safe. And Gatekeeper makes it safer to download apps by protecting you from inadvertently installing malicious software on your Mac. So we now know that sandboxing and Gatekeeper will protect you from any nasties. Phew. But hang on. If you download a malicious app via uTorrent (for example), Gatekeeper won't bat an eyelid. If you try to install an app infected by iWorm, XProtect will block the install, but it won't go looking to see if you are already infected with it. And sandboxing makes no difference, as it is limited to certain apps and plugins. Apple security: the gift that keeps on giving.