Overview of popular messengers’ security measures

It feels good when your data are secure and you can be reasonably sure that a service has reliable privacy policies and security measures. It also helps to know how companies handle users’ data in a given situation, so you should be aware of what they say about it. The Analytical department of Falcongaze analyzed five popular messengers to make the choice easier: below are overviews of Viber, WhatsApp, Telegram, Facebook Messenger, and Signal.

Viber

  • Security measures

On its site, Viber states that its main mission is to protect users’ privacy so that they never have to think twice about what they discuss over Viber. That is why the company uses end-to-end encryption in private and group chats: messages are encrypted when sent and decrypted only on the recipient’s device. Chats are also protected with SSL encryption.

Even Viber itself cannot access users’ messages, and correspondence is not stored on its servers. Messages exchanged with chatbots, however, are not encrypted in this way.

However, Viber guarantees that this works only on the latest app versions for iOS, Android, and desktop.

Viber states that each voice call session has its own key, which is valid only for that call and is deleted afterwards.

Viber supports secondary device registration: if the app is installed on another device besides your phone (a PC, iPad, or tablet), that device is synchronized with your phone. A separate encryption key is generated for each device, so if you have the app on a PC and on a phone, each has its own key.

For authentication, a single ID key is generated per account, however many devices the user has. The primary device generates it and distributes it to the secondary devices. This minimizes the risk of a man-in-the-middle attack.

Note that Viber has no 2FA.

  • Privacy policies

Viber states that it neither reads nor stores users’ messages. The company does collect the following: registration data (name, e-mail address, date of birth, age, telephone number, billing data); social media data (if you sign in to Viber through a social network, you share that site’s information with the company: your profile, friend list, employment, interests, etc.); activity information (connection status, whether a user has received and seen a message, etc.); and device data (phone ID, session IP address, OS and browser details, etc.).

  • Any hacks, leaks, breaches?

Viber appears to have had no leaks or breaches in the past few years. The one notable incident dates back to 2013, when the Syrian Electronic Army announced that it had hacked Viber, accused the company of spying, and urged users to remove the app. The intrusion resulted from a phishing attack on one of the company’s employees, but Viber stressed that users’ data were not compromised.

WhatsApp

  • Security measures

WhatsApp states that security and privacy are in its DNA.

WhatsApp uses end-to-end encryption, which guarantees that only the participants of a conversation can see its content. The company uses the Signal encryption protocol, which is designed so that neither third parties nor WhatsApp itself can read users’ messages or listen to their calls.

To begin communicating, a client first establishes an encrypted session; only then do the clients exchange messages. Each message is protected with a dedicated Message Key, used for AES-256 (Advanced Encryption Standard) in CBC mode for encryption and for HMAC-SHA256 (a hash-based message authentication code) for authentication. Audio and video calls are also encrypted.

Each WhatsApp chat has its own security code, shown as a QR code or a 60-digit number. To confirm that their messages are encrypted, the participants can compare their codes. As WhatsApp puts it, the security code is a visible version of the chat’s key; the key itself stays secret.

Payment data are stored encrypted, but end-to-end encryption is not used while a payment is being processed.

WhatsApp offers two-step verification: a 6-digit PIN that users choose themselves. You can add an e-mail address to recover the PIN if you forget it. Note that this PIN is different from the registration code you receive by SMS.

  • Privacy policies

WhatsApp collects account information (phone number, contacts, name, profile photo, status), service usage information (diagnostic and performance data), payment data (payment confirmations), device data (model, OS, browser data, IP address, network, phone number, ID), location data (if the feature is enabled), and cookies.

If law enforcement demands information about a particular user, WhatsApp will notify that user unless the law provides otherwise.

At the beginning of 2021, WhatsApp updated its privacy policy. Users had to choose: either share their data with Facebook or stop using the messenger. Many switched to other platforms such as Signal and Telegram, while the company tried to convince users that the changes would not affect their privacy.

  • Any hacks, leaks, breaches?

In May 2019, WhatsApp was compromised through video calls: exploiting a vulnerability in the app, attackers delivered malware to users’ devices, and a user did not even need to answer the call to become a victim. The company released a security update to fix the vulnerability.

In June 2020, a security researcher found that one of WhatsApp’s domains (wa.me) was exposing users’ phone numbers, which Google had indexed. The researcher attributed the incident to the absence of a robots.txt file, which would have instructed crawlers not to index the phone numbers.

Telegram

  • Security measures

Like the other companies, Telegram claims to be more secure than its competitors.

It is based on the MTProto protocol, designed for accessing a server API from mobile applications. The protocol consists of three independent components: a high-level component (the API query language), a cryptographic (authorization) component, and a transport component (which defines how messages are transmitted).

Telegram has secret chats, which are end-to-end encrypted and support self-destructing messages. However, if the other party is offline, a message is not delivered, and a secret chat created on a phone cannot be used from the desktop app, or vice versa.

The app has two layers of encryption. As Telegram explains, private and group chats are client-server encrypted, while secret chats have an additional layer of client-client encryption.

“Our encryption is based on 256-bit symmetric AES encryption, 2048-bit RSA encryption, and Diffie–Hellman secure key exchange.”

Telegram offers two-step verification: to make your account more secure, you can enable it and set an additional password.

Telegram’s security measures look solid, but in 2018 experts from SecurityLab found problems in its protocol: from the command line, they were able to connect to other contacts and observe their communication intervals.

  • Privacy policies

The company says it follows two fundamental principles: it does not use users’ data to show them advertisements, and it stores only the data Telegram needs to function.

Telegram stores account information (phone number, profile name, photo, and additional details). When you enable two-step verification or store data in Telegram Passport, you can set a password recovery e-mail; the company promises it will be used only for that purpose, with no “we miss you” messages.

Telegram also stores users’ messages, but, as its privacy policy states, everything is stored encrypted.

Secret chat messages are not stored on the company’s servers. Documents, photos, and videos are stored encrypted, but the company periodically purges these files to free up disk space.

It is also possible to create chatbots, which are independent of Telegram and can therefore collect additional information about a user, though they must ask permission first. Read a bot’s privacy policy to know what data you are giving it.

  • Any hacks, leaks, breaches?

In 2020, security researchers found that web skimmers were exfiltrating stolen data via Telegram channels: injected scripts collected payment details, which a Telegram bot received and posted to a chat as ordinary messages.

Also in 2020, Telegram users’ data were leaked: 70% of the records belonged to Iranian users and 30% to Russian ones. Telegram attributed it to misuse of the contact import feature and added that 60% of the data were outdated. SecurityLab, however, reported several leaks: the first in May, when two databases leaked, and a second, widely discussed one in June.

Facebook Messenger

  • Security measures

On its official website, Facebook states that the user should be the only one who knows the content of their messages and who they communicate with, and that it is working to make Messenger private and secure.

Messenger supports 2FA. To set it up, you choose a security method: either a code from a third-party authenticator app or an SMS code. You can then add an optional backup method: recovery codes or tapping a security key on a compatible device.

For security, the company takes a “defense-in-depth” approach: multiple security layers that prevent and address vulnerabilities from different angles. It has five components:

  1. Secure frameworks (security experts develop libraries and design new programming languages to eliminate whole classes of bugs; this is how the company evolved the PHP language into Hack);
  2. Automated testing tools (continuous code analysis that scans new and existing code for issues);
  3. Peer & design reviews (experts review all code changes);
  4. Red team (a team of experts who try to break into the app);
  5. Bug bounty program (the company involves the information security community in improving its product).

Messenger has a Secret Conversations feature, which does not support group messages, audio or video calls, or payments. Messages in secret conversations are encrypted. A secret conversation is also tied to a device: if you sign in to the account from another device, you will not see it there.

  • Privacy policies

Facebook collects the information a user provides, the communities a user follows, financial information, and device data (OS, software version, battery level, signal strength, available memory, browser type, app types and names, device ID, IP address, cookies).

These data are used to personalize and improve the company’s products.

In 2019, Facebook changed its strategy on users’ data because fewer and fewer people were using its products. Zuckerberg published a post describing the company’s new principles: private correspondence must stay private, end-to-end encryption, reduced permanence, safety, interoperability, and secure data storage.

  • Any hacks, leaks, breaches?

In September 2018, hackers discovered a vulnerability that put 50 million users’ data at risk by allowing access to private information. Mark Zuckerberg stated that no accounts were compromised. Facebook logged users out so that they had to sign in again, which reset their access tokens.

In March 2019, a vulnerability was discovered in Messenger that allowed attackers to use a user’s browser to see who they were communicating with. The issue was fixed by November.

In November 2020, Google Project Zero researcher Natalie Silvanovich found a vulnerability in Messenger that allowed malicious actors to connect to users’ calls and place calls without their consent. The problem lay in the Session Description Protocol handling, part of WebRTC. The vulnerability has since been fixed.

Signal

  • Security measures

Each Signal chat has its own safety number, and Signal notifies you if it changes. The company says this lets users verify the privacy of their communication with a contact and minimizes the risk of a man-in-the-middle attack.

You can compare safety numbers by scanning your contact’s QR code, comparing them visually or reading them aloud, or using the share icon to copy yours to the clipboard.

Signal has published all the software libraries it uses and describes its encryption method in four documents:

  • XEdDSA and VXEdDSA (creating and verifying EdDSA-compatible signatures with a public and a private key);
  • Extended Triple Diffie-Hellman (a protocol that establishes a shared secret key for both parties, with authentication based on public keys);
  • Double Ratchet (an algorithm for exchanging messages under a shared secret key; each new key is derived so that it cannot be computed from later ones);
  • Sesame (an algorithm for managing encrypted sessions in an asynchronous, multi-device setting).

Signal gives users a PIN that helps recover the account later. It is not linked to the phone number or to Signal’s servers, and it is not a chat backup.

As the company states, audio and video calls are end-to-end encrypted.

  • Privacy policies

Signal states that it does not collect or store users’ data. All messages are encrypted, so no one but their owner can access them, and everything you send is stored on the local device.

You provide Signal with the following: account data (phone number), randomly generated authentication tokens, keys, push tokens, and the data necessary to make calls and send messages. Signal keeps this information to a minimum.

The company relies on third parties to provide its services. For instance, Signal itself does not send the verification code; a third party does, under its own privacy policy that protects users’ data.

If you use services such as YouTube, Spotify, or Giphy within Signal, those third parties’ privacy policies apply.

  • Any hacks, leaks, breaches?

In 2019, a security researcher discovered a vulnerability in Signal that allowed a caller to connect to a victim who did not even need to accept the call: the attacker could answer it remotely on the victim’s behalf and so eavesdrop on the victim’s surroundings.

In December 2020, the Israeli company Cellebrite claimed on the BBC website that it had broken the messenger’s encryption. Signal later published a rebuttal saying that Cellebrite could not do so and had never actually claimed to; what Cellebrite described was a simple operation requiring physical access to the device.

The Analytical department of Falcongaze cares about users’ security and privacy, and we hope this overview helps you choose a messenger. Be aware of what data you entrust to services.
