- Joined
- May 15, 2016
- Messages
- 4,789
- Likes
- 2,574
- Points
- 1,730
A lot of these "secure" messaging apps aren't as safe as you think.
Stay safe out there & make sure you use OPSEC.
iMessage
iMessage is Apple’s instant messaging service. It works across Macs, iPhones, and iPads. Using it on Android is hard because Apple uses a special end-to-end encryption system in iMessage that secures the messages from the device they’re sent on, through Apple’s servers, to the device receiving them. Because the messages are encrypted, the iMessage network is only usable by devices that know how to decrypt the messages. Here’s what the document says it can access for iMessage:
* Message content limited.
* Subpoena: Can render basic subscriber information.
* 18 USC §2703(d): Can render 25 days of iMessage lookups and from a target number.
* Pen Register: No capability.
* Search Warrant: Can render backups of a target device; if target uses iCloud backup, the encryption keys should also be provided with content return. Can also acquire iMessages from iCloud returns if target has enabled Messages in iCloud.
Line
Line is a freeware app for instant communications on electronic devices such as smartphones, tablets, and personal computers. In July 2016, Line Corporation turned on end-to-end encryption by default for all Line users, after it had earlier been available as an opt-in feature since October 2015. The document notes on Line:
* Message content limited.
* Suspect’s and/or victim’s registered information (profile image, display name, email address, phone number, LINE ID, date of
registration, etc.)
* Information on usage.
* Maximum of seven days’ worth of specified users’ text chats (Only when end-to-end encryption has not been elected and
applied and only when receiving an effective warrant; however, video, picture, files, location, phone call audio and other such
data will not be disclosed).
Signal
Signal is a cross-platform centralized encrypted instant messaging service. Users can send one-to-one and group messages, which can include files, voice notes, images and videos. Signal uses standard cellular telephone numbers as identifiers and secures all communications to other Signal users with end-to-end encryption. The apps include mechanisms by which users can independently verify the identity of their contacts and the integrity of the data channel. The document notes about Signal:
* No message content.
* Date and time a user registered.
* Last date of a user’s connectivity to the service.
This seems to be consistent with Signal’s claims.
Telegram
Telegram is a freeware, cross-platform, cloud-based instant messaging (IM) system. The service also provides end-to-end encrypted video calling, VoIP, file sharing and several other features. There are also two official Telegram web twin apps—WebK and WebZ—and numerous unofficial clients that make use of Telegram’s protocol. The FBI document says about Telegram:
* No message content.
* No contact information provided for law enforcement to pursue a court order. As per Telegram’s privacy statement, for
confirmed terrorist investigations, Telegram may disclose IP and phone number to relevant authorities.
Threema
Threema is an end-to-end encrypted mobile messaging app. Unlike other apps, it doesn’t require you to enter an email address or phone number to create an account. A user’s contacts and messages are stored locally, on each user’s device, instead of on the server. Likewise, your public keys reside on devices instead of the central servers. Threema uses the open-source library NaCl for encryption. The FBI document says it can access:
* No message content.
* Hash of phone number and email address, if provided by user.
* Push Token, if push service is used.
* Public Key
* Date (no time) of Threema ID creation.
* Date (no time) of last login.
Viber
Viber is a cross-platform messaging app that lets you send text messages, and make phone and video calls. Viber’s core features are secured with end-to-end encryption: calls, one-on-one messages, group messages, media sharing and secondary devices. This means that the encryption keys are stored only on the clients themselves and no one, not even Viber itself, has access to them. The FBI notes:
* No message content.
* Provides account (i.e. phone number)) registration data and IP address at time of creation.
* Message history: time, date, source number, and destination number.
WeChat is a Chinese multi-purpose instant messaging, social media and mobile payment app. User activity on WeChat has been known to be analyzed, tracked and shared with Chinese authorities upon request as part of the mass surveillance network in China. WeChat uses symmetric AES encryption but does not use end-to-end encryption to encrypt users messages. The FBI has less access than the Chinese authorities and can access:
* No message content.
* Accepts account preservation letters and subpoenas, but cannot provide records for accounts created in China.
* For non-China accounts, they can provide basic information (name, phone number, email, IP address), which is retained for as long as the account is active.
WhatsApp, is an American, freeware, cross-platform centralized instant messaging and VoIP service owned by Meta Platforms.[ formerly FaceBook] It allows users to send text messages and voice messages, make voice and video calls, and share images, documents, user locations, and other content. WhatsApp’s end-to-end encryption is used when you message another person using WhatsApp Messenger. The FBI notes:
* Message content limited.
* Subpoena: Can render basic subscriber records.
* Court order: Subpoena return as well as information like blocked users.
* Search warrant: Provides address book contacts and WhatsApp users who have the target in their address book contacts.
* Pen register: Sent every 15 minutes, provides source and destination for each message.
* If target is using an iPhone and iCloud backups enabled, iCloud returns may contain WhatsApp data, to include message content.
Wickr
Wickr has developed several secure messaging apps based on different customer needs: Wickr Me, Wickr Pro, Wickr RAM, and Wickr Enterprise. The Wickr instant messaging apps allow users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments. Wickr was founded in 2012 by a group of security experts and privacy advocates but was acquired by Amazon Web Services. The FBI notes:
* No message content.
* Date and time account created.
* Type of device(s) app installed on.
* Date of last use.
* Number of messages.
* Number of external IDs (email addresses and phone numbers) connected to the account, bot not to plaintext external IDs themselves.
* Avatar image.
* Limited records of recent changes to account setting such as adding or suspending a device (does not include message content or routing and delivery information).
* Wickr version number.