Saturday, April 5, 2025
Are Your Messages Really Secure? How to Use Encrypted Apps Safely
Political media were sent into a tizzy after Jeffrey Goldberg, editor-in-chief of The Atlantic, published a story on March 24 revealing that weeks earlier, he had been accidentally added to a group chat on encrypted messenger app Signal. What made this group chat remarkable was that it featured several senior officials from the Trump administration, including Vice President JD Vance and Defense Secretary Pete Hegseth, discussing plans to bomb targets in Yemen.
The incident instantly ignited fiery criticism over the Trump administration’s security practices. Former transportation secretary Pete Buttigieg wrote on Threads that “from an operational security perspective, this is the highest level of fuckup imaginable.”
So, what are encrypted messaging apps, when should you use them in your business, and how can you prevent screwups like this epic one from the White House? Here’s a brief guide.
What are encrypted messaging apps?
Encrypted messenger apps enable people to send text messages that are protected with end-to-end encryption, a process in which an outgoing message is scrambled into gibberish, sent over the internet, and then unscrambled on the recipient’s device. This process is achieved by using “keys,” which are lines of code that encrypt and decipher text; they prevent anyone other than the sender and recipient from reading messages, even the platform being used to send them. Two devices with matching keys can securely pass messages to each other.
Many messaging apps offer end-to-end encryption as table stakes: Apple’s iMessage added end-to-end encryption in 2011, and WhatsApp switched to the security measure in 2016. What makes Signal unique is that it’s a nonprofit powered by an open-source protocol, funded by grants and donations. This means that, unlike 23andMe for example, there’s no risk of Signal getting acquired by a profit-seeking company.
A good example of a form of smartphone-based communication that’s not end-to-end encrypted? An old-fashioned SMS text.
In summary, if you want to avoid the snooping eyes of a third party, consider using an app with end-to-end encryption, like iMessage, WhatsApp, or Signal.
What are the best practices for using these apps?
Just because you’re using a messaging app that offers end-to-end encryption, it doesn’t mean that your conversation is totally secure.
“We should all be very careful not to assume that encryption equals security,” says Matt Howard, senior vice president and chief marketing officer at data security platform Virtru, which helps enterprise clients (including the Department of Defense) control the flow of data within their organizations. Using end-to-end encryption is necessary for keeping your communications secure, he says, but it’s just the start of a healthy security strategy.
The most important security measure you can take, according to Howard, is to ensure all of your devices have strong password protection and multifactor authentication. “Oftentimes, the importance of basic hygiene around passwords is overlooked,” he says, adding that poor password hygiene is a leading cause of data breaches.
Howard also says that when you use end-to-end encryption services like Signal, you should be intentional about your data retention policies. Apps like Signal and Discord allow users to set messages to auto-delete after a certain period of time. But your business may want to preserve encrypted text for future records or to stay in compliance with any external vendors you may be working with.
There are other common-sense steps to take too. For example, if you’re looking at your phone in a public place, all the encryption in the world isn’t going to stop someone from potentially reading your messages over your shoulder. And a screenshot from an otherwise private conversation could be shared more widely, too.
One more piece of advice: Be deliberate when adding people to the conversation. When sharing sensitive information with others, Howard says, “just make sure you know the identities of the people you’re choosing to share it with—maybe double check the people who have been invited to the group chat before you hit send.”
BY BEN SHERRY @BENLUCASSHERRY
Wednesday, April 2, 2025
Signal, WhatsApp, and iMessage: Which Messaging App Is Most Secure?
I don’t know very much about what goes into war planning, but I assume that the communications infrastructure that supports that kind of thing is a solved problem for the government. There are secure telephone and video systems, as well as Secure Compartmented Information Facilities (SCIF) that allow the key players to review the most sensitive information about military activities.
Typically, I assume, those sorts of conversations aren’t had using consumer messaging platforms on the Secretary of Defense’s iPhone. Also, I sort of assume that the people involved are smart enough and tech-savvy enough to notice that a journalist has entered the group chat. Apparently not.
There are a lot of questions raised by what is now certainly the most infamous group chat in the world, in which the Vice President, Secretaries of Defense and State, the Director of National Intelligence, CIA Director, and National Security Advisor were messaging about plans to bomb Houthi rebels in Yemen. We know about the chat because someone accidentally added Jeffrey Goldberg, the editor of The Atlantic.
One question that a lot of readers might be asking is just how secure the most popular messaging apps are. Here’s a rundown.
Signal
Signal, the app in question in this case, is end-to-end encrypted (E2EE). That means that messages are sent in an encrypted format and can only be read by the recipient. At the core of its encryption is the Signal Protocol, an open-source protocol that allows for public inspection. That decreases the chances of hidden vulnerabilities. Signal also uses a form of encryption that ensures that even if a session key is compromised, previous messages stay encrypted.
Signal also allows the most privacy since you don’t have to link a phone number to use the service (unlike other apps on this list). It also allows for contact verification so that you can ensure that the person you’re messaging is who they say they are. In general, Signal is widely considered the most secure consumer messaging app because third parties can verify its security claims, and the company does not have access to metadata about your conversations.
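The property described above, that a compromised session key does not expose previous messages, can be shown with a simplified one-way key chain. This is an added example, not code from the article or from Signal: it models only a symmetric HMAC-SHA256 chain, and `ChainRatchet`, `toy_cipher` and the sample messages are hypothetical names and constructed values.

```python
import hashlib
import hmac

def kdf_chain_step(chain_key):
    """One ratchet step: derive (message_key, next_chain_key) from the chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key

def toy_cipher(key, data):
    """Illustration-only stand-in for a real AEAD: XOR with a SHA-256 keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class ChainRatchet:
    """Holds only the current chain key; used keys are discarded after each step."""
    def __init__(self, initial_chain_key):
        self.chain_key = initial_chain_key

    def next_message_key(self):
        message_key, self.chain_key = kdf_chain_step(self.chain_key)
        return message_key

def run_demo():
    # Constructed sample values: a real session gets its initial key from a key agreement.
    initial = hashlib.sha256(b"constructed shared secret").digest()
    sender, receiver = ChainRatchet(initial), ChainRatchet(initial)
    plaintexts = [b"msg one", b"msg two", b"msg three", b"msg four"]
    sent_keys = [sender.next_message_key() for _ in plaintexts]
    ciphertexts = [toy_cipher(k, p) for k, p in zip(sent_keys, plaintexts)]

    # The receiver reads three messages, then its current state is compromised.
    decrypted = [toy_cipher(receiver.next_message_key(), c) for c in ciphertexts[:3]]
    stolen_chain_key = receiver.chain_key

    # Walking the stolen state forward yields later keys only; going backwards
    # would mean inverting HMAC-SHA256.
    derivable, ck = [], stolen_chain_key
    for _ in range(100):
        mk, ck = kdf_chain_step(ck)
        derivable.append(mk)
    return {
        "decrypted": decrypted,
        "later_key_exposed": derivable[0] == sent_keys[3],
        "earlier_keys_recovered": sum(k in derivable for k in sent_keys[:3]),
    }

if __name__ == "__main__":
    print(run_demo())
```

The chain alone protects only earlier messages; Signal's Double Ratchet additionally mixes fresh Diffie-Hellman output into the chain so that later messages recover from a compromise, which this sketch omits.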
iMessage
If you only send messages to other iPhone users, Apple’s iMessage platform is arguably the best and most secure option. Unlike Signal, Apple’s protocol is proprietary and not open for inspection by third-party security researchers. That makes it harder to verify that it is as secure as it claims, but Apple is well known for its commitment to security and privacy.
One advantage is that Apple uses a 1:1 encryption model for group chats, which means that every message is encrypted individually for each member of the group. This is technically more secure than Signal’s Sender Key method, though it means that iMessage group chats are much more limited in terms of group size (due to the resources required for all of that individual encryption).
Apple also says its encryption is designed for post-quantum computing. The idea is that eventually quantum computers will be able to break encryption easily enough to read protected messages, but Apple is designing its algorithm to resist those types of future capabilities.
There are, however, two main drawbacks to Apple’s messaging platform. The first is that once you start messaging anyone with an Android device, it will fall back to RCS, or, worse, SMS—neither of which is encrypted within the Messages app. RCS supports E2EE, but Apple has not implemented the ability to send encrypted messages to Android devices.
The other is that if you use iCloud backup for your messages, and aren’t using Advanced Data Protection, a copy of your messages is stored on Apple’s servers. While they are encrypted at rest, the company is able to turn them over if requested by law enforcement because it retains a key.
WhatsApp
WhatsApp uses the Signal Protocol (see above), meaning it offers a reliably secure form of protection for messages by default. One problem with WhatsApp is that, while the content of your messages may be encrypted, the metadata about the messages you send, and who you send them to, is not. That information is collected and stored by WhatsApp.
Some people are also less than enthusiastic about using an app owned by Meta, which isn’t exactly known for its ability to keep its hands off of user data. It does, however, have the benefit of a massive user base, which means that there’s a good chance that the person you want to message with will be using WhatsApp. The app also has the best feature set for group messaging by far.
Telegram
To be clear, Telegram is not an E2EE messaging platform by default. Every regular message you send is encrypted in transit, and is encrypted as it is stored on Telegram’s servers, but that’s not the same thing as being encrypted so that only the recipient can read your message. This makes your messages vulnerable to anyone who has access to those servers.
The app does allow you to create a “Secret Chat,” which is encrypted, and you can even set these to delete after a period of time. Still, if you care about protecting your text conversations, there are far better options on this list.
Messenger
Meta’s “other” messaging platform started rolling out E2EE last year, which should eventually put it on par with WhatsApp. The drawback here is that the rollout is happening over time, which means that not every user will immediately have it turned on by default. In addition, you might have some chats that are protected, and others that aren’t, and the average user isn’t going to know how to tell the difference.
The bottom line
It’s worth mentioning, however, that it does not matter how private or secure the encryption is on a messaging platform—if you include someone in a group chat and send a message to that group, they’re going to be able to read the message. Or, put another way, the problem here has nothing to do with encryption, and everything to do with human error. Most of these apps offer a secure form of E2EE for consumers, but there is no guarantee your messages will stay secret if you text them to a journalist.
EXPERT OPINION BY JASON ATEN, TECH COLUMNIST @JASONATEN