Popular messaging apps fail EFF's security review

The organization ranked 39 digital communication tools based on security features and best practices

Some of the most widely used messaging apps in the world, including Google Hangouts, Facebook chat, Yahoo Messenger and Snapchat, flunked a best-practices security test by advocacy group the Electronic Frontier Foundation (EFF).

The organization evaluated 39 messaging products based on seven criteria it believes such tools should meet in order to ensure the privacy and security of digital communications.

The reviewed products included mobile texting apps, instant messaging clients, voice and video calling software and email services. The results were published Tuesday in the form of a Secure Messaging Scorecard.

The EFF did not perform vulnerability assessments or in-depth technical analyses of the encryption implementations in the reviewed products. Instead, it judged them based on principles and features it considers necessary to protect communications from widespread Internet surveillance by governments, which includes data collection in transit or from online service providers.

When reviewing the products, the EFF asked the following questions:

-- Does the application encrypt data in transit?

-- Is the communication encrypted with a key the provider doesn't have access to? This requires the use of encryption keys negotiated directly between user clients, also known as end-to-end encryption.

-- Can users independently verify the identity of contacts they are speaking to even if the service provider is compromised?

-- Do previous communications remain secure even if users' long-term private keys are compromised? This property, known as forward secrecy, requires cryptographic implementations that use ephemeral encryption keys for every session.

-- Is the product's code for communication and encryption open to independent review?

-- Is the product's cryptographic design well documented? This requires listing the product's encryption and authentication algorithms; documenting the key generation, storage and exchange mechanisms; describing the process of revoking and changing keys; stating the protections the software aims to provide and the scenarios where it might not be secure.

-- Has the product's design and implementation been subjected to an independent security audit in the previous twelve months? An audit by a security team that is independent of the product's development team within the same organization is sufficient.

Six applications, most of them open source, met all of the EFF's requirements: CryptoCat, a Web-based instant messaging application; ChatSecure, an encrypted chat client for iPhone and Android; TextSecure, a text messaging app for Android; RedPhone, an encrypted calling app for Android, and Signal, its version for iOS; and Silent Text and Silent Phone, the encrypted texting and calling apps by secure communications provider Silent Circle.

Other apps came close, failing on just one criterion -- the annual code audit or the forward secrecy requirements. These products were Mailvelope, RetroShare, Subrosa, Jitsi, Adium and Pidgin.

Of the mass-market products, Apple's iMessage and FaceTime scored the highest, failing on only two requirements -- the availability of code for independent review and the out-of-band contact identity verification. This means they don't currently provide complete protection against sophisticated, targeted forms of surveillance, the EFF said.

Other widely used communication tools scored much worse, meeting only one or two of the seven requirements. This was the case for Google Hangouts, Facebook chat, Yahoo Messenger, Snapchat, WhatsApp, Viber, AIM, BlackBerry Messenger and several others. None of these products offer end-to-end encryption, making communications through them susceptible to surveillance on the provider's side.

South African mobile social network Mxit and widely used Chinese instant messaging service QQ don't provide encryption at all, making them the least secure products of the 39 that were tested.


Lucian Constantin

IDG News Service