Nicolas Neu

dies & ditt.

The Sad State of (Secure) Mobile Messaging

People don’t trust Facebook. After the recent announcement that Facebook bought WhatsApp, I have heard a lot of people around me voicing their discontent with the situation and wanting to move to a different messaging platform. This came as a small surprise to me, since there was no shift whatsoever towards more secure platforms after the Snowden leaks, but I take what I can get. If this acquisition motivates people to move away from an application with a track record of severe security problems, I will gladly take the opportunity. The fact that Threema, an alternative messaging app which promises end-to-end encryption, doubled its user base overnight shows that it is not only the people around me who are feeling uneasy. Granted, 400,000 Threema users compared to 430,000,000 WhatsApp users doesn’t sound like much, but it’s a start. So why don’t I switch?

I make extensive use of WhatsApp and its group chat function to stay in touch with my friends in Germany. As the resident nerd, I was told to figure out what to do. Where to now? So I started considering different applications that would be worth switching to. Spoiler alert: they all suck. You don’t get people to switch away from their favourite apps very often, so better take this chance and get it right. For me, this primarily means secure end-to-end encryption in the app. It also needs to be easy to use. My friends work in business and banking; one of them is a nurse. They have never experienced the joy of recompiling a kernel just to get a graphics card driver to work. Manual handling of keys or overly complicated account management would be a tough sell. So what’s out there at the moment?


Let’s start with Threema, as it seems to be one of the two most popular contenders in the field right now. It has been on the market for quite some time, so the app is quite polished. It uses encryption, the servers are located in Switzerland and not in the States (although I doubt that this makes much of a difference at this point), it supports group chat and has a couple of other nice features. It costs about two bucks, which might slightly hinder adoption among my peers, but I am not too concerned about that. More serious is the fact that it requires Android 4.0 or higher. WhatsApp, however horrible it may be, still has the big advantage of running on every crappy Android phone out there. The real problem, however, is that it is not open source. Encryption that no third party can scrutinise cannot be called safe, and I am not willing to blindly trust some guys who promise that their crypto is secure. Even without evil intent, the danger of a weakness introduced by a programming error is still there.

I’d rather have no security than a false sense of it.


Currently at the top of the App Store charts, Telegram also promises secure messaging. Now, I don’t know how I should feel about abandoning WhatsApp because it was bought by Facebook, only to use something developed by the VK founders. If the crypto works, that is fine, I guess. Sadly it doesn’t. I am no expert, so I will just link to this nice blog post by cryptofails, which explains the issues in detail.


Surespot, although a bit ugly, looks quite promising, and I might consider using it some time from now. Right now some essential features like group chat are missing, which immediately disqualifies it. The Surespot developer has promised group chat within two months. If they can also get rid of the message log limit of 1000 and implement voice memos, this might actually become usable.

I will just link to this analysis by CCC Hamburg, which completely dismantles the crypto. The developers have since patched their software to address the issues mentioned, but as some of the flaws revealed a lack of basic cryptographic knowledge, I am not convinced that the software works as intended now. If no further reports pop up, they might win some trust back, but it will certainly take a lot of time (and probably some independent verification of the code) before you should even consider using this.


A mobile Jabber (XMPP) client using OTR for encryption. The app certainly isn’t the prettiest, but I could use my desktop machine to continue chatting when I have my laptop with me. The setup process, which involves creating a Jabber account somewhere, is certainly more complicated than for the rest of the apps, but nothing that even less computer-savvy people couldn’t manage with some help. The problem is that Jabber on mobile devices sucks. The protocol was never intended to work over flaky mobile connections. There are extensions for mobile use, but the iPhone architecture doesn’t let apps keep running in the background, which means the app disconnects every ten minutes. Besides, OTR needs both parties to be online for the key exchange: the handshake is interactive, so a session cannot even be started with a contact who is not currently connected. Messaging offline contacts in a secure way is not possible.
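To make the "both parties online" limitation concrete, here is an added illustration (not code from this post, and not the real OTR or TextSecure implementation) that contrasts an interactive Diffie-Hellman handshake of the OTR kind with the prekey idea that TextSecure-style designs use to message offline contacts: the recipient publishes a one-time DH public key in advance, and the sender derives a session key from that bundle without the recipient being present. Both flows are simplified sketches of the respective idea, built only on the Python standard library (finite-field DH over the RFC 3526 group 14 parameters, SHA-256 and HMAC); the toy keystream cipher, the `Party` class, the `SERVER` dict standing in for the messaging server and the message text are all constructed for the example and are not meant for real use.

```python
# Added illustration: OTR-style interactive key agreement vs. prekey-style
# asynchronous agreement. Simplified sketches, stdlib only, not for real use.
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526 group 14), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def dh_keypair():
    """Fresh DH pair; a 256-bit exponent is plenty for this group."""
    priv = secrets.randbelow(2 ** 256 - 2) + 2
    return priv, pow(G, priv, P)

def dh(priv, peer_pub):
    return pow(peer_pub, priv, P)

def kdf(*shared):
    """Hash one or more DH outputs into a 32-byte session key."""
    h = hashlib.sha256()
    for s in shared:
        h.update(s.to_bytes(256, "big"))
    return h.digest()

def subkeys(key):
    """Separate encryption and MAC keys derived from the session key."""
    return [hashlib.sha256(key + label).digest() for label in (b"enc", b"mac")]

def xor_stream(enc_key, data):
    """Toy counter-mode keystream from SHA-256 (demo only, not a real cipher)."""
    out = b""
    for i in range(0, len(data), 32):
        block = hashlib.sha256(enc_key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return out

class Party:
    def __init__(self, name):
        self.name = name
        self.online = True
        self.ik_priv, self.ik_pub = dh_keypair()   # long-term identity key
        self.opk_priv = None                        # one-time prekey, kept locally

# Interactive handshake (OTR-style): two messages, both parties online.
def otr_style_session(alice, bob):
    """Return the agreed session key, or None if Bob cannot answer now."""
    a_priv, a_pub = dh_keypair()                    # Alice -> Bob: g^a
    if not bob.online:
        return None                                 # Bob's g^b never arrives
    b_priv, b_pub = dh_keypair()                    # Bob -> Alice: g^b
    key_alice, key_bob = kdf(dh(a_priv, b_pub)), kdf(dh(b_priv, a_pub))
    return key_alice if hmac.compare_digest(key_alice, key_bob) else None

# Asynchronous agreement (prekey-style): Bob publishes a bundle ahead of time.
SERVER = {}   # recipient name -> prekey bundle (stand-in for the server)

def publish_prekey_bundle(user):
    """Done while the user is online; the server hands the bundle out once."""
    user.opk_priv, opk_pub = dh_keypair()
    SERVER[user.name] = {"ik": user.ik_pub, "opk": opk_pub}

def prekey_style_send(alice, recipient, plaintext):
    """Alice derives the key from the bundle alone; the recipient may be offline."""
    bundle = SERVER.pop(recipient, None)            # one-time: handed out once
    if bundle is None:
        return None
    e_priv, e_pub = dh_keypair()
    # Three DH values mixed (the X3DH idea, simplified): the identity keys bind
    # both parties, the ephemeral and one-time keys give freshness.
    enc_key, mac_key = subkeys(kdf(dh(alice.ik_priv, bundle["opk"]),
                                   dh(e_priv, bundle["ik"]),
                                   dh(e_priv, bundle["opk"])))
    ct = xor_stream(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return {"from_ik": alice.ik_pub, "eph": e_pub, "ct": ct, "tag": tag}

def prekey_style_receive(bob, env):
    """Bob, once back online, recomputes the key, checks the tag, decrypts."""
    enc_key, mac_key = subkeys(kdf(dh(bob.opk_priv, env["from_ik"]),
                                   dh(bob.ik_priv, env["eph"]),
                                   dh(bob.opk_priv, env["eph"])))
    expected = hmac.new(mac_key, env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        return None
    return xor_stream(enc_key, env["ct"])

def demo():
    """Bob goes offline: the OTR-style flow stalls, the prekey flow delivers."""
    alice, bob = Party("alice"), Party("bob")
    publish_prekey_bundle(bob)
    bob.online = False
    interactive = otr_style_session(alice, bob)
    env = prekey_style_send(alice, "bob", b"hi from a queue")
    bob.online = True
    return interactive, prekey_style_receive(bob, env)   # (None, b"hi from a queue")
```

Two caveats that the prekey approach does not make go away, and that matter for the trust question running through this post: the server is the one handing out bundles, so a dishonest server could substitute keys, which is why real designs sign the prekey with the identity key (left out here because the standard library has no signature primitive) and why the sender still needs to verify `from_ik` out of band, just as OTR users compare fingerprints; and every one-time prekey is consumed on use, so the client has to keep uploading fresh ones while it is online.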


No public source code. NEXT!


Right now, nothing out there is really satisfying. I have some hope for TextSecure, whose developers are still working on an iPhone app (and, I think, on switching to data channels for transport), and which is itself still in development. Until then I don’t think I’ll be going anywhere. At least WhatsApp has that awesome voice memo feature….