Messaging and end-to-end encryption

Unfortunately, the standards for mobile networks still allow for really weak encryption algorithms and cannot be considered to be really secure. Communication via SMS, for example, means that attackers can quite easily break the encryption and might be able to read your messages. In mobile networks, the traffic is generally only encrypted from your phone to the base station where the encryption is decrypted and the message is then transmitted in plaintext.

Two phones sending messages through an end-to-end secure tunnel
Two phones sending messages through an end-to-end secure tunnel

More and more applications nowadays support end-to-end encryption, which means that once the traffic is encrypted on your computer (or a phone) the information travels encrypted until the receiver receives and decrypts the message. If the encryption is implemented securely, outsiders cannot decrypt the message without the key that is only present in the receiver’s computer. For an attacker to decrypt the message they would need to either break into your or the receiver’s computer to be able to monitor the communication. Consider the cryptography examples in the previous chapter, if the encryption cipher is secure and the key is kept secret, only the intended recipients can decrypt the messages.

Example of communication apps using end-to-end encryption include:

  • Signal

  • Telegram

  • WhatsApp

  • Facebook Messenger

Of these applications, Signal uses open-source implementations which means they’re available for anyone to verify (the opposite of security by obscurity). The algorithms used by the Signal application are generally considered to be secure and they have been studied a lot. The benefit of an open-source and verified implementation is that once proven to be secure, the implementation can be used by others as well. The Signal protocol, for instance, is used by the WhatsApp application as well.


Due to the way WhatsApp groups are used, members added to an existing group are not secured end-to-end and are possible for an attacker who has access to WhatsApp servers to force.

Telegram instead did what many consider is breaking the first rule of cryptography (do not roll your own crypto) and created their own protocol. There has been a lot of critique for the protocol and some researchers consider it broken. Some vulnerabilities have been found in the protocol already. The known vulnerabilities have received fixes but regardless, some still think you should avoid relying on the secrecy of Telegram's cryptographic implementation. As it stands, at the moment there is no known vulnerability in Telegram’s cryptographic implementation.

Facebook Messenger has a mode called secret conversations which is end-to-end encrypted. However, it is opt-in and not the default. Group chats are not end-to-end encrypted and can’t be trusted to be secure.

If secrecy is what you’re looking for in a messaging application, right now Signal or with some caveats WhatsApp seem to be the most secure alternatives. SMS messages should not be used for any confidential communication.


Why do I need secure messaging?

You may be asking why even bother protecting your communications as you’re doing nothing illegal. Consider the contents of your communications for a while though. While most of the information might not be confidential there might be bits and pieces of information that, when combined, might give an attacker enough information to commit identity theft or even break into your accounts.

Examples of the data you might be exposing include:

  • banking information

  • credit card numbers

  • email and password combinations

  • social security numbers

  • addresses

  • phone numbers

  • answers to security questions you’ve protected your accounts with

  • cookies with which an attacker might be able to steal your session and access your account

While the above list contains items that you can leave behind by yourself, you might also want to consider the amount of information that is gathered by your devices. This might include details such as GPS coordinates, your usage of applications, times you’re active and health data such as heart rate. With these pieces of information, the attacker can form a pretty complete picture of your daily life from your home location to places you visit often, people you meet, where you might work, if you have any health issues and so on.

Some countries are assumed to monitor their own citizens’ communications to control the flow of information and to monitor dissidents. In some of these countries, end-to-end encryption can even be prohibited or governments can mandate backdoors or weaknesses to be included in the technology to make it possible for them to break the encryption and confidentiality of messaging. To determine if this is a risk factor for you, you should research the laws of the country you are in or will potentially be submitting/receiving data from.


Security dos and don’ts:


  • Verify you’re using encrypted connections, for example make sure you see the padlock icon in a browser.

  • Consider where you use your credit card: can the site be trusted?

  • Be mindful of what data your apps are exposing.


  • Don’t use security questions, they are really easy to find out.

  • Don’t let apps unknowingly track you, and prefer to set sharing of data to off if the app allows it.

  • Disclose any confidential personal information or data in SMS messages as they are not secure

Next section
III. The types of online attacks