The Myth of End-to-End Encryption in Messaging Apps

Messaging apps have led us to believe that user data is safe with end-to-end encryption. But does it really protect user data or is it just a false sense of security created by big brands? Let's find out.

Dev Lorenzo • May 12, 2021

End-to-End Encryption (E2EE), is safe! So say WhatsApp, Telegram, iMessage, and too many others. Every time a user sees this message, they think they’re protected:

https://uploads-ssl.webflow.com/5f3c19f18169b62a0d0bf387/609b8e669bb59b215d91e771_ki9Qa_WBNDyY9XOONZA8l4BKt02Gq6VkkNlErcPTtd7Lh5LsLJ_2oIPw1AM8e-ojnS0PHc907neeIQrluGOJyok4dtgN0wG_gp-bxUBspfX8CTi12OUcWGdVM7s2JK8isOZI18RV.png

You too, as a developer, have learned to trust this kind of brand. But does end-to-end encryption really protect user data or is it just a false sense of security created by brands that we trust? Let's find out.

What is End-to-End Encryption?

End-to-End Encryption is a difficult word for a fairly easy concept in the end. It basically means that all the messages are encrypted from the sender to the receiver, End-to-End. They are the only ones who can read the messages, so in theory, no third party can decrypt them.

To make you understand better, the entire message is scrambled in such a way that no one will be able to under stand it, except for the person who has the ‘key’ to unscramble it. And the only device with the ‘key’ to unscramble the message is the recipient’s device. This is a technique that was used in the Second World War, but just as Alan Turing was able to decipher the messages of the Axis Powers, WhatsApp can do that. It's even easier! They do not need to decipher your messages, they just have to grab the content out of the cloud. And some third party software can access your messages freely.

Theoretically:

https://uploads-ssl.webflow.com/5f3c19f18169b62a0d0bf387/609b8e67567a793c4aba1ca0_lFLn0rWrczsCPZ4Z8Ud1pn12-8HdjSaMrpzwCwA9C__b3I71ZT3HhCNsoje4agZ08ZDZFK1v383I4kXO9irDUfE7kls2ZQOGjkXVXK5ns9TNkzLo1eqBI6Lw1n867vLWu2yoM1_N.png

What Is Wrong With Messaging Apps Like WhatsApp?

Their FAQs are clear, as also the fact that they comply with the Protection of Personal Information Act (POPI). For WhatsApp, once your messages are delivered, they are deleted from their servers. But, they just announced they would require data sharing with Facebook. Here comes the first question: if they can not read your messages, photos, videos and audios, what data do they want to send to Facebook? Contact names? Yet, last time I sent a photo of the Maldives to one of my friends, an advertisement on the flights to the Maldives bounced back to me online, one wonders how.

Data Storage

They also say that only the sender and the recipient can access them. Here the first proved deal: what if someone accesses one of the two smartphones? This does not mean that they steal the user’s phone, but just take possession of his cloud space, or as the police do, clone the phone. You know, WhatsApp asks monthly, weekly or even daily to save your messages in the cloud. You can never be sure.

The Problem with Media Previews

Another big problem of E2EE, with WhatsApp and many other messaging apps, is the intervention of third parties. When your user shares an online news article, for example, your messaging app will fetch the content from a remote server, without asking the user permission or masking his/her identity. So this third party has full power over your users' chat data.

Third-Party Interference

The biggest risk exists when a chat app deals with mass distribution (a lot of users) or with users at risk, meaning activists, journalists, or politicians. This third party could be in close contact with an authoritarian government for example. But more simply, they can sell your data to large companies to send targeted advertisements to your users.

Poor App Design

Also, less famous apps or in-development apps that use chat can face lots of issues that lead to bad user data protection. The most important is a bad design of the chat or inappropriate management of the back-end. That can lead to storing messages decrypted, leaving unencrypted backups, or leaving the core data to unprotected devices. Which is why, we at CometChat take every precaution when it comes to user data protection. Our APIs and services are compliant with all data protection regulations such as GDPR, and HIPAA.

Hackers

The last problem, less important, is when facing hackers. Fortunately, E2EE is quite safe in this area, even if there is always the problem of man-in-the-middle attacks. Someone can steal the recipient key, passing himself off as one of the two, for example. He can then decrypt all the messages, and even worse, send messages on their behalf. This can be solved with strong authentication, such that only verified users in trusted ways can send or receive the key. For E2EE, you also need a good backup plan: here encryption key management is crucial when facing security issues.

How To Ensure Safety?

As we saw above, it’s very important to keep your chats secure. So, here are few tips on how to keep user conversation data safe on messaging apps. First as a user, then as a developer who’s building their own in-app chat.

As a User - Choose wisely

We, the users, can change things by acting wisely. We don’t have to always use the same apps. Firstly, not all the apps have end-to-end encryption by default. If it’s possible to choose it as an option, do it. If not possible, change apps or accept the risk. If you really care about it, you should also read the TOS, FAQs, and privacy policies. Also, if you share your messages in social networks or groups, you can’t prevent them from being shared or saved by the receiver. You should always keep this in mind. Moreover, some messaging apps have a reputation for being more secure than others. Signal, for example, recently became popular for its data protection practices.

As a Dev - (Learn), Update, Test, Update again

Even before the user, there is you, the developer, who can change things. Especially in small businesses and startups, it's easier to change and move towards improvement. Here are some features or ideas that can help you build your app, and be on the safe side!

Free Your User, Not Their Messages

Not only in E2EE but in general, the more customizations you leave to the user, the more they will feel free to spend time on your app. So the first piece of advice we give you is to leave the user the possibility to customize their chat.

CometChat’s APIs & SDKs give you and your users lots of customization opportunities.

You can also take examples for the Telegram “secret chat” feature, the Facebook Messenger “secret conversations”, or how Signal works in general. Some features you can provide are self-destructive messaging, saved locally, not in the cloud.

If your messages are saved without special encryption in the cloud, your information is completely vulnerable.

Keep Yourself Informed

Don’t rush with the most popular products and services, always inform yourself before making a decision. All the components of your app are important - from the service managing your entire app to the third parties that interact with it. Providers with an independent but safe and trusted third party audit are more reliable and trustworthy. Do research before choosing your data storage technology, for example.

pCloud is a good option, with its many security features, such as TLS/SSL channel protection, 256-bit AES encryption for all files, and the possibility to have 5 copies of files on different servers.

You should also look for things like Client-side encryption, Zero-knowledge privacy (no third party has access to your file) and Multi-layer protection.

Also, hiring someone or learning about security, database and key management is a must when you care about the safety of your users. For example, you need a good backup plan to manage the recovery operation of your keys, in case of major disaster in your database.

Pay Attention to Documentation

This is a point that people underestimate too much, especially developers. Not just for the legal value, but even more for the reputation you want to build. An important value for all brands is safety and trust, and you can’t build those without good public documentation that’s carefully written.

You should also pay great attention to your FAQs, which are more readable for the user. They represent the image you want to give of yourself to the world. If you need, you can take an example from CometChat's FAQs, Privacy Policy, and Terms Of Service.

Wrapping Up

Remember that End-to-End Encryption is not as safe as it seems. Even if it’s considered to be one of the best encryption systems, it actually has plenty of challenges, as discussed above. As an alternative, we’d recommend using other encryption methods such Client-Side Encryption, the safer Homomorphic Encryption. Another option is to focus on leaving customization possibilities to the user, keeping yourself and your users informed, and paying attention to documentation. Stay transparent with your users. It’s  the best way to build trust.

All this can be very complicated, our recommendation would be to use a readymade Chat service such as CometChat, so you don’t have to worry about these. But it’s still important to stay informed.

Our APIs provide you the best chat service to build full-fledged text, voice and video chat with minimum effort. Sign Up to start building for free.

About the Author

Hello World, My name is Dev-Lorenzo Satta Chiris 👋🏻 I'm a young man working to be a full stack developer. My goal is to create a programming community for exchanging ideas and foster innovation. Blogger at dev.to, I send a weekly newsletter about programming and productivity tips!

Dev Lorenzo

CometChat

Hello World 👋🏻I'm a young man working to be a full stack developer. My goal is to create a programming community for exchanging ideas and foster innovation. Blogger at dev.to, I send a weekly newsletter about programming and productivity tips!

Try out CometChat in action

Experience CometChat's messaging with this interactive demo built with CometChat's UI kits and SDKs.