The Electronic Frontier Foundation on Tuesday released its Secure Messaging Scorecard, which rates messaging app security based on seven capabilities. Only six of more than three dozen tools the organization audited met all seven security requirements.
They are ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text and TextSecure.
Apple’s iMessage and FaceTime were the best of the mass-market options, although the EFF found that neither provided complete protection against sophisticated, targeted forms of surveillance. The NSA comes to mind.
Many tools — such as Gmail, Facebook and Apple email products, as well as Secret and WhatsApp — did not have the end-to-end encryption needed to protect against disclosure by the service provider, the scorecard indicated.
It appears that developers are trading security for ease of use.
“Some security mechanisms, but not all, come at the expense of user convenience,” said Al Hilwa, a research program director at IDC.
While security is becoming an increasingly important priority for developers, “some of the biggest issues, such as password management, remain intractable from a user perspective,” he told the E-Commerce Times.
The Good, the Bad and the Ugly Apps
Among the tools the EFF evaluated were chat clients, text messaging apps, email applications, and technologies for voice and video calls.
They were measured in seven categories: whether the communications were encrypted in transit; whether the encryption used a key the provider didn’t have access to; whether users could independently verify the other party’s identity; whether past communications would be secure if the user’s key were stolen; whether the code was open to independent review; whether the crypto design was well documented; and whether there had been an independent security audit of the product.
Although it makes much of its security and has battled several governments that wanted access to its servers, BlackBerry didn’t come out very well. BlackBerry Messenger scored in only one category — encryption in transit. BlackBerry Protected scored in three — encryption in transit, inaccessibility to the service provider, and properly documented crypto design.
Skype scored in only two categories — encryption in transit and inaccessibility to the service provider.
Facebook Chat and Google Hangouts/Chat, Snapchat and WhatsApp also scored in only two categories — encryption in transit and having had their code audited.
Hushmail, Kik Messenger, Secret, AIM, Viber and Yahoo Messenger all scored in only one category — encryption in transit.
Deconstructing EFF’s Methodology
The strength of the EFF’s methodology lies in its take on encryption, Adam Kujawa, head of malware intelligence at Malwarebytes, told the E-Commerce Times. Its weakness is that it doesn’t take into consideration features like automatic logging.
“A lot of messaging apps might automatically save a log of your conversations to your system, which would be very bad if you were using a public computer or even if there was a conversation you didn’t want anyone else to read,” Kujawa explained. Such local logging could negate the benefit of an app’s adherence to the EFF’s checklist.
Snapchat users can attest to this problem — their messages did not vanish after a preselected time as promised by the company.
The EFF’s scorecard doesn’t address the fact that many messaging apps with good security have a steep learning curve, usability issues, or “simply do not have a large user base,” Jean Taggart, senior security researcher at Malwarebytes, told the E-Commerce Times.
The value the EFF places on open availability of the source code “is a philosophical sticking point for businesses that view their software as a competitive advantage,” remarked Steve Hultquist, chief evangelist at RedSeal.
“One area I would like to see more attention paid to is encryption in-memory on the device or even on the server,” IDC’s Hilwa said.
Are Security and Ease-of-Use Mutually Exclusive?
Like Taggart, many security experts contend that making a product secure will result in a steep learning curve, and render it difficult to use.
However, “I believe the idea that an app has to be either secure or easy to use is a false dichotomy,” Hultquist told the E-Commerce Times, pointing to iMessage’s good score in the EFF’s tests as an example.
The root of the security vs. ease-of-use issue, said Kujawa, is whether developers pay more attention to the UI design or the security back end.