Two Tips to Keep Your Phone’s Encrypted Messages Encrypted
End -to-end encryption by default is quickly becoming the new standard for any communications app that claims to care about the privacy of those who use it. But not all encryption is created equal. And default doesn’t always mean default.
In just the month of April, both WhatsApp and Viber switched on that layer of protection from surveillance, which is designed to make it technically impossible for anyone to read the services’ messages other than the people in conversation: not eavesdropping hackers, not law enforcement, and not even the companies themselves. For the two companies’ massive userbases—more than 700 million phones run Viber, and more than a billion run WhatsApp—that switch seems to represent the start of a new era where strong encryption is no longer a privilege for geeks and paranoids, but an effortless mainstream tool.
But that effortlessness hasn’t arrived quite yet. In fact, despite the two companies touting their encryption as ready out-of-the-box, you actually need to flip a few subtle switches of your own to activate that level of security. From tweaking the apps’ settings to checking your backup configurations, there are a few quick steps you can take to make those apps’ end-to-end encryption significantly more secure. “Security is not magic, and using WhatsApp will not magically protect anyone from surveillance,” says Filippo Valsorda, a cryptographic engineer for Cloudflare who’s analyzed both WhatsApp and Viber’s crypto setups. “There are still things you need to be aware of to make sure you don’t undermine these apps’ end-to-end security…A lot of information is missing that the public needs to know.”
Tip 1: Enable Fingerprint Verification
In WhatsApp’s case, Valsorda points out there’s a nagging problem of authentication: For encryption to guarantee that only an intended recipient can decrypt a message, that recipient needs to prove they’re who they say they are. WhatsApp and other end-to-end encrypted messaging tools let communicators check each others’ “key fingerprints”—an abbreviated version of a unique key that WhatsApp stores on the phone to prove a person’s identity.
But in its default state, WhatsApp doesn’t alert a sender when the key fingerprint of a recipient has changed. A new fingerprint could merely mean that the recipient has started using a new phone or deleted and reinstalled the app. Or it could mean something more troubling: that a “man-in-the-middle”—such as a law enforcement agency with a wiretap order forcing WhatsApp’s cooperation—has inserted himself, and is intercepting and decrypting every message before passing it on to the intended recipient.
Luckily, WhatsApp offers a “security notifications” feature—not on by default—that automatically remembers all of your contacts’ fingerprints for you and alerts you if a fingerprint changes. To turn it on, flip the switch on the Security page under Accounts in the app’s settings.”Without that setting on, the fingerprint can change at any time, and the phone will say sure, I’ll use this new key,” says Valsorda.
“But if that setting is on, an attacker can’t decide at some point that you’re an interesting person and start intercepting from then on, because a warning will appear.”
Viber handles that key fingerprint verification with a different process that requires its own sort of manual verification. As the company explains in its security FAQ, a contact is only considered “verified” after you’ve called them through Viber’s voice-calling feature, both verified that you’re talking to the person you think you’re talking to, and then tapped a lock icon during the call. From then on, that person’s messages will appear in green. If that color changes to red, it’s an automatic warning that their key fingerprint has changed. But until the person is verified, their fingerprint is considered unverified and can change without any such alert.
Tip 2: Disable Cloud Backups
Beyond key fingerprints, anyone who backs up their data may face an even more glaring issue: those backups often aren’t encrypted—or at least not using an encryption system for which only you control the key. Both Whatsapp and Viber messages, for all their fancy end-to-end encryption, have that protection stripped away when they’re backed up to Apple’s iCloud servers or Google Drive. And that leaves your messages open to all the usual risks of exposure to hackers, to Apple or Google themselves, or to any government that can force those companies to turn over the data. “If you have an app that backs up to iCloud, that’s for the purpose of restoring that content to another device…End-to-end [encryption] suggests no other device can read those messages,” says iOS forensics consultant Jonathan Zdziarski. “To me, those two terms are mutually exclusive.”
On the iPhone, those backups can be easily turned off for specific apps under the Backup Options menu in settings. For iPhone owners using WhatsApp, which actually backs itself up two ways, you need to take an extra step: disable backups within the app itself under “Chat Backup” in the Chats menu in settings. Android owners can avoid the problem by not setting up Google Drive backups from WhatsApp in the first place. And the same advice holds for third-party cloud backups like Dropbox. If you want to keep your messages fully end-to-end encrypted, never sync WhatsApp or Viber with a cloud backup program.
The downside, of course, is that turning off backups means that messages can’t be recovered if your phone is destroyed or lost. With true end-to-end encryption, that’s almost considered a feature. Cryptographer Matthew Green has written about what he calls the Mud Puddle Test: If you drop your phone in a mud puddle, then slip in that puddle and crack your head, forgetting all your passwords, can you still recover your data? If you can—say, by using Apple’s password recovery feature to access an iCloud backup—the data wasn’t truly encrypted in the first place. The encrypted messaging app Signal, recommended by Edward Snowden and widely considered the most secure option for encrypted messaging, passes that test. If a phone running Signal is dropped in a mud puddle and destroyed, the messages are simply gone.
Not everyone is willing to risk losing their messages in exchange for the security of true end-to-end encryption. But that’s the tradeoff that fully secured end-to-end encryption requires. And those seeking privacy should know as much, rather than be lulled into a false sense of security by companies’ promises of of protection that don’t include caveats and edge-cases. “Chances are you’re making a compromise by backing up to the cloud,” says Zdziarski. “That has its place, and it’s useful. But the user needs to be aware that by doing that they’re probably exposing their data.”