WhatsApp alternatives

Update: Threema support responded: traffic-data is deleted when the message is delivered, or after two weeks, whichever is earlier.

The popular WhatsApp messaging service has been bought by Facebook last week. It is reassuring to see that many people are worried about this. It means Facebook can collect and combine even more data about you than they already do. They now have the posts that you share with all your friends, but now they also have the messages that you share with your best friend, or with the small selected groups of friends. The worrying means that people are now looking for alternatives, and below is my personal take on some of the alternatives that I’ve seen.

Telegram

By far the most heard alternative at the moment is Telegram, probably because it’s free. Telegram has been developed by two Russian guys, working for a German company based in Berlin. This means that they are bound by European privacy laws, which is encouraging. So some of the scares that using Telegram is trading the privacy threats of the NSA for those of mother Russia do not seem to be based on facts.

The strange thing about Telegram is that they have chosen to develop their own protocol and cryptography. This was already explained well by Telegram, AKA “Stand back, we have Math PhDs!” in December. The blog post has an update describing a flaw in the end-to-end encryption.

The privacy policy of Telegram starts with an odd “We never share your data with anyone. No.” Telegram has both ordinary and secure messaging, where the ordinary messages are stored in the cloud, and the secret chats only pass through. The public chats are stored encrypted, with the encryption keys distributed across datacenters in other jurisdictions. When you authorise Telegram to sync your contacts, it will store a copy of all of them in their cloud.

Threema

Another very popular choice is Threema, which costs €1,79. Threema is developed by a Swiss based company. Some of the European data protection applies, but importantly the data retention law is not in effect there. This means that metadata does not have to be recorded and handed over to law-enforcement.

The cryptography in Threema is based on the very sound NaCl cryptography library, developed by the well-respected Daniel J. Bernstein, Tanja Lange and Peter Schwabe. This library not only values strong cryptography, but also usability, making it hard for developers to shoot themselves in the foot.

Some of my students have also looked at the Threema application on Android, and have not been able to find obvious flaws in it, see also SSN Projects results. The students do recommend using a master-key in the application to secure your private key.

The privacy policy of Threema is very readable; they aim to keep only the absolutely necessary information, and then only for a time as short as possible. They do not share any information with other companies, the only exception being crash reports, and then only if you give permission. If you give Threema permission to sync your contacts the app will only send one-way hashes to find possible matching IDs, after which they are deleted. The only personal information stored by Threema is your email address and phone number, and only if you give them permission.

MyEnigma

Another alternative making the rounds is MyEnigma, which seems popular because it’s free and because Threema is not available on all Android platforms. It is also by a Swiss based company and the only alternative which extends to the BlackBerry platform, and also allows secure SMS on Android and BlackBerry.

The security in MyEnigma is based on the common TLS encryption between client and server. An added layer is that users are verified in a two-step process using both SMS and email. This makes impersonation harder, but not impossible. There is no verification process possible for the end-to-end encryption between users.

The privacy policy of MyEnigma states that they record metadata (IP address, time, time of messages sent and receive) and also allow them to share this metadata (emphasis mine):

c) To collect anonymous statistics of the service usage in order to improve and extend the service offering and for internal Company research activities. We may share these statistics with third parties and/or publish them for the purpose of understanding the service usage, for planning marketing strategies, promotions and/or campaigns, for educational purposes, for advertisement plans and/or for functional analysis of the service.

MyEnigma requires access to your address book to find your contacts. However, they do hash these before sending them to the server. This means that the server does not have access to information about contacts that do not use MyEnigma.

surespot

A completely free and open alternative is surespot, which has shared their complete code on GitHub. Their encryption is based on SSL using the Crypto++ library. The encryption is standard public key encryption, using the server as a public key storage. The security depends on the hard-coded key of the server with which other keys are signed.

surespot does not synchronise your contacts in any way, they only allow you to send others invitations. They do however store on the server with whom you are talking, your IP address and some other statistics. surespot is based in the US and thus the above information is also vulnerable to the PATRIOT act.

The privacy policy of surespot has the following statement:

Anonymous aggregate statistics will be kept and used by us for various purposes including analysis and reporting of usage patterns. Surespot reserves the right to use and disclose anonymous aggregate statistics for any purpose and to any third party in its sole discretion and without notice.

I am not certain whether it is possible to completely anonymise usage patterns for messaging applications (see T3, re-identifiabilty, etc).

Conclusion

Wrapping up we see some dubious behaviour by the serious contender Telegram. It appears that their homegrown crypto to has already been shown vulnerable, and they also store a lot of your contacts in their cloud accessible to them. MyEnigma does not seem any better than WhatsApp in terms of the protection of your metadata, they happily claim the right to resell that to advertising companies and others. While surespot does offer some more protection, they do store some metadata, and are based in the US. The only actual secure alternative appears to be Threema at this point. Their crypto is sound, and the privacy policy is sensible, storing only the bare minimum and for as short as possible.

6 comments on “WhatsApp alternatives

  1. “[Threema’s] crypto is sound”. How can you know? And even if it’s good crypto, how about the rest of the app? Good crypto equals bad crypto if the keys are exposed. It’s a closed source app, so the actual implementation of the crypto is secret. They may or may not have made grave mistakes, and they may or may not have added backdoors. I don’t know, and neither do you.

    Apple has recently shown that a very simple flaw in source code can render strong crypto completely useless, with the “gotofail” bug. Open source doesn’t guarantee good code, but it does at least make it possible to find those bugs and report them.

    • For any of the above solutions there must be some trust in place. For Threema this is indeed in their (closed) implementation. They are using the NaCl library, which makes it harder to perform a bad implementation of the crypto. As I mentioned earlier my students have tested the security, and have not found any mistakes so far.

      However, for other solutions you are going to have to put trust in the system somewhere. With surespot you are trusting the server and the key management of the server. With Telegram you’re trusting the crypto math skills of the coders (which apparently are not so great). With MyEnigma you are also placing trust in the server.

      Your point about open source code defeats itself already: The “goto fail;” bug was in an open source part of the OS, and nobody found it.

      Also, no amount of open source in surespot is going to make up for the fact that they are selling (supposedly anonymised) metadata, at least for me.

      • As I mentioned earlier my students have tested the security, and have not found any mistakes so far.

        That your students haven’t found any flaws, does not mean there aren’t any. Especially backdoors are hard (if not impossible) to find, but easily hidden, if the source is closed.

        However, for other solutions you are going to have to put trust in the system somewhere.

        It is most definitely okay to trust someone, and to indicate that currently users will have to do this, and it would have been fine if you said in your article that you trust the company that wrote Threema. Unfortunately, instead you chose to certify their crypto even though you haven’t actually seen it.

        For now, I use WhatsApp and Telegram, mostly because of the broad user bases. I’m aware that both are insecure. Telegram could become safe in the future, but only if the maintainers acknowledge the important flaws pointed out by crypto analysts. Currently they’re still on the defense.

        Your point about open source code defeats itself already: The “goto fail;” bug was in an open source part of the OS, and nobody found it.

        I already said that open source does not guarantee good code. As far as I know, it’s not known whether the bug was found by Apple employees or by someone who read the open code. In any case, open source crypto at least does enable unsolicited code reviews, whereas closed source simply makes such audits impossible.

        Also, no amount of open source in surespot is going to make up for the fact that they are selling (supposedly anonymised) metadata, at least for me.

        Agreed.

        • My blog, my opinion 🙂 this not only goes for Threema, but also for the others.

          About telegram, even if they wake up and fix their algorithm, it still seems fishy. The way they tried to be smart in the first place, and then the lame challenge ‘proving’ they are secure. No thanks.

  2. “However, they do hash these before sending them to the server. This means that the server does not have access to information about contacts that do not use MyEnigma.” Except, of course, for the possibility of simply generating hashes iteratively for all possible or likely phone numbers. Since mobile phone numbers have well-known prefixes, this is actually very feasible. If they didn’t add anything to the phone numbers or the algorithm, off-the-shelf rainbow tables can be used. But if they did, then still creating a new rainbow table could be doable. I’d like to tell you whether the hashing was good (slow) enough to prevent such brute force attacks, but MyEnigma too is closed source.

  3. Pingback: What is the value of verifying public keys? // Jaap-Henk Hoepman

Comments are closed.