Your End-to-End Encrypted Messages Aren’t As Secure As You Think


Source: Ritoban Mukherjee / lifehacker.com

End-to-End Encryption: The Misleading Security Promise

When it comes to secure messaging, the term ‘end-to-end encryption’ (E2EE) is often used to describe a level of security that protects your communications from prying eyes. However, a closer look reveals that the reality is far more complex and nuanced than this simple label suggests.

The recent lawsuit filed by the Texas Attorney General’s office against Meta, the parent company of WhatsApp, highlights the issue. The lawsuit claims that Meta deceived users about the level of security offered by E2EE on WhatsApp. Meanwhile, Apple and Google announced that rich text messaging between Android and iOS users will now support E2EE. But this only applies to users who have RCS enabled on their smartphones, and it doesn’t cover traditional SMS or MMS texting.

The problem is that E2EE is not a one-size-fits-all solution. Each messaging app has its own implementation standards, and the level of security is never the same. You shouldn’t assume that all your communications are safe from interception just because your messaging app supports E2EE.

How End-to-End Encryption Works

So, how does E2EE work? In essence, it involves scrambling your messages and data as they leave your device, so that only the recipient who holds the right security key on their device can unscramble it. By design, E2EE prevents anyone who might be trying to intercept your communications, including people who work at the company that owns your messaging app, from accessing its contents.

However, E2EE only works on the contents of your message itself. It doesn’t do anything to encrypt the associated metadata, such as the identity of the sender and receiver, their geolocation, or the timestamp on the various messages. This means that even if your messages are encrypted, your metadata can still be exposed.

The Limitations of End-to-End Encryption

Furthermore, E2EE implementation varies from messaging app to messaging app. Some apps, like Telegram and Signal, offer higher levels of security than WhatsApp or Messenger. On the other hand, WhatsApp enables basic E2EE on all your messages by default, whereas Telegram requires you to opt-in for the encryption every time you want to use it.

Additionally, E2EE doesn’t always work the same way. Depending on the architecture of your messaging app, its associated security features, and the quality of encryption it uses, your security level can fluctuate wildly. For instance, WhatsApp encrypts messages, but not backups. This means that there’s a brief window as you’re uploading your messages to your cloud drive when they can be freely intercepted without a decryption key.

The Blind Spots of End-to-End Encryption

Another issue with E2EE is that it doesn’t protect against certain kinds of attacks. For example, spyware, keyloggers, and other malicious attacks directed directly at your phone or workstation are not covered by E2EE. Pegasus, a notorious spyware, has repeatedly used zero-click exploits to read encrypted messages straight off the screen, without relying on your messaging app at all.

Furthermore, group chats are another serious vulnerability. Most messengers straight up don’t offer E2EE for chat groups involving several members. Even with the apps that do encrypt group chats, the number of members presents an entirely new threat because any of them could be exposed to device-specific attacks that render E2EE useless.

What Can You Do to Improve Your Security?

So, what can you do to improve your security when it comes to messaging? One solution is to use Signal, which offers complete E2EE protection with almost zero metadata tracking and no identifying details stored anywhere. However, Signal only works if the person you’re communicating with also has it installed on their device, and it’s not as popular as WhatsApp or Telegram.

Another solution is to enable encrypted backups. This ensures that your messages aren’t exposed during cloud backup, which is a known loophole that affects both WhatsApp and iMessage. You can enable E2EE during the backup process on WhatsApp by going to Settings > Chats > Chat Backup > End-to-End Encrypted Backup. On iMessage, you can enable Advanced Data Protection under your account settings (iCloud > Advanced Data Protection).

Ultimately, the key to secure messaging is to be aware of the limitations of E2EE and to take additional steps to protect your communications. By understanding how E2EE works, its limitations, and the blind spots it has, you can make informed decisions about your messaging security and take steps to improve it.