malware

Hygiene for your favorite chat app...

Do you use a chat apps like WhatsApp, Signal, or Telegram? You might benefit from a few moments focused on how the security features in these apps work and how various settings impact your privacy and security posture.

Many common apps, including WhatsApp, Signal, and Telegram have a feature called end-to-end encryption. This feature has a reputation for being "unhackable" and whether this is true or false
it may have lulled even some powerful and sophisticated people into a false sense of security.

The idea of end-to-end encryption is that your chats are encrypted on your phone before they leave and they stay encrypted until they get to their intended destination. Hopefully, this encryption keeps anyone who might be snooping in the middle from learning about your conversation - in particular, the server that drives the app only needs to handle this encrypted data and lacks the power to snoop on you. Such a system, however powerful, eliminates just one of the many ways an interloper might try to spy on you.

The problem is that there is much that can go wrong on your phone before anything gets encrypted.
For example, many of these chat apps will back up your conversations to the cloud, and these backups are typically not encrypted at all. It is not uncommon that an app backs up to the cloud by default and thus does so without the knowledge of many users.

While not well known among users, it is not a secret that these backups exist and that they’re not encrypted. The history is that they’re not encrypted in part because law enforcement complained that encryption would make these backups difficult to use in investigations.

The next layer is that a bad actor could conceivably put malicious software on your phone that affects how these backups are handled (or otherwise changes the function of the app). This is approximately how the notorious gangster El Chapo was brought to justice, and recently it was revealed that Jeff Bezos was hacked when he opened a malicious link sent to him by, of all people, the Crown Prince of Saudi Arabia.

If you're privacy conscious, please be aware of how your phone is storing data from your chat apps, if you are backing up this data to the cloud, and be very careful about opening any links that anyone might send you (even links from foreign royalty).