Hackerspot
Hackerspot Podcast
A Security Analysis of Chat Applications
0:00
Current time: 0:00 / Total time: -12:50
-12:50

A Security Analysis of Chat Applications

A security analysis comparison between Signal, WhatsApp and Telegram

Choosing the right messaging app is more important than ever. With increasing concerns over how data is hanadled, many users turn to secure messaging platforms to protect their communication. Among the most popular are Signal, WhatsApp, and Telegram, all of which offer some level of end-to-end encryption. However, the depth of their security features, encryption implementation, and overall privacy protections vary widely.

In this blog post, we want to delve into the detailed security analysis of these three apps based on an article published by researchers from Politehnica University of Bucharest to understand some details related to app security.

Signal

Signal has earned a reputation as the most secure messaging app available. It uses the Signal Protocol, widely regarded as the most secure encryption protocol. This protocol ensures that only the sender and the intended recipient can read the messages, effectively shielding the communication from prying eyes, including hackers and even the service provider.

Key Security Features:

  • End-to-End Encryption by Default: Signal encrypts messages before they leave your device and only decrypts them when they reach the recipient.

  • Open Source: Signal's code is publicly available, allowing security experts to scrutinize it and identify any vulnerabilities.

  • Advanced Privacy Tools: Signal offers features like disappearing messages, which automatically delete after a set period, and contact verification to ensure you are communicating with the right person.

While Signal’s encryption is highly robust, forensic analysis has revealed that certain types of data can still be vulnerable if physical access to the device is gained. For example, if an attacker gains physical control of the user’s phone, they may be able to retrieve deleted messages, timestamps, and contact information. However, Signal’s developers are constantly working to patch these types of vulnerabilities, maintaining the app’s position as the leader in secure messaging.

Forensic Analysis of Signal:

Forensics on Signal require advanced tools like the UFED Physical Analyzer. While Signal’s secure encryption keeps data safe from external attacks, physical attacks on the device can reveal deleted information, making physical security of devices essential. Certain smartphone models and operating systems may also have different levels of vulnerability.


WhatsApp

With over 2 billion users worldwide, WhatsApp is the most popular messaging app, but popularity comes with its own set of risks. WhatsApp also uses end-to-end encryption, but unlike Signal, it employs the WhatsApp Protocol, which is a slightly modified version of the XMPP protocol (Extensible Messaging and Presence Protocol). While encryption is strong during communication, WhatsApp has been the subject of scrutiny for its connection to Meta (formerly Facebook), a company with a well-known history of data collection.

Key Security Features:

  • End-to-End Encryption: Like Signal, WhatsApp ensures that messages are encrypted from sender to receiver.

  • User-Friendly Encryption: Encryption happens by default, without the need for users to enable any special features.

  • Backup Encryption Concerns: While WhatsApp encrypts messages in transit, backups stored on the cloud may not always be encrypted, especially when saved to services like Google Drive or iCloud.

The security issues with WhatsApp largely stem from its massive user base and its association with Meta. In recent years, vulnerabilities in the app have been discovered that allow attackers to execute malicious code via video calls or exploit flaws in the app’s memory management. This, combined with Meta’s data collection practices, can leave users feeling uneasy about their privacy, even though their messages are encrypted.

Forensic Analysis of WhatsApp:

WhatsApp stores backups locally and in the cloud. These backups can be decrypted if attackers manage to gain access to the backup files and encryption keys. Forensic analysis has shown that chat logs, contact information, and other personal data can be extracted from WhatsApp backups using tools like UFED Physical Analyzer. Vulnerabilities in AES encryption have also been exploited in the past, highlighting potential risks in Android-based WhatsApp implementations.

Notable Security Breaches:

In 2022, a massive data breach occurred when an API vulnerability allowed hackers to scrape and sell the phone numbers of active WhatsApp users, which were later used for phishing and vishing attacks. Other vulnerabilities include:

  • CVE-2021-24043: Out-of-bounds heap read during video calls.

  • CVE-2020-1909: A use-after-free error, potentially leading to code execution.


Telegram: Convenience with Security Trade-offs

Telegram is widely recognized for its speed and user-friendly interface, but it has faced criticism for its approach to security. Unlike Signal and WhatsApp, Telegram does not enable end-to-end encryption by default. Only its Secret Chats feature provides true end-to-end encryption, which means that most users’ regular chats are stored on Telegram’s servers and encrypted using the MTProto protocol. While MTProto provides encryption, storing encryption keys on the server introduces a potential vulnerability, as attackers could gain access to those keys.

Key Security Features:

  • MTProto Protocol: Telegram's custom encryption protocol secures communication between clients and servers, but not between users unless Secret Chats are enabled.

  • Cloud-Based Messages: Regular chats are stored in Telegram’s cloud, allowing users to access their messages from multiple devices. However, this raises concerns about data privacy.

  • Optional End-to-End Encryption: Only Secret Chats are encrypted from device to device, which means that users must manually enable this feature for enhanced security.

Forensics shows that Telegram stores a significant amount of user data in its internal memory, including chat logs, voice call logs, contact lists, and media files. This makes Telegram less secure than its competitors in cases where physical access to the device is obtained, as data can be extracted more easily.

Forensic Analysis of Telegram:

Forensic investigators have been able to extract user data from Telegram, including chat history, group memberships, and media files. This is particularly concerning given that Telegram’s encryption is not applied universally, leaving a majority of communications potentially vulnerable.

Security Breaches:

Telegram’s vulnerabilities, especially in its web version, have included:

  • CVE-2021-40532: Mishandling of characters in a document extension, allowing XSS (cross-site scripting).

  • CVE-2021-36769: Attackers could alter the order of messages, resulting in them arriving out of sequence.


Experimental Findings: Sniffing Packet Data

As part of the research, packet sniffing tools like Wireshark and Fiddler were used to capture and analyze the traffic of these messaging apps. Here’s what was found:

  • WhatsApp: The sniffing experiment on WhatsApp revealed traffic on TCP ports 443, 4244, 5222, and UDP port 3478. While most of the traffic was encrypted, tools like Fiddler could still capture metadata like the SSL handshake and STUN server details.

  • Signal: Signal was much more challenging to analyze due to its use of firewalls and encryption at multiple levels. Traffic analysis could not easily penetrate Signal's security layers.

  • Telegram: Similar to WhatsApp, Telegram's traffic over TCP port 443 was captured, and while the SSL handshake was encrypted, packet sniffers were able to capture certain metadata, including public images and server connections.

These experiments further highlight Signal's superiority in traffic obfuscation, making it difficult for even sophisticated tools to intercept or analyze communications.

Which Messaging App is Right for You?

If you prioritize security above all else, Signal is the clear winner. Its open-source nature, robust encryption protocol, and emphasis on privacy make it the best choice for users who are serious about protecting their communications. However, if you need a more widely-used platform and are willing to trade some privacy for convenience, WhatsApp remains a good option, albeit with a few security concerns. Telegram, while feature-rich and fast, falls short in security, particularly for users who are not utilizing its Secret Chat feature.

Ultimately, choosing the right messaging app depends on your specific needs:

  • If privacy is your top concern, Signal is the app for you.

  • If you want to balance convenience with some level of security, WhatsApp can serve you well.

  • If you're more focused on functionality and less concerned with encryption, Telegram offers the best user experience but with potential security trade-offs.

When selecting a messaging platform, consider the overall security architecture, recent security breaches, and the policies of the companies behind these apps. In an increasingly digital world, making informed choices about how you communicate can significantly enhance your privacy and security.

Discussion about this podcast