Written by Jake Foster and Julian Zucker
Most people believe that their phones, computers, and the digital data they compile are safe. We all think we can send messages and pictures, and the data will remain private as long as nobody shares it. For the most part, we are wrong.
Most think their phones are safe, but the security flaws that often plague the most highly-used apps prove them wrong. As Nicholas Weaver states, Apple devices are only secure if configured correctly, and are therefore not inherently safe. Apple’s iMessage sends encrypted messages automatically, meaning those messages are typically sent with a certain amount of protection. This involves public key encryption, a method of sending messages in a form that is harder for unintended recipients or hackers to decode. If a program uses the correct ‘lock’ to protect a message, only the person with the correct key can ‘unlock’ it. There are ways that messages can be forced ‘unlocked,’ but these methods are not as common.
While the buzzword “encryption” may suggest a certain level of protection, security flaws still exist. To encrypt a message, your phone first turns the message into a bunch of numbers. The next step uses two functions, one of which works as a lock, one of which works as a key. The public key, or lock, is on Apple’s servers, and the private key, which opens the lock, is stored on your phone. The sending phone locks the message with the recipient’s public key, which makes the message nearly impossible to read while it is being sent; it can then only be unlocked with the recipient’s private key. At this point, the message is turned from numbers back into words, and displayed in iMessage.
This method would be secure if both phones could have access to the entire encryption process and the keys involved. However, the way Apple’s encryption works is a security vulnerability because the phones depend on Apple’s servers to figure out what public and private keys to use. Thus anyone who has gained access to Apple’s servers, or can make a server that replicates Apple’s, could view all messages sent through iMessage.
There do exist secure alternatives to texting. Signal, an app for iOS, allows users to view their public keys, and the public keys of the people they are messaging. Users can verify that they have a public key that only the intended recipient can decode. This allows the same safety as the encrypted iMessage, but removes the server-side vulnerability. Furthermore, Signal is open-source, meaning that anyone can look at how the app works ‘under the hood,’ and point out security flaws.
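The key check described above can be sketched in a few lines. This is an added example, not code from Signal or Apple: the fingerprint format (first 128 bits of SHA-256, grouped in fours), the `KeyPinStore` class and the sample keys are all assumptions made for illustration. It shows why remembering a contact's key catches a later substitution, and why only comparing fingerprints outside the app catches a substitution on first contact.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """Short human-comparable form of a key (assumed format, not Signal's)."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

class KeyPinStore:
    """Remembers the key fingerprint first seen per contact and flags any change."""

    def __init__(self):
        self._pins = {}  # contact -> [fingerprint, confirmed_out_of_band]

    def check(self, contact: str, key_from_server: bytes) -> str:
        fp = fingerprint(key_from_server)
        pin = self._pins.setdefault(contact, [fp, False])
        if not hmac.compare_digest(pin[0], fp):
            return "key-changed"  # do not send until the new key is re-verified
        return "verified" if pin[1] else "unverified"

    def confirm(self, contact: str, fp_from_contact: str) -> bool:
        """Compare the pinned fingerprint with one the contact read out in person."""
        pin = self._pins.get(contact)
        if pin is None or not hmac.compare_digest(pin[0], fp_from_contact):
            return False
        pin[1] = True
        return True

# Constructed placeholder bytes standing in for public keys (not real key material).
ALICE_REAL_KEY = bytes(range(32))
SUBSTITUTED_KEY = bytes(range(1, 33))

def scenario_honest_then_swapped():
    """Server is honest at first, then hands out a different key for Alice."""
    store = KeyPinStore()
    first = store.check("alice", ALICE_REAL_KEY)
    confirmed = store.confirm("alice", fingerprint(ALICE_REAL_KEY))
    after = store.check("alice", ALICE_REAL_KEY)
    swapped = store.check("alice", SUBSTITUTED_KEY)
    return first, confirmed, after, swapped

def scenario_swapped_on_first_use():
    """Server hands out the wrong key from the start; pinning alone cannot tell."""
    store = KeyPinStore()
    first = store.check("alice", SUBSTITUTED_KEY)
    confirmed = store.confirm("alice", fingerprint(ALICE_REAL_KEY))
    return first, confirmed

if __name__ == "__main__":
    print(scenario_honest_then_swapped())
    print(scenario_swapped_on_first_use())
```
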
Some also believe that the disappearing feature of Snapchat protects photos from being saved, unless the recipient takes a screenshot. These twelve lines of code can decrypt any Snapchat photo taken from a phone running iOS. This slightly lengthier Python program will decrypt photos on any phone running Android. A comprehensive list of Snapchat’s security flaws can be found here, courtesy of GibsonSecurity. In short, once a photo is decrypted, access cannot easily be revoked and a user’s private photos are thus unprotected.
Many social media users are either oblivious to or indifferent about how easy their data is to view. Many companies make bold statements about the security of their apps, and it is easy to believe them. However, time and time again, these companies have failed to keep their users’ data secure. In the ‘Internet Era’, it is getting harder and harder for someone to have total privacy, and keep their phones, computers, and digital data safe. Even though we can’t achieve total security, it is still worth trying to keep private messages private.