“Communication is the essence of human life”
~Janice Light[1]
Instant messaging is a set of technologies that facilitate real-time communication. Also known as I.M., social messengers, messaging apps or chat apps, it is a quick, accessible, and convenient mode of communication. Instant messaging pre-dates the modern internet and has existed since the early 1990s. However, instant messaging as we know it today became popular after 2005 with the introduction of the BlackBerry Messenger and WhatsApp mobile applications. Eventually, increased internet penetration, improved smartphones and added convenience led to the widespread adoption of these messaging applications, resulting in trillions of messages flowing through these platforms annually.
In 2021, there were 3.8 billion active users on different instant messaging apps, according to Statista [2]. Gradually, other platforms like Telegram, Signal, Facebook Messenger, and iMessage also emerged and created their own niches. Nowadays, more communication takes place on IM platforms than in person.
Security & Privacy in IMs
The rapid popularity gains of IM platforms led to all forms of information flowing through them. Given the volume of valuable and confidential data transmitted through the IM platforms, they became suitable channels for threat actors and intruders to gain access to information like never before. Thus, instant messaging platforms are vulnerable to security and privacy risks.
Although most present-day applications use some form of authentication to control data access on the platform, data confidentiality and integrity during transmission are equally necessary for security and privacy. A combination of cryptographic algorithms solves this riddle of secure message transmission in a real-time environment. However, different sets of ciphers offer different strengths and weaknesses, which acts as a key differentiator in the security posture of popular messaging platforms.
Classification of Communications over IMs
Despite all security concerns and issues, instant messaging platforms continue to be used for all forms of communication by users. Particularly, communications over IMs can be classified as follows:
- Informal communication with friends and family
- Informal communication with colleagues at/outside the workplace
- Formal communication with colleagues at the workplace
- Business communication with prospective/existing customers
For example, companies are increasingly using services like ‘WhatsApp for Business’ to connect with customers. It offers features such as a business profile, greeting message, quick replies, and metrics to track engagement. Additionally, these platforms can be used as a live chat solution for customer support and to send promotional messages.
However, different scenarios require different levels of sensitivity to security and privacy measures. For example, informal communication with friends and family typically requires fewer security and privacy measures than formal communication with colleagues at the workplace or business communication with customers, as the latter could include sensitive information such as confidential business plans, financial data, and the personal information of customers. Therefore, it is important to be cautious about the information shared and the security and privacy implementation of the instant messaging platform used for sharing.
Security & Privacy implementation in IMs
Instant messaging platforms use diverse measures to protect users’ data. These include:
- End-to-end encryption: This method encrypts messages on the sender’s device, which can be decrypted only on the recipient’s device. It ensures that even if a message is intercepted in transit, it would be unreadable to anyone other than the intended recipient, including the IM platform itself.
- Authentication: Most instant messaging platforms require users to create an account and log in to use the service. It ensures that only authorized users can access the platform and send messages.
- Device and account linking: Many instant messaging platforms allow users to link their accounts to multiple devices, such as smartphones and tablets. Thus, the platform can detect if an account is accessed from an unknown device and alert the user.
- Backup and recovery options: Many instant messaging platforms allow users to back up their messages and settings so that they can be recovered in case of loss or theft of the device.
- Two-factor authentication: This is an additional layer of security that requires users to provide a code sent to their mobile phone or email address in addition to their password to log in.
- Regular security updates: Instant messaging platforms often release regular security updates to fix potential vulnerabilities and ensure the protection of users’ data.
- Legal compliance: Instant messaging platforms may be required to comply with legal requests for information from law enforcement agencies. While these platforms may provide information to law enforcement agencies, they also inform the user in case of any legal request for their information.
However, it’s important to note that the privacy and security measures taken by different instant messaging platforms may vary, which means that different platforms may have different levels of security based on their implementation and effectiveness. Thus, they may be susceptible to different attacks and breaches.
One such security incident was reported in 2016, when the popular instant messaging platform ‘Telegram’ was compromised by a group of hackers from Iran, leaking 15 million phone numbers of Iranian users.[3]
Conclusion
In conclusion, instant messaging has become an integral part of our daily lives, revolutionizing the way we communicate. With its real-time nature and advanced features, it has surpassed traditional forms of communication like SMS and email. But with the increased usage of IMs, security and privacy concerns have also risen. Users must be aware of these risks and take necessary precautions to safeguard their personal and professional information. Despite these concerns, IMs continue to be used for all forms of communication, from personal to professional use cases. Companies are also adopting IMs for business communication, using services like ‘WhatsApp for Business’ to connect with customers. It is essential to be aware of potential security and privacy risks associated with each IM, while also being aware that no platform can guarantee complete protection.
Group 5: Abhishek Jain, Anubhav Swami, Ayushi Gandhi and Nikhil Nettar.
PS: Please take the survey in the first comment and share your comments.
References:
[1] Light, Janice. “‘Communication Is the Essence of Human Life’: Reflections on Communicative Competence.” Augmentative and Alternative Communication, vol. 13, no. 2, Jan. 1997, pp. 61–70. Taylor and Francis+NEJM, https://doi.org/10.1080/07434619712331277848.
[2] “Most Popular Messaging Apps 2022.” Statista, https://www.statista.com/statistics/258749/most-popular-global-mobile-messenger-apps/. Accessed 27 Jan. 2023.
[3] “Exclusive: Hackers Accessed Telegram Messaging Accounts in Iran – Researchers.” Reuters, 2 Aug. 2016. www.reuters.com, https://www.reuters.com/article/us-iran-cyber-telegram-exclusive-idUSKCN10D1AM.
[4] What Is Instant Messaging? www.youtube.com, https://www.youtube.com/watch?v=AtP874lpenI. Accessed 27 Jan. 2023.
[5] “Chat Systems.” Xkcd, https://xkcd.com/1810/. Accessed 27 Jan. 2023.
I encourage you all to take this survey as part of this project and post about your ideas in the comments.
https://docs.google.com/forms/d/e/1FAIpQLSc2tR45QAos8hQ1w4B2gMxTdVshGC2ad4XUpIz-POtso8Iy_A/viewform
Thank you for sharing the interesting topic and providing a comprehensive overview of the security and privacy concerns associated with instant messaging platforms. I am curious, which instant messaging platform does your group believe is the most secure and why, in your opinion? Thank you.
According to our current research, Signal is considered the most secure application in encrypting messages. “Signal created an encryption protocol that is now recognized as the most secure messaging app protocol out there” - Nord VPN. We were able to find multiple instances of this quote online. However, since our project is also based on this same topic, we intend to manually go through each encryption algorithm and try to make our own conclusion as to which is most secure as the final end result of the project.
That’s very interesting. It’s good to know that Signal is considered the most secure instant messaging app. I look forward to seeing the results of your project. Thanks Nikhil.
Thank you for the question, Leo. I would like to update you that after looking at the cryptography of four IMs, i.e. Signal, WhatsApp, iMessage and Telegram, we did find Signal to be the most secure platform.
However, we should also know that the cryptographic primitives followed by all the IM applications were pretty similar, standard and followed NIST recommendations. It is the implementation of encryption, key management and data collection practices that creates a difference. For example, though iMessage provided end-to-end encryption, it stores public keys on iCloud making them accessible to Apple, thus defeating the entire purpose of E2E encryption.
Cohn-Gordon, Cremers, Dowling, et al. (2020) suggested that Signal uses initial extended triple Diffie–Hellman (X3DH) key agreement and Double Ratchet protocols as a multi-stage authenticated key exchange protocol. Therefore Signal is more secure than other messaging apps.
However, Rösler, Mainka and Schwenk (2018) mentioned that Signal’s strong security properties, such as Future Secrecy which is a core part of the one-to-one communication in the Signal protocol, do not hold for its group communication. Signal’s group messaging is not as secure as its non-group messaging.
Source:
Cohn-Gordon, K., Cremers, C., Dowling, B. et al. (2020) A Formal Security Analysis of the Signal Messaging Protocol. J Cryptol 33, 1914–1983 (2020). https://doi.org/10.1007/s00145-020-09360-1
P. Rösler, C. Mainka and J. Schwenk (2018) “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema,” 2018 IEEE European Symposium on Security and Privacy (EuroS&P), London, UK, 2018, pp. 415-429, doi: 10.1109/EuroSP.2018.00036.
We additionally show that strong security properties, such as Future Secrecy which is a core part of the one-to-one communication in the Signal protocol, do not hold for its group communication.
Ramadhani, Ramadhani, Basit (2020) mentioned WhatsApp uses a combination of Hybrid Cryptography In One Time Pad (OTP) and Keyed-Hash Message Authentication Code (HMAC) in messaging. Against popular belief or suspicion, they found no problem in WhatsApp’s end-to-end encryption (E2EE).
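As an added example (not part of the original post or its comments, and not Signal's code): a sketch of the symmetric KDF chain inside the Double Ratchet named in the comments above, using HMAC-SHA256 both to derive one-time message keys and to tag each message, which is the integrity-in-transit property the article asks for. It assumes a shared secret has already been agreed (X3DH in Signal's case) and leaves out the Diffie-Hellman ratchet and payload encryption; the labels, `MAX_SKIP` and every class and function name are choices made for this example.

```python
import hashlib
import hmac

MSG_KEY_LABEL = b"\x01"    # labels and MAX_SKIP are choices made for this example
CHAIN_KEY_LABEL = b"\x02"
MAX_SKIP = 32              # bound on cached keys so a forged counter cannot exhaust memory


def kdf_chain_step(chain_key):
    """One ratchet step: (next_chain_key, message_key); HMAC cannot be run backwards."""
    message_key = hmac.new(chain_key, MSG_KEY_LABEL, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_LABEL, hashlib.sha256).digest()
    return next_chain_key, message_key


def make_tag(message_key, counter, payload):
    """Integrity tag over counter and payload, keyed with the one-time message key."""
    data = counter.to_bytes(4, "big") + payload
    return hmac.new(message_key, data, hashlib.sha256).digest()


class Sender:
    def __init__(self, chain_key):
        self.chain_key, self.counter = chain_key, 0

    def send(self, payload):
        # The previous chain key is overwritten, so it is no longer held in state.
        self.chain_key, message_key = kdf_chain_step(self.chain_key)
        message = (self.counter, payload, make_tag(message_key, self.counter, payload))
        self.counter += 1
        return message


class Receiver:
    def __init__(self, chain_key):
        self.chain_key, self.next_counter = chain_key, 0
        self.skipped = {}  # counter -> key for messages that have not arrived yet

    def receive(self, message):
        counter, payload, tag = message
        chain_key, next_counter, fresh = self.chain_key, self.next_counter, {}
        if counter in self.skipped:
            message_key = self.skipped[counter]
        elif next_counter <= counter <= next_counter + MAX_SKIP:
            while next_counter <= counter:
                chain_key, fresh[next_counter] = kdf_chain_step(chain_key)
                next_counter += 1
            message_key = fresh.pop(counter)
        else:
            raise ValueError("replayed or out-of-window message")
        if not hmac.compare_digest(tag, make_tag(message_key, counter, payload)):
            raise ValueError("authentication failed")
        # Commit state only after the tag verified; the used key is discarded.
        self.skipped.pop(counter, None)
        self.skipped.update(fresh)
        self.chain_key, self.next_counter = chain_key, next_counter
        return payload


def rejected(receiver, message):
    try:
        receiver.receive(message)
    except ValueError:
        return True
    return False


def demo():
    # Constructed shared secret; a real client gets it from a key agreement such as X3DH.
    root = hashlib.sha256(b"constructed shared secret").digest()
    alice, bob = Sender(root), Receiver(root)
    m0, m1, m2, m3 = (alice.send(p) for p in (b"hi", b"lunch?", b"12:30", b"ok"))
    delivered = [bob.receive(m) for m in (m2, m0, m1)]            # out of order
    forged_rejected = rejected(bob, (m3[0], b"send money", m3[2]))  # altered in transit
    genuine = bob.receive(m3)                  # the forgery did not desynchronise state
    replay_rejected = rejected(bob, m1)        # its key was discarded after first use
    return delivered, forged_rejected, genuine, replay_rejected, len(bob.skipped)
```

Because each message key is used once and the chain only moves forward, reading the receiver's current state does not yield the keys of messages already processed; recovery after a compromise needs the Diffie-Hellman ratchet that this sketch omits.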
Done with the survey. I’m intrigued. I use IM to send a message to my family and friends every time, so it will be quite interesting to know how we are protected by these platforms. Btw, would you know if there are standards or compliance set for IMs?
Thank you for taking the survey, Nina 🙂
To answer your question, yes, instant messaging apps are subject to standards and compliance regulations. It’s important for these apps to comply with data privacy and protection regulations, such as the GDPR in the EU and PIPEDA in Canada. However, the specific regulations an instant messaging app must comply with may differ depending on the jurisdiction and the data being collected and processed.
Thank you for the post. It’s good to be reminded of the potential security and privacy risks associated with various IMs. For me, I use WhatsApp, which has end-to-end encryption, but from your research, can you advise us on the most secured IM to use?
Thank you for your comment, Oluchi.
As Nikhil mentioned earlier, based on current research, Signal is considered the most secure application for encrypting messages. Our project focuses on the encryption algorithms used in instant messaging apps, and our goal is to manually evaluate each algorithm to reach our own conclusion on which is the most secure.
It is a very interesting topic and we face and work with these apps every day of our lives these days. I wonder if there is a platform that can link these apps together? For example, someone in Telegram can send a message to someone in WhatsApp.
That’s a good question. Thank you for asking, Moein. Yes, there exists a platform that can link apps together and it’s “Matrix”. Instead of being a communications protocol, Matrix is basically a decentralised conversation store. In Matrix, each message you submit is duplicated across all of the servers whose users are taking part in the current conversation. I have attached the link in the comment for you to understand more about it.
https://matrix.org
Instant Messaging is an interesting cryptographic topic to explore and it was great to read about the different challenges that go into creating a secure but also efficient IM platform. Most people don’t see the security issues with using some of these quick-and-easy solutions, and they can often lead to data leaks and a compromise of PII. Based on your research, what has been the most common form of attack on IM platforms?
Our project doesn’t necessarily focus on attacks as such, but the most common attacks with the help of IMs would definitely be Phishing / Identity Spoofing of some form as well as sending Trojan Horses (basically embedding malicious software/code inside an attachment) and viruses as attachments. If the question was about “the attacks on IMs” then most of them would be categorized as some sort of Man in the Middle Attack where someone intercepts traffic due to use of weak / bad encryption algorithms and then decrypts them. So there would be unauthorized access also. There is a possibility these IM platforms face DDoS attacks but that isn’t as common.
Funny thing is Apple mentions that iMessage is “end-to-end encrypted and no person including Apple can decrypt messages when in motion”. But the twist here is the use of the words “in motion”, because if you actually look more in depth into this topic, it turns out Apple stores the decryption keys in the iCloud. So technically they could decrypt our messages “bUt oNlY wHeN DaTA is at ReSt”, which in simple words means that your message isn’t secure. Amazing loophole to exploit 😀
Wow I did not know that!!! Classic Apple twisting their words to make them seem invincible in the IT security world 😡
Very interesting and thought-provoking post. I can’t help but be reminded of the balance between convenience and security and how much we trust these companies to keep our benign conversations and darkest secrets secure! Just curious, has anyone had conversations within IM chats and coincidentally (or not…?) seen ads eerily mirroring items discussed in the chat shortly after???
I’ve heard of some incidents. Makes you think about how secure IMs really are. Haha. I always think that there is some kind of a trade-off for this kind of convenience. Anyway, reading this blog, it’s good to know that they do have some kind of security in place to protect our data.
It is true that balance of convenience and security is an ongoing discussion in almost all cybersecurity forums. I would like to highlight that often, the most secure IMs fail to attract a large user-base because of lack of convenience. Though security is necessary and important, security over convenience can be counterproductive to the whole purpose of IM communication. Thus, finding an appropriate balance is the key!
Ya. Pretty sure if Facebook sells customer data for money then so will WhatsApp since they are under the same parent company. 😉
And they can get away with it as long as they find loopholes and comply with local regulations.
Yep! I remember having a conversation on WhatsApp about KFC and when I left the chat, all I saw on my browser were ads about KFC (-____-‘ ) I’ve heard other people complain about similar things as well.
My thing is, this should not be possible with true end-to-end encryption!
lol “finger lookin good” for sure
Completed the survey just as requested! This blog is really interesting to me because I have done a bit of research regarding IM apps before for my own personal use. Is there a messaging app that your group prefers? And are some of you now considering to maybe stop using certain IM apps after your research?
Thank you for completing the survey, Jamie. It’s great to hear that you have conducted previous research on instant messaging apps for your personal use.
As for our group, we don’t have a preferred instant messaging app, but the results of our research have certainly made us re-evaluate the apps we were previously using.
For instance, I often use iMessage as my go-to instant messaging app, but after our research, I learned that while iMessage is user-friendly and convenient, it may not offer the same level of security as other instant messaging apps like Signal, WhatsApp, and Telegram.
Haha ya. Again this comes down to the security vs convenience debate.
For personal everyday use, if all my friends and family use WhatsApp then chances are I would lean towards using WhatsApp even if I am aware that it is not secure. Comes down to an individual’s Risk Acceptance and tolerance limit. I wouldn’t personally use any of the IMs for a work environment though. Email only I guess. Maybe if I was forced to use one then Slack, although we didn’t cover that in our project. Signal is the most secure yet I barely know anyone who uses that.
It’s a good start to a promising topic subject. I have a few suggestions and clarifications.
Umm, I think you forgot the OG of them all: MSN Messenger deserves some face time!!!! >:( And long before that was IRC (Internet Relay Chat) from the late 80s, so I would update to say it’s been around for about as long as the official birth of the internet.
As for security, it would be interesting to see what you guys would suggest would be a good feature for a secure private messenger app.
You are right that messaging apps are the target of a lot of hacks and vulnerabilities these days, and I would hazard a guess not a one of the popular ones is secure against government agencies anymore.
Why I stick to just normal SMS.
Ya. We actually wanted to cover a lot of IMs but due to time constraints we just picked four relevant ones which are being used today.
I guess best security feature I can think of for a secure private Messenger app would be the cliché “End to End encrypted” but where the keys are not stored in any cloud. So even the IM company themselves cannot decrypt the message under any circumstances. And of course once we use the strongest cryptographic algorithms for encryption we get an app which provides almost the same level of security as Signal.
I can still hear the “uh oh” sound from ICQ.
I can still hear the “uh oh” from ICQ.
Thank you for this blog post! I must admit I was a little embarrassed while doing the survey as I realized I don’t consider much beyond ease of use and am quick to just use whatever apps others are using for convenience. I especially appreciated the outline of the different measures IM platforms use to protect data. This gives me a better idea of what to look for when deciding which IM apps to continue using. I’d be very interested in seeing your final project on this topic to learn more.
Thank you for completing the survey, Janelle. We’re glad that our blog post has been informative and helpful to you.
I completely understand where you’re coming from, as I often do the same thing, using the same apps as others for the sake of convenience. It is common for people to prioritize convenience over security when it comes to choosing IM apps. We should all strive to be more mindful when it comes to our online security.
We are working hard to complete our final project. We will definitely keep you updated and hope it will provide even more insight into this topic. Thanks for your interest!
An interesting blog to learn about instant messaging. I was wondering about the encryption algorithm part of the applications available in the market. Based on your research, would you happen to know which applications use which type of encryption method?
Interesting question Mehedi. When we started out, even we were skeptical if we’ll get our hands on the encryption algorithm used by these platforms. But as an encryption algorithm should be available for public scrutiny, we found that except for Apple, all the three platforms had made their encryption algorithms publicly available. However, our team was able to collect information about iMessages as well.
Great content. What if employees working in an organization communicate through private messaging channels? Then the companies have no record of information and no audit trail. In this case, do you think business communications should have compliance built in?
Thank you for your comment. You must offer a communication audit trail in order to comply. If you don’t have access to the data, that is not possible. Further complicating this is the latest wave of rules pertaining to personal data. Your business must retain the data available at all times.
There are enterprise instant messaging applications such as Microsoft Communicator, then it became Lync. Then replaced by Teams. IBM also has Lotus Sametime. They were/are pretty advanced, e.g., real-time monitoring of abusive language. They also have advanced backup, for records management, audit, even consequence management. Multiple nodes, external interfaces (if available) let external users use them also, e.g., for vendor discussion, industrial conferences.
When I took the survey and saw that Signal was the only option I use, I felt out of the loop. And seeing that WhatsApp is the most widely used gives me a little FOMO. But I still don’t trust the other platforms enough to jump on the bandwagon.
Thank you for taking the survey, Julie. I totally get where you’re coming from. It can be tough when others are using different apps and it seems like everyone is on the same page except for you. But it’s important to prioritize your own security and privacy. Trusting an app with your personal information is a big decision and it’s great that you’ve found a platform in Signal that you feel confident using. It’s better to stick with what you feel comfortable and secure with, even if it means being ‘out of the loop’ sometimes.
Interesting. So, we had 46.2% participants stating that Whatsapp was their most frequently used IM application. However, interestingly, we had equivalent 46.2% participants stating that they think Signal is the most secure application. So, as long as you are able to find your contacts on Signal, it seems to be the best option.
Abhishek and the group. I must say that this is a nice research topic and thanks for raising my consciousness to the security of my instant messaging use. I must confess that I have been a victim once of account hacking. My WhatsApp account was taken over, the adversaries got access to my contacts and successfully stole a couple thousand CAD from my friend pretending to be me.
I quite love the concept of the two-factor authentication and I started using it after the incident.
I am also quite interested in the classification section of this post. But I was kind of looking for something else, and when I did a little looking around online, I found various other classifications of IM message services, so I will imagine that the classification in this post is original to you guys: nice one there.
On the encryption part, the end-to-end encryption is cool for privacy, but would you also know if there are solutions for data integrity by way of a hash or MIC strategy?
On the legal compliance, would you be able to share some of the regulations that govern operators of these platforms? And, in the presence of the end-to-end encryption, would the operators have backdoor access to communications on the platforms?
I think about the old mailing list subscription. If some of us don’t have certain apps such as WhatsApp, signal, teams etc. Just use a mailing list or forum to add new posts, reply to all, or reply to specific topics or people.
I think the popularity of instant messaging applications requires critical mass:
1. Think about fax, landline phones, pagers, mobile phones or even video tape (or the competition of video tape formats). They have exponential growth when they reach certain customer base numbers.
2. Then continuation or lack of customer content, growth in app uses strengthen or weaken the application popularity.
3. Combined with reputation loss such as data breach, security incidents add up to application popularity.
It amazes me how quickly technology advances, to think years ago we used AOL for IM stuck at a computer and only available through that provider ( I believe). Thank you for the post and 0% for the survey here.
Hi,
I love your blog post. I believe WhatsApp is secure in chatting through your post. In real life, I found out a lot of bad guys used WhatsApp as their tool to do phishing or social engineering attacks. How can WhatsApp mitigate these kinds of attacks? My other concern is: is backup on WhatsApp safe? It could be another attack vector for hackers.