5 Secure Messaging Myths

Here are five top myths (and truths) product managers should know to build a competitive and secure messaging solution.

Messaging, whether it be through SMS/MMS text messages, email, or a messaging app, is a core way humans communicate with each other worldwide. According to CTIA, a trade association for the U.S. wireless communications industry, Americans sent 2.1 trillion SMS text messages in 2019, up 52 billion from the year prior; WhatsApp was delivering 100 billion messages per day by the end of 2020.

With more messages being sent than ever before, bad actors such as hackers, cybercriminals, unethical companies, and even governments may target messages to intercept, steal, copy, or eavesdrop on them. From sensitive health information to data such as names, payment details, birthdates, and usernames and passwords, many messaging platforms are data breach targets, and a breach can undermine customer confidence and privacy. Secure messaging should be a top priority for messaging app product managers.

A chief way messaging providers can protect their users from malicious intent is end-to-end encryption (E2EE): messages are encrypted on the sender's device so that only the intended recipient's device can decrypt them. End-to-end encryption relies on mathematically generated cryptographic key pairs, one public key and one private key. Much like the slot of a locked mailbox, a public key can be shared with anyone who wants to send a message to a particular user. The private key never leaves the device, and it is what decrypts received messages. E2EE differs from the arguably less secure approach known as transport layer security (TLS) or transport encryption, which only protects the connection between a device and a third-party server; the owner of that server (typically a tech company) can therefore view message content and metadata.

This secure messaging overview provides baseline guidance for building a secure messaging app. But secure messaging is a nuanced topic, and it warrants in-depth consideration if you’re seeking to add this feature to an existing or novel product.

To kickstart your security journey, here are five top secure messaging myths to know.

Myth: End-to-end encrypted messages cannot be hacked.

Truth: While end-to-end encryption is considered the gold standard for secure messaging, it isn’t completely hack-proof. If a malicious actor breaks into a user’s personal device, messages can still be read before they are encrypted or after they are decrypted. End-to-end encryption safeguards messages while they are in transit, but they can still be attacked on personal devices such as a computer, phone, or tablet, especially if a device is left unlocked.

Myth: Today’s most secure messaging apps will always be the most secure messaging apps.

Truth: Like any business, each messaging app has its own privacy policy that is subject to change. An app’s sterling security protocols today don’t prevent the company from changing its policies tomorrow.

Case in point: when WhatsApp announced a change to its privacy policy outlining how the company shares user data with parent company Facebook, millions of WhatsApp users migrated to the secure, independent messaging competitor Signal. WhatsApp still uses end-to-end encryption, but many messaging app consumers weren’t comfortable with the new privacy policy.

Secure messaging protocols are always subject to change. Privacy policies and secure messaging values are created by humans, and they constantly evolve.

Myth: SMS text messaging is better than a secure messaging app.

Truth: Unlike many secure messaging apps (such as Signal, Telegram, and WhatsApp), most SMS text messages aren’t end-to-end encrypted. “When you send an SMS, while it might be secure between your phone and your network, once there it can be easily intercepted and collected,” writes cybersecurity expert Zak Doffman in Forbes. “[SMS] is built on an archaic architecture that sits inside the many cellular networks around the world.”

Apple’s iMessage is an exception: when two people with iPhones text each other, the messages are end-to-end encrypted (shown as a blue text bubble). There is no way for Apple to decrypt the content of conversations while they are in transit between two iOS devices, a feature that some law enforcement professionals are trying to change. However, even with tight security, vulnerabilities with iMessage exist, mainly because users have the option to back up their messages to iCloud (a feature that can easily be turned off). Plus, texts revert to traditional SMS when communicating with an Android device (shown as a green text bubble).

Myth: The option to “turn on” end-to-end encryption on secure messaging apps is better than a default setting.

Truth: Cybersecurity experts believe secure messaging apps that provide end-to-end encryption as a default setting are superior to those that simply offer E2EE as an option. For example, while the messaging app Telegram has a “secret chat” option (which enables end-to-end encryption), it must be “turned on” in the app’s account settings, which assumes users both know about the option and care enough to activate the added security. Greater E2EE adoption occurs when apps are inherently secure, such as in messaging platforms like Signal, Wire, and WhatsApp.

“WhatsApp and Signal end-to-end encrypt every message and call by default, so that their own servers never access the content of conversations,” explains Andy Greenberg in Wired. “Telegram by default only uses ‘transport layer’ encryption that protects the connection from the user to the server rather than from one user to another.”

Myth: Building a secure messaging app is a lengthy, expensive process.

Truth: It’s tricky to build a secure messaging app with end-to-end encryption from scratch. However, building a tech stack from best-in-class tech providers that prioritize reliable messaging and security is a chief way to speed up a secure messaging build, protect engineering resources, and reduce long-term costs.

Whether a team is tasked with building a HIPAA-compliant messaging feature that allows doctors to communicate with their patients, or with adding a chat feature to a fintech app that may contain sensitive customer data, pairing an in-app messaging solution with an encryption package from a company like Virgil Security, or with Apple’s CryptoKit framework, is an easy and effective way to build secure messaging capabilities into an app.

Want to learn how Stream’s reliable, scalable and performance-first chat can transform your business? Try Stream’s free, 28-day Chat Trial!