Why You Should Stop Texting From Your Android Messages App


If you’re a user of Google’s Messages app on your Android smartphone, then you will now likely have the RCS update intended to bring standard text messaging into the current century. RCS is now available in all major countries except China, Russia and Iran. Building on standard SMS capabilities, this adds chat functionality to compete with WhatsApp and iMessage. But, in truth, it doesn’t compete at all. There’s a glaring issue that doesn’t look like being properly fixed anytime soon. This is bad enough that you should now go use something else.

The issue, of course, is end-to-end encryption. Six months ago, reports emerged that Google was developing this level of security to upgrade RCS. As of this week, this is now finally available for public beta testing. On the surface, its intent is to provide Android users with an iMessage alternative. But there is a glaring issue, and it’s a deal breaker. This deployment of end-to-end encryption on RCS is not available for groups; that’s seemingly too complex to handle right now. And there’s also no word yet as to when this limited upgrade might be rolled out.

With that in mind, Android users should opt for a different iMessage-like alternative. Fortunately, there is a simple solution available now. While its standard messenger is not end-to-end encrypted by default, Android offers users the option to select an alternative default messenger that is. Signal is the best secure messenger available. And while its install base is modest in comparison to WhatsApp or iMessage, it’s growing fast.

On iOS, users run encrypted iMessage and unencrypted SMS side by side within Apple’s default app. You’ll be familiar with the blue and green text bubbles that differentiate between the two. On Android you can select Signal as your default messenger, using Signal and SMS side by side, to deliver a similar user experience. This will give you the same experience as the end-to-end encrypted Android Messages, except it will work for groups and does not require beta installations for all those you choose to message. The latest production version of Signal will do just fine.

Just like iMessage, you’ll be able to see when your contacts are Signal-enabled or when you’re limited to what it calls “Unsecured SMS.” This integration is only available on your smartphone. Signal does not offer its desktop option for this integration. “We want to encourage users to move away from insecure legacy protocols,” it says. But the desktop Signal app will work just fine for your encrypted messages.

In shifting from Android Messages, you’ll lose the ability to send RCS messages to other RCS users. SMS within Signal is just the SMS basics. But Signal itself has the same rich chat functionality as other mainstream messengers, and you can encourage close friends, family and contacts to install the app. Signal used to be clunky but that has now changed, as it targets the mainstream with enhanced functionality, making it a viable default messenger when it was not before. 

When even Facebook strongly advises you to use end-to-end encrypted messengers, you should take note. And while Facebook Messenger (ironically) is nowhere close to adding this by default, its “secret conversations” are available. More importantly, Facebook-owned WhatsApp is the world’s leading end-to-end encrypted platform and has all the functionality offered by iMessage and Google’s RCS rollout.

Many Facebook Messenger users on Android have already set it as their standard messenger. While Facebook Messenger is not end-to-end encrypted by default, it is more secure than the fragmented SMS architecture operated by the networks. Yes, whenever a recipient is only on SMS this becomes moot, but you’ll find many more of your contacts on Facebook Messenger than Signal. That said, using Facebook Messenger by default is a bad idea for different reasons. Facebook is the hungriest data acquirer on your phone. Providing it with your SMS data makes little sense. WhatsApp does not provide an option to become the SMS messenger on Android, which would have been ideal given its huge install base.

So, why is SMS so bad security-wise? With SMS, your messages are encrypted between your phone and your network’s cell tower, preventing simple over-the-air interception. But once that message disappears into the network-to-network SMS architecture, all bets are off. Last year, a cyberattack on global carriers was found searching for SMS messages inside the networks at will. And, Haaretz recently reported on another sophisticated attack on an Israeli network to intercept SMS traffic.

When Google’s RCS rollout gained traction last year, one cybersecurity firm warned that RCS did nothing to resolve SMS vulnerabilities, and as such “exposes most mobile users to hacking.” The lack of security improvements with Android Messages “enables hackers to intercept and manipulate communication through a DNS spoofing attack.” Google did not respond when asked whether any of these issues have been addressed.

There’s more to iMessage than encrypting 1:1 or group messages within Apple’s ecosystem. Its innovative encryption architecture runs to multiple endpoints (your iPhone, iPad and Mac, for example) as fully-fledged apps, not scrapes from the phone’s database. This network of a user’s trusted devices allows a live backup to run within iCloud, one that’s end-to-end encrypted, which beats even WhatsApp’s unsecured backup options and lack of multiple device support. There is a security caveat with iMessage: if users back up their devices to iCloud then it stores a copy of the encryption key, but such backups are less relevant now with iCloud syncing and device-to-device transfers when upgrading.

Signal also offers multiple endpoint apps: you can run the app on your phone and your laptop or desktop, although there is no syncing between those endpoints and no rolling, cross-platform backup option. Signal does nothing that might compromise the integrity of its security. When upgrading to a new device, you can create a backup and manually transfer the file across. If you are still holding back from installing Signal and giving it a go, then bear in mind that Google’s new end-to-end encryption on RCS uses Signal’s encryption protocol, as does WhatsApp.

Despite its shortcomings, this Google move is welcome, especially given the increasing threat to end-to-end encryption from lawmakers around the world. This initial beta addresses the most striking issue with SMS and basic RCS: protecting your chats. But enabling cloud backups will break that level of security, essentially storing decrypted messages, and there’s no innovative architecture for handling multiple devices. The most glaring issue, though, is the lack of support for groups. Unless that is fixed, this encryption is fairly pointless. When that is fixed, this advice may change. But, until then, my recommendation is to use WhatsApp as your mainstream messenger, given its vast user base and despite its shortcomings, and to select Signal as your default Android messenger to shift away from unsecured SMS and RCS wherever you can.


