Assessing the security of messenger applications

Written By fra juniper

Asking ‘Is WhatsApp secure?’ is asking the wrong question

Our clients often ask whether some messenger application is secure. This article explains why asking the question in this way is unhelpful and suggests a more helpful approach.

We live in a world where perfect security is impossible, and where the security of a messenger application is only one aspect of the complex system of systems that enables us to communicate. In this world, rather than focusing on the security of their messenger application, we recommend that people adopt a holistic approach to security. 

Why messenger application security is not a ‘yes/no’ question

The short answer is that, ultimately, no system is completely secure. Messenger applications are only one part of the complex system of systems that enables communication in the modern digital environment. The security of communication is a property of that system of systems, not of any one element within it. 

This means that even a relatively secure messenger application can be rendered ineffective by attacks on other parts of this system. This could be as simple as someone reading your screen over your shoulder, but it could also be much more complicated. As just one example, recent research has explored how Russia’s military and intelligence services exploit mobile devices captured on the frontlines to access the Signal messages of Ukrainian forces. The range of threat vectors arises because the security of the messenger application is just one piece of the puzzle.  

Not only are messenger applications one part of a wider system, but the applications themselves should also be understood as systems of systems. A single messenger application will work by combining, among other things, multiple encryption algorithms, protocols, and software libraries, as well as physical and digital infrastructure, often spread across multiple jurisdictions. These applications run on different operating systems, in different ways with varied hardware and firmware. These different systems are dynamic, capable of rapid change, and their interactions are complex, producing unpredictable outcomes. 

The security of messaging applications is dynamic, reflecting technical changes, but also political, economic, and legal factors. For example, one of the biggest threats to the security of your communications may be the way that the application developer uses your data to make money. Similarly, some developers will be subject to legal requirements to provide data to law enforcement or intelligence agencies. The role of political, legal, and economic factors alongside technical considerations is likely to be one of the reasons why technical authorities such as the UK National Cyber Security Centre do not comment on the security of even widely used messenger applications.

A more nuanced view of messenger security

Given this complexity, it is crucial to develop a more nuanced view of security. For example, a more useful question might be to ask whether application X is secure for a particular person, communicating a particular message, in a certain set of circumstances. 

These questions move beyond a binary view of ‘secure’ vs ‘insecure’ applications, and towards a more productive and granular engagement with the user’s threat model, the environment, and the specifics of the case. To see why this is important, consider that:

  • An ultra-high net worth individual faces different threats to a journalist exposing political corruption, to a research institution working on cutting-edge dual-use technology.

  • That operating in an authoritarian regime or an open conflict zone presents different challenges to operating in a liberal democracy with rule of law. Less starkly, there is a difference between operating on a public WiFi network versus a corporate network, and so on.

  • The content of the communications matters. Sharing recipe tips with family is different to discussing your company’s financials, or contacting an anonymous source. 

Exploring the breadth of considerations in this space underlines the importance of starting from a risk-based approach to security. Start by asking: how likely is it that the security of my communications could be tested? What would be the consequences of a failure of security around my communications? 

Understanding the threats to communication security

A user’s threat model should inform how they think about the security of their communications. For example, the threat model of a journalist operating in an authoritarian regime might encompass the likelihood of detention and interrogation, in the way that the threat model of a celebrity concerned about intrusion in their private communications might not. The security of messenger applications will matter for both these people, but in different ways. 

Developing a useful threat model requires developing a complete picture of the range of threats to the security of communications. Not all these threat vectors will be relevant or high risk for every user, but this needs to be assessed based on a holistic understanding.

Discussions of the security of messenger applications often focus on encryption. However, there are a broad range of vectors by which an adversary could seek to undermine the security of communications. An intelligent adversary will direct their efforts at the weakest aspects of security, for example targeting unencrypted data at rest on company servers rather than attempting to break encryption algorithms. Alternatively, if an adversary is able to install malicious software on the user’s mobile device, the security of the messenger application will be largely irrelevant.

The importance of these threat vectors will vary depending on the target’s threat model and circumstances. Threats enabled by physical access to the device or to the user may pose a greater risk for individuals living in countries with authoritarian systems of government, for example. The threat picture will be very different in active conflict zones, particularly where engaged forces have access to advanced surveillance and electronic warfare capabilities. 

Securing complex systems

Throughout this article we have emphasised the need to think holistically about the security of the overall system, rather than viewing aspects of the system in isolation. The security of communications made using a messenger application is a property of the security of that application, but also of the wider system of systems of which it is a part. Guidance issued by the US government in 2024, requiring senior government and political officials to use end-to-end encryption, reflected a concern that otherwise secure messaging applications might be rendered vulnerable by exploitation of the underlying telecommunications system. 

Moreover, in any practical scenario, this system of systems is almost certain to be complex, meaning that the behaviour of the overall system cannot straightforwardly be extrapolated from its current state. This also means that a group of systems that are each individually secure may, when combined, be insecure. As security practitioner Paul Martin observes, “Security risks are emergent properties of complex adaptive systems. They are capable of undergoing very rapid, non-linear changes, the outcomes of which are impossible to predict.”

In such a world, we cannot rely on the security properties of even the most well attested systems. If the risk around communication is high enough, then prudent actors will not rely on the security of technical systems alone. Users should therefore adopt a risk-based approach to operational security. If the loss of some security property around a message poses a high risk to you or others, then regardless of the assessment of the security of the communication system, there are mitigating measures that should be adopted. 

SECURED is approved by the NPSA to provide protective security assessments for companies, research institutions, and investors. Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture. We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability.  

If you have any questions, or to subscribe for further updates on this subject, please contact hello@secured-research.com.

fra juniper
Previous

Taiwan investigating Chinese-linked vessel following damage to subsea cable
Next

Seizure of Russian-linked vessel indicates shift towards active responses to hybrid threats