
Are your SMS messages secure?

Short Message Service (SMS), more commonly known as texting, has been around for nearly 30 years and is slowly fading out. This may be for the best, as it is a little-known fact that SMS offers no encryption for sent or received text messages. If you use two-factor authentication (2FA) based on SMS, you should swap it for a 2FA verification app so that the code cannot be extracted via SMS.


It is possible for an adversary to steal SMS messages, extract metadata and even spoof messages from known numbers. The most common apps we use in our day-to-day lives, such as Snapchat, Slack, Instagram, Facebook, and Skype, are not end-to-end encrypted. Some applications provide the ability to send ‘Secret’ messages, but this is rarely enabled by users.

There are a few messaging apps that are end-to-end encrypted by default, which are more appropriate solutions for instant messaging:

iMessage

This Apple application supports end-to-end encryption. iMessage can only be used to communicate between Apple devices. Additionally, if your messages are backed up to iCloud, a copy of your device's private key is stored in the cloud.

WhatsApp

This application provides end-to-end encryption and supports a wide range of device types. It records some information such as sender, receiver and time – but not the contents of messages.

Wire

This application supports end-to-end encryption. We do not recommend syncing information across platforms/devices as records are stored in plain text.

Signal

Signal has been designed and built to collect as little metadata as possible while encrypting all communications with other Signal users via end-to-end encryption. Users can also set their messages to “self-destruct” and add separate lock screens for their chats as additional layers of security.



©2020 by InPhySec.