What the Signal Private Messenger App Says About Security in our Information Systems
With total end-to-end encryption, Signal Private Messenger is the most secure messaging app to date. While total privacy is highly desired, enterprises may want a version that gives them oversight of the messaging traffic within their own network.
Security continues to be a major issue in enterprise computing, especially with mobile. I am unsure if we’ll ever be able to provide total security in an information system. However, we are beginning to provide high security in a number of cases. For example, a number of messaging apps, such as WeChat and Facebook Messenger, utilize ‘end to end’ encryption: once a message is written on the user’s mobile device, it stays encrypted from that point until it is decrypted on the receiver’s device, ensuring it’s read by the intended recipient and no one else. However, it also can’t be read by anyone who might have a rightful need, such as an IT administrator, or in response to a court order.
Signal Private Messenger, by Open Whisper Systems, tops WhatsApp as what appears to be the most secure messaging app ever created. The system is designed so that it retains no information from its users. As encrypted messages pass through the Signal Private Messenger server, it does not retain an address book of users; it merely keeps the first time and last time someone signed on, not the contents of the messages. Thus, none of the messaging conversations can be read by Signal Private Messenger. Only the person you send the message to has the key to decrypt the message.
The Signal Private Messenger app currently works only on iOS, spanning both mobile and desktop by cleverly setting up a secure link on the Mac desktop via mobile. The desktop app displays a barcode that is viewed by the phone’s camera and then binds the two devices together, pulling messaging contacts from your phone privately so that your message contact list is intact and available.
WhatsApp uses Signal Private Messenger for encryption internally but retains metadata on message activity: what time the messages occurred and between which people. In addition, WhatsApp communicates with the user’s contact list and accesses the user’s phone number as well.
Google’s new Allo messaging app uses its own encryption, but only in the Incognito mode of the service (in other words, you have to request it yourself). The same applies to Facebook Messenger, which only keeps message conversations private when the user enters Secret Conversation mode.
Signal Private Messenger definitely represents what appears to be the highest security available in a text messaging system, even outperforming WhatsApp. Signal appears to match the security built into Apple Pay. Once the Apple device is tapped next to the wireless payment icon in a retail outlet, a secure transaction is created that neither Apple nor anyone else can see throughout the entire payment process. Like Signal Private Messenger, Apple can’t see any of the financial transactions that are sent through the Apple Pay network.
The reigning question is: ‘Should applications that conceal data without the ability to monitor or retrieve it be allowed in the environment?’ Their use could impede e-Discovery, data retention and audit compliance requirements and could serve to circumvent security compliance. While total security may be a requirement, the question of whether the application can comply with the business policy and regulations that may govern an organization introduces business risk.