Think your private conversations on messaging apps such as Facebook Messenger, WhatsApp and Viber are secure? Researchers from Brigham Young University don’t think so.
In a recent study of popular messaging apps, the researchers found that most users don’t take extra steps to protect themselves either because they think they are safe enough or because they are unaware of the steps available to them to ensure an extra layer of security.
"We wanted to understand how typical users are protecting their privacy," said BYU computer science Ph.D. student Elham Vaziripour, who led the recent study. According to Vaziripour, users simply are not protecting themselves.
In the case of WhatsApp and Viber, although the messages are encrypted by default, an additional step—called an authentication ceremony—is necessary to ensure true privacy and security.
The reason that users aren’t protecting themselves, according to Vaziripour, is that most users don’t understand the step’s significance or are unaware of the step entirely. Vaziripour added that "it is possible that a malicious third party or man-in-the-middle attacker can eavesdrop on their conversations."
The authentication ceremony lets users confirm the identity of the person they are messaging with, ensuring that no additional party, not even the company responsible for the app, can intercept messages.
In their study, researchers asked participants to share their credit card account number with the person they were exchanging messages with (another participant). Despite the many warnings about potential threats and the instruction to make sure that their communication was confidential, only 14 percent of users were able to authenticate the recipient of their confidential message.
In a second part of the study, participants were told about the authentication ceremony and employed it when asked to send their credit card numbers to their message partner again. In this case, 79 percent of users were able to authenticate their message recipients.
Despite the extra layer of security, researchers found that the process of authentication took too long for the participants, 11 minutes on average.
"Once we told people about the authentication ceremonies, most people could do it, but it was not simple, people were frustrated and it took them too long," said Daniel Zappala, computer science professor.
"If we can perform the authentication ceremony behind the scenes for users automatically or effortlessly, we can address these problems without necessitating user education," said Vaziripour.
"Security researchers often build systems without finding out what people need and want," said Kent Seamons, computer science professor. "The goal in our labs is to design technology that's simple and usable enough for anyone to use."