To be sure that our messenger really is the best offer on the market, we commissioned a comprehensive and detailed study of all popular messaging apps. Our focus was on comparing the features and functions we are implementing in Aegees. Just a day or two ago, the report finally arrived, a stack of paper taller than our testing team leader, and take our word for it, he’s a really tall guy! Of course, a great deal of it is very technical, which means we find it fascinating but it’s pretty dull for anyone else. There’s also some commercially sensitive information that we would prefer to keep in-house because it represents know-how that competitors would just love to get their hands on. Apart from all that though, there’s still a lot of exciting stuff we can and want to share with you, and we hope you’ll find it interesting. That’s why we’ve written this summary!
We deliberately chose not to include WhatsApp and Telegram in the study because, in our professional opinion, these messaging apps don’t really qualify as secure. WhatsApp stores all user contacts on its servers, bases user identification on phone numbers and has recently given up end-to-end encryption; in other words, it’s NOT secure, and DOESN’T ensure anonymity. Telegram stores keys and so-called “secret chats” on the device, which is better, but it doesn’t encrypt them!
Secure Storage Of Data
We have established that data storage is one of the critical vulnerabilities in most modern messengers, which is why we decided to develop and implement in Aegees a revolutionary approach to data security. This vulnerability breaks down into these vital components: applying a centralized approach to data storage; storing data on servers; and the unencrypted storage of data.
We addressed the last two elements of that triad of challenges by creating a crypto-container. It works like a safe that’s installed on the user’s device and keeps all app data, including messages, calls, contacts and so on, fully encrypted. It really is a groundbreaking solution because, as far as we know, no other messaging application uses anything like it.
To complete our data protection plan, over time we will implement a decentralized server infrastructure. While we work on this solution, we have no choice but to stick with the good old, well, certainly old but not that good, centralized approach combined with data encryption. Our motto is “never store unencrypted data on servers” because server security these days has more holes than Swiss cheese; just think of the recent security bulletins for HP, iLO and Exim, for example.
We want to do justice to Ring, Signal, Wickr and CrypViser by confirming that indeed, these messengers do encrypt all data and store it on the device. There is one big security gap here though: all that data is stored in the general file system that can be accessed through the OS and therefore by any third-party apps the user might install.
Some developers like to keep where their apps store data a huge secret; it’s hard to see why. We know for sure that SafeUM and Threema decided to stick to the server data storage approach, and we think that was a big mistake.
We also want to give credit to Bitwala, Briar, Obsidian, Paymon, Status, CrypViser and Token (Toshi) developers for having already implemented a decentralized server infrastructure. However, with Signal, operators can still log any app data on their servers if they wish. Briar, Gem and Wickr use end-to-end encryption just like Aegees. The rest either provide encryption as a separate optional paid-for service or don’t even mention it at all.
End-to-end encryption has been the talk of the town lately; many call it the most effective data protection solution there is. As you’ve probably heard, one of the market leaders, WhatsApp, recently dropped end-to-end encryption for messages to satisfy the demands of its new owner, Facebook, and the US government.
Of course, we too know something good when we see it, so we went right for it and implemented end-to-end encryption in Aegees. We are certainly not the only ones to do so; end-to-end encryption is used by Briar, Confide, e-Chat, Eleet, Ring, Sender, Signal, Status, Token (Toshi), Wickr, CrypViser, Threema, and Dust, but some of these apps implement it in such a way that the developers are able to read messages. In Aegees, we made that impossible; only the user and no one but the user will own and have access to their content.
Private Key and Network Transmission
We firmly believe that private keys must never… ever… be transmitted through networks, whether in full or in pieces. That’s why Aegees doesn’t support key transfer now, and we give our word that it never will. Apps like Briar, Ring, Signal, Wickr, and CrypViser all use the same approach.
Some messengers encrypt the key or parts of it before transfer, but in our opinion, modern computing capacities are such that precautions like that are entirely useless. It is almost as unsafe as transferring the key unencrypted. The key and/or any part of it must only be stored on the user’s device and never transferred via networks.
It’s only possible to verify that a developer means business by viewing the product’s source code. Without that, there is no way to know if the product truly delivers on all of its promises regarding functionality and security.
Being developers ourselves, we know that better than anyone, so we plan to disclose our source code when the time comes. We believe it gives us even more of a competitive advantage. Some other developers were thinking along similar lines: Briar, Ring, SafeUM, Signal and Token (Toshi) went open-source too.
It seems that some companies went for a halfway solution and only disclosed some data, but not enough to give a full picture of what the product can or can’t do. One example is Threema; the developer of that messenger did choose to provide access to the program but only to the application interface.
User Account Bans
For our product, Aegees, we plan to retain the right to block any account that distributes information concerning terrorism, drug trafficking, child pornography and any other anti-social abomination. We feel aligned with the developers of Signal, Ring and Dust who chose the same approach.
It is curious, though, that many developers have not disclosed any information about their rights to selectively ban such accounts. Our research shows that this is the case with Bitwala, Confide, Eleet, e-Chat, Gem, Kik, Obsidian, Paymon, SafeUM, Sender, Status, Token (Toshi), Threema, and Wickr. The only two messaging apps we have identified that really provide 100 per cent account privacy and immunity against any bans are CrypViser and Briar. The downside to this approach is that they are very likely to become the preferred networks for all sorts of extremists, traffickers and child porn distributors.
User IP Address
We are still undecided about the user IP address issue but expect to finalize our choice soon, and well before the global rollout. We will let you know about our decision through a press release. What we do know so far is that the only messaging app that definitely conceals the user’s IP address is Briar; but the price they pay for it is no iOS support, due to what we believe was a questionable approach to P2P layer implementation. We also know for sure that Dust and Signal do give user IP addresses to the provider; Ring has developed a decentralized network by which the IP address is traceable; while none of the other developers say a word about whether their messengers do or don’t hide the user’s IP address.
So Which Is The Most Protected?
Because it was our choice to compare the apps in the most neutral and objective way possible, we must admit that some messaging apps on the market can indeed compete with Aegees as it is now. All such messengers are open-source projects using a centralized data storage approach. Analyzing the pros and cons of products in this group, we humbly (actually not too humbly) believe that Aegees provides the best security.
While present-day encryption solutions are more or less uniform, Aegees has a definite and powerful advantage over all other similar products thanks to its innovative crypto-container solution, as well as a few other unique features, such as encrypted audio conferences.
Speaking of which, the only product that can do the same, apart from Aegees, is Microsoft’s Skype, but Aegees is different in that it gives the developer no control over encryption keys. We won’t ever be able to tap into our users’ conversations. All the other apps we are talking about offer no audio conferencing at all.
Even today, long before its full-scope completion, Aegees is the only messaging application on the market that offers these advantages to its users:
- All data transmissions are encrypted. All data is always stored encrypted;
- All user data is safely stored within a crypto-container installed on the device;
- Private keys never leave the user device;
- The developer has no control over encryption keys;
- Encrypted audio conferences are implemented.
Having done all that, we’re carrying on with our work to make Aegees even better, even safer, and we are committed to delivering the best offer on the market to our users.