Facebook Messenger has transformed from a secondary feature within Facebook into a blockbuster mobile app in its own right. It reached 800 million users at the start of 2016 (up from 700 million in November 2015) and has effectively been spun off from the traditional Facebook app, with its own ecosystem of compatible apps, stickers and chat bots.
Some of its evolution is just Facebook playing catch-up with messaging titans such as WeChat, LINE and Viber, all of which have sported similar features for months if not years. But it is safe to say that outside of East Asia, Facebook Messenger will have greater reach than any of these competing services, which means that it will be under particularly high pressure from scammers and cybercriminals.
More specifically, messaging services may increasingly be attacked for shortcomings in how they encrypt and store messages. The rapid development of mobile messaging over the last decade or so has in some cases left security measures behind.
What went wrong in a previous version of Facebook Messenger
We looked at a few of the issues with Facebook Messenger in a previous post. To recap, in early June 2016, security researchers discovered a flaw in both the mobile (apparently just the Android version) and web versions of Facebook Messenger. It worked as follows in the proof-of-concept:
- The message ID had to be obtained via a browser debugging tool and inspection of the page's HTML.
- This ID could then be used in a request that modified the content of the already-sent message, for example inserting a link to malware.
- Finally, the modified message was sent back to Facebook's servers, which stored it and delivered the new content to the designated chat recipients.
Perhaps the most important thing to note about this exploit is that it was in some sense a “feature, not a bug,” to use the adage that is sometimes brought up to make light of software-related issues. The server honoured an edit request for a message it already held, and it could do so only because it held that message in readable form. Unlike many other mobile and desktop messaging services, Facebook Messenger as of July 2016 lacked end-to-end encryption. Accordingly, messages could in principle be modified by Facebook itself, or by any other party with access to its servers, without the recipient having any way to tell. With end-to-end encryption that authenticates each message, the server holds only ciphertext it cannot rewrite, and any alteration fails the recipient's integrity check.
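The following is an added illustration, not code from the original post or from Facebook, of the two points above: a relay that stores readable messages and honours an "edit by message ID" request (the shape of the proof-of-concept described above) lets whoever can issue that request rewrite what the recipient sees, whereas an end-to-end authenticated ciphertext cannot be rewritten without detection. The `Relay` class, the message texts and the key are all constructed for the example, and the cipher is a toy encrypt-then-MAC built from HMAC-SHA256 so that it runs with the standard library; it stands in for a real AEAD and must not be reused as a cipher.

```python
import hashlib
import hmac
import secrets

# Toy E2EE (assumption for this example): HMAC-SHA256 keystream plus HMAC tag,
# standing in for a real AEAD such as AES-GCM or ChaCha20-Poly1305.

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def e2e_seal(key: bytes, plaintext: bytes) -> bytes:
    """Sender side: returns nonce || ciphertext || tag; the tag covers both."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def e2e_open(key: bytes, sealed: bytes, verify: bool = True) -> bytes:
    """Recipient side. verify=False models a client that skips the tag check,
    included only to show what the tag protects against."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if verify:
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("message failed authentication: modified in transit or at rest")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Relay:
    """Hypothetical chat server: stores messages by id and honours an edit
    request for any id it knows, with no check on who is asking."""
    def __init__(self):
        self._store = {}
        self._next_id = 1

    def send(self, sender: str, recipient: str, body: bytes) -> int:
        mid = self._next_id
        self._next_id += 1
        self._store[mid] = {"from": sender, "to": recipient, "body": body}
        return mid

    def edit(self, message_id: int, new_body: bytes) -> None:
        self._store[message_id]["body"] = new_body

    def inbox(self, recipient: str) -> list:
        return [(m["from"], m["body"]) for m in self._store.values() if m["to"] == recipient]

# Constructed sample messages: same length, only the link's domain differs.
ORIGINAL = b"Deck: https://example.org/q1-deck"
REPLACED = b"Deck: https://example.net/q1-deck"

def plaintext_edit_scenario() -> bytes:
    """No E2EE: the relay holds readable content, so an edit for the message id
    silently replaces what the recipient will read."""
    relay = Relay()
    mid = relay.send("alice", "bob", ORIGINAL)
    relay.edit(mid, REPLACED)
    return relay.inbox("bob")[0][1]

def malleate(sealed: bytes, known: bytes, wanted: bytes) -> bytes:
    """Best effort for a relay that cannot decrypt: XOR the difference between a
    guessed plaintext and the wanted one into the ciphertext (bit-flipping).
    This rewrites any unauthenticated stream cipher; lengths must match."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    ct = bytes(c ^ a ^ b for c, a, b in zip(ct, known, wanted))
    return nonce + ct + tag

def e2e_edit_scenario(key: bytes, verify: bool = True) -> str:
    """E2EE: the relay sees only ciphertext. Even if it guesses the original
    text and flips bits, an authenticating recipient rejects the result."""
    relay = Relay()
    mid = relay.send("alice", "bob", e2e_seal(key, ORIGINAL))
    relay.edit(mid, malleate(relay.inbox("bob")[0][1], ORIGINAL, REPLACED))
    try:
        return e2e_open(key, relay.inbox("bob")[0][1], verify=verify).decode()
    except ValueError:
        return "rejected"

if __name__ == "__main__":
    k = secrets.token_bytes(32)  # shared key; real clients derive it via key agreement
    print("plaintext relay, bob reads:", plaintext_edit_scenario().decode())
    print("E2EE, client that skips the tag check reads:", e2e_edit_scenario(k, verify=False))
    print("E2EE, authenticating client:", e2e_edit_scenario(k))
```

The `verify=False` path is the instructive one: the bit-flipped ciphertext decrypts cleanly to the attacker's link, so confidentiality alone would not have helped here. It is the authentication tag, checked on the recipient's device rather than on the server, that turns "the server can rewrite messages" into "the server can only break messages."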
The flaw was patched shortly after it was revealed. Facebook described it as a “low risk” incident that, if exploited in the real world, would likely have been caught by the company’s anti-spam and anti-malware filters.
So the cause for concern here is less about what happened in this specific case and more about what could happen if attackers were to discover more efficient ways of carrying out fraud and message alteration on chat platforms, Facebook Messenger included, in the absence of sufficient encryption. Encryption has been a hot topic in recent years due to vulnerabilities such as Heartbleed in OpenSSL, along with the ongoing revelations about the extent of government and corporate surveillance of mobile communications.
Is end-to-end encryption the fix for mobile app security shortcomings?
Both WhatsApp (which is owned by Facebook) and Viber activated end-to-end encryption in early 2016. Moreover, they enabled it by default. Facebook Messenger itself may be going in a similar direction in the second half of 2016, although there are still questions about its upcoming implementation in particular and about end-to-end encryption for mobile messaging in general.
Let’s start with the existing end-to-end encryption implementations. Viber called attention to itself in April 2016 when it opted not to reveal the details of how it had set up the encryption, leading some researchers to suspect that a weak primitive such as the MD5 hash (a broken hash function, not a cipher) might be in use. Without a published protocol and code, outside researchers cannot check the implementation, and end users have only the vendor's word that their messages are actually secure from prying eyes.
Facebook-owned WhatsApp was more open about how it had pursued encryption. However, Facebook itself may be set to make the Facebook Messenger encryption opt-in, meaning that many of its users may miss out on the added privacy protections. There are several possible explanations for why this setup may be Facebook’s preference, including its desire to balance security considerations with its interest in mining chats for data. End-to-end encryption by default would mean that message content is readable only on the two endpoints: not by Facebook's servers and not by any network operator in between. The transport encryption already in use hides content from the Internet service provider; what end-to-end encryption adds is keeping it from the service itself. Metadata such as who messaged whom, and when, typically remains visible to the service either way.
The importance of getting messaging security right
Chat apps have become centerpieces of the mobile experience, displacing SMS and becoming further integrated with other services for commerce and transportation. The coming wave of chat bots, which are pieces of artificial intelligence that can interpret requests and interact with human interlocutors, will likely continue to bolster the position of messaging as an even more important communication tool than email.
“We are steadily moving away from email as our regular means of online communication; in fact, as far back as 2005, a Pew study concluded that almost half of web-using teenagers preferred to keep in regular contact over instant messaging rather than email,” explained Trend Micro’s Rik Ferguson. “The intervening years have of course seen the rise of the behemoth that is Facebook and the (not so) young pretender, Twitter, and these integrated platforms have led in their turn to the decline of standalone instant messaging.”
Ideally, end-to-end encryption will be widely implemented and easy to enable. It remains to be seen how Facebook and others will weigh security risks against business objectives. Individuals should opt in where end-to-end encryption is optional, check its status when using Facebook Messenger and other platforms, and, where the app exposes a key fingerprint or security code, compare it with the other party out of band: end-to-end encryption only keeps the service out of a conversation if the keys really belong to the two endpoints.