Beginner’s Guide to Secure Communication
In today’s world, it is harder than ever to remain private in our day to day lives. At best, social media companies have made a business from datamining our personal information and social activity, and then they use it to sell advertising. At worst, the government gathers up every byte of internet traffic they can and stores it in a massive database. And of course, there are countless sources of computer malware with any number of nefarious purposes. However, that does not mean there is no hope for privacy, and with the right knowledge, you can rest easy that your data is safe.
First, the foundation of all good security practices is to ensure your operating system itself is secure. Whether this is a mobile device running iOS or Android, or computer running Windows, macOS or Linux, an insecure operating system (aka the OS) has the potential to negate any other good security practices. Fortunately, the easiest way to ensure your OS is secure is simply to always keep it up to date through available automatic security updates. This ensures all the latest OS-level exploits and vulnerabilities are fixed on your device before hackers have a chance to take advantage of it. On the other hand, if you run an outdated operating system that no longer receives security updates (such as Android 5, Windows XP or Windows 7), every time a new exploit is discovered, it makes you more and more likely to become a victim to malware. It’s like building your home’s foundation on a bed of sand instead of bedrock. After this basic level of security is achieved, you can then fully benefit from other methods of secure communication.
There are plenty of other nuances to keeping your information safe, even just when using your computer or phone normally. For example, one universal but potentially insecure feature you use daily is the clipboard. By its very nature, anything you copy onto the clipboard is accessible by every app on your device (this applies to virtually all operating systems). This is necessary so that you can copy and paste no matter what software you’re using, but this can also be exploited by any potentially malicious apps or software. For example, if you copy and paste a password or credit card number, even after you paste it, it will likely remain in your clipboard indefinitely until you copy something else to overwrite the clipboard. If a malicious app is running in the background, it could be harvesting all of that clipboard data. Since iOS 14, apple is showing a notification whenever an app is using your clipboard. This has lead to some apps being caught for spying on users.
Another example of something to watch out for are keyboard apps on Android, an OS where it is possible to replace the default keyboard. To even function, keyboard apps obviously must have extensive privileges, including knowing what you are typing. This is not a problem if the keyboard is from a well-trusted developer or company. However, there have been several instances where keyboard apps turned out to be either purely malicious and stole money from users, or just poorly secured resulting in their information being leaked. There are many other examples of malicious apps being found on both the Google Play store for Android and the App Store for iOS, so it is always best to stick to apps from trusted developers and always double-check the permissions an app requests (if applicable) to ensure they are all necessary.
In addition to using trusted software and apps, you should also do the same even for hardware devices. Because hardware devices such as keyboards sometimes need custom drivers to be installed to work with a computer, you must consider the trustworthiness of the device manufacturer in the same way you would any other software developer. In at least one example, a popular gaming keyboard was found to be sending keystroke data to a company in China. There are even some instances of malware being preinstalled on brand new phones and computers. Therefore, it is always important to do at least some level of research about the trustworthiness of not just software, but also hardware.
A cornerstone of secure communication is known as end-to-end (or E2E) encryption. Simply put, this is when certain data is securely encrypted before leaving your device in such a way that only the final intended recipient is able to decrypt and read the data or message. You likely use another form of encryption daily without even realizing it when visiting any website that uses an “HTTPS” connection (usually indicated by the lock next to the website URL in your browser). This method of encryption is important, but it is not technically end-to-end encryption because it only protects the connection between your computer and the website server. End-to-end encryption, on the other hand, goes a step further in situations where you do not even want the app, website, or service provider being used to be able to see what you are saying. Many chat apps, video conferencing apps, and more offer this form of encryption to maximize security. For example, the popular chatting apps WhatsApp and Signal offer E2E encryption, so theoretically only the sender and the receiver of messages can view them, and not even the creators of the app can view the content. There are even software projects that allow you to encrypt text or data yourself using your own encryption keys before sending it over email for example, effectively giving you E2E encryption over a service that does not actually provide that level of security itself. However, doing this would require the recipient to also have software capable of decrypting your message.
When trying to determine the trustworthiness of a program or app, one factor to consider is whether it is “open source” or “closed source”. Open source means that the source code of the software is publicly available for anyone to review (usually with an associated license). Closed source, on the other hand, means the source code is kept private and is only known to the developer or company that owns the software. A major benefit of open source software is that if there is any suspicion about its legitimacy or intentions, one can simply look at the source code and see exactly what the app does and spot any malicious code. It also means if someone wants to improve upon the software themselves, they can by building upon the source code to create their own version.
Overall, it is not so difficult to maintain security and privacy in your communications. Ensure you are using trusted apps from well-established sources, be aware of the information you do give apps access to, and keep your devices themselves secure by keeping them up to date on the latest security patches.