End-to-End Encrypted Communications: Phone Apps | Security Education Companion Skip to main content
Security Education Companion
A free resource for digital security educators
Planner (0)

End-to-End Encrypted Communications: Phone Apps

Last modified July 18, 2018
  • English

Help your learners build a foundational, general understanding of how end-to-end encrypted messaging works to protect their communications. In this lesson, we’ll start with generally exploring “private communication” and “encryption,” and then dig a bit deeper with the basics (and limitations!) of end-to-end encryption. After this lesson, your learners should be ready to learn about selecting, installing, and using end-to-end encrypted messaging apps.

Recommended Reading

Gotchas and Problems You Might Hit

  • What if participants don’t have their mobile devices?
  • What if participants don’t own their mobile devices, or fear that their devices are already compromised by malware?
  • What if participants don’t want to give their phone number? Do you have a backup activity, or a practice phone number they can contact?
  • What if participants feel uncomfortable with other people in the room? What if people don’t know each other?

Anticipated Questions and Answers

Q: Why do you recommend these apps over [insert other app here]?

A: The facilitator should refer to this piece about how EFF makes its decisions on tools.

They’re end-to-end encrypted by default.

They’re free and they work on both Android and IOS phones.

These apps also have great security features. Apps like Signal, WhatsApp, and Wire use something called forward secrecy. A short summary is that the app encrypts each message with a new set of encryption keys. It protects past messages against future compromises, like if someone was to somehow acquire your secret keys. This is different than something like end-to-end encrypted email, where the encryption keys stay with the user indefinitely until they choose to generate new keys (perhaps years later). If a bad actor gets ahold of their private key, that bad actor can decrypt all their previously sent messages.

Q: Isn’t WhatsApp owned by Facebook? What does that mean?

A: Yes. WhatsApp initially promised to not share data with Facebook, and then changed its stance. WhatsApp is still end-to-end encrypted, but they are sharing metadata with Facebook, like who is contacting whom. A benefit, however, is that WhatsApp is a mainstream app, which means it’s more likely you’ll have friends and contacts who also use it. To read more about EFF’s materials regarding Whatsapp, see the SSD guides for how to use WhatsApp for Android and for iOS.

Q: What if I want to anonymously communicate?

A: This is a different series of concerns than just wanting to have the content of your communications remain private. Do you prefer not to be associated with the person you are chatting with? This might be important for a journalist chatting with a source, a whistleblower, etc. The metadata of you chatting with a sensitive person (and vice versa) has a different set of risks and considerations. None of the tools we’ve talked about provide anonymous communication.

If anonymity is a concern for you, we can chat after the workshop.

Q: Does Signal really not retain that information? How can you know?

A: You can refer participants to this grand jury subpoena letter from the FBI in 2016:  https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/)

However, they should know that if Signal were to receive a U.S. court order, they may be forced to collect this kind of information going forward.

Q: I heard that people can hack into Signal. Is that true?

A: No. The most method of compromise for Signal is from malware on your device. Malware can infect your device if, for example, you download a malicious file or click on a phishing link. No end-to-end encryption tool can protect your messages if the endpoint (your device) is compromised by malware. This doesn’t mean that the end-to-end encryption provided by the tool doesn’t work--just that it has limitations.

Q: What if I don’t want to use my real phone number?

A: You have several options. You can use Wire. Or, if you’re based in the US, you can get a Google Voice phone number or a Twilio phone number to pseudonymously communicate. You can also replace your SIM card.