Web-based IM apps prone to hacking, security tests show

July 06, 2015 14:03
NCL chief executive Ronald Pong (inset) says web-based IM apps usually deploy the SSL encryption technology, which is less sophisticated and therefore more vulnerable to hacking. Photos: Bloomberg, Apple Daily

Web-based versions of five of six instant messaging apps (IM apps) commonly used in Hong Kong are prone to information leaks, Apple Daily reported on Monday, citing the results of a recent security test.

The test was conducted by NCL for the newspaper to determine if unauthorized parties can access private information sent via mobile and web browser versions of IM apps — WhatsApp, Telegram, Facebook Messenger, LINE, WeChat and Skype.

The mobile versions of the six IM apps were found secure as the transmission is conducted via Transport Layer Security (TLS) — the protocol that ensures privacy between communicating applications and their users on the internet.

When encrypted messages are intercepted in transit, they appear unintelligible to hackers and must be decrypted before the original messages can be recovered.

However, the performance of the web browser versions of five of the six IM apps was unsatisfactory due to the absence of high encryption protection, NCL chief executive Ronald Pong Pok-man said.

Original messages, photos and files sent via WeChat, Skype and Facebook Messenger can be intercepted and extracted right away. The same is true with WhatsApp, which is used for sending messages and photos.

Messages via Telegram are encrypted, but hackers will still be able to recover them through Google's spelling check services. 

(Telegram has reportedly gained popularity in Hong Kong political circles following the WhatsApp leak scandal involving instant messages between Legislative Council President Jasper Tsang Yok-sing and pro-establishment lawmakers on June 18.)

Facebook Messenger is the worst as the users’ friend lists, friends’ profile pictures and even photo albums could be hacked.

Currently, only the Japanese IM app, LINE, provides sufficient encryption protection for both its mobile and web-based services, a security upgrade the company initiated following last year's reports of massive hacking cases involving its user accounts.

Nonetheless, if spying malware has been installed on a user's smartphone, information will be leaked to hackers regardless of the encryption protocol provided by the IM apps.

For instance, the spying iOS app, ikeymonitor, can keep track of what iPhone users type on the keyboard or capture the screen every 30 seconds.

Francis Fong, honorary president of the Hong Kong Information Technology Federation, said private information such as user accounts, passwords and browsing history can be retained on public computers, and people should always log off their IM accounts and delete cookies in internet browsers after using a public computer.
