1. olga421's Avatar
    I would like to know honestly which IM is the most secure to use, because I do discuss sensitive info with family and friends, so is BBM, imessage, whatsapp, google chat, and or plain texting which one is the best...thank you

    Posted via CB10
    02-25-15 02:56 PM
  2. pogly2's Avatar
    Bbm pin stays with you not a phone #

    Posted via CB10
    02-25-15 04:11 PM
  3. pogly2's Avatar
    Google watches everything and everyone. Use google as little as possible

    Posted via CB10
    Bonnie Bonzai likes this.
    02-25-15 04:12 PM
  4. tollfeeder's Avatar
    The most secure is probably Jabber with OTR, but you won't find that on BB10. There are Clients for Android though.

    Posted via CB10
    02-25-15 04:18 PM
  5. lasouthern's Avatar
    Telegram has a bb10 app. It has secure chats.

    Posted via CB10
    02-25-15 08:44 PM
  6. Old_Mil's Avatar
    Chat secure, silent text if you can find it. I have yet to be able to do a secure chat with Telegram.

    Posted via CB10
    02-26-15 12:38 AM
  7. jdesignz's Avatar
    I would like to know honestly which IM is the most secure to use, because I do discuss sensitive info with family and friends, so is BBM, imessage, whatsapp, google chat, and or plain texting which one is the best...thank you

    Posted via CB10
    I think all IM are. Having an email and password or mobile digits as your login is already considered secured unless you give others your information then it won't be. If you don't want others see your sensitive info, then don't give them or don't let them know. Easy as pie. It's like posting personal stuff on social media, think before you post. And if you're just an ordinary person that government or feds don't have anything to do with your sensitive info then you have nothing to worry about.

    Back to topic, BBM is secured. We all know that. Be sure to convince your friends and family to have BBM on their devices too. But if they won't, then you have to use other alternative or the ones that they use. Hth

    PasaportePilipinasSQW100-1/10.3.1.2267
    02-26-15 01:07 AM
  8. Maxxxpower's Avatar
    Back to topic, BBM is secured.
    I wonder how long this myth will stay alive...
    Magnetox likes this.
    02-26-15 02:44 AM
  9. Taigatrommel's Avatar
    I always heard Threema is one of the most secure public IM available. Problem: Not available for BB10 of course and according to their website, they have no plans supporting it either

    Posted via CB10
    02-26-15 04:50 AM
  10. faab's Avatar
    Threema was available on Amazon app store a while ago.
    I just searched it and it seems to be no longer available!?

    Posted via CB10 on my ZED10
    02-26-15 06:21 AM
  11. pfe1223's Avatar
    I would like to know honestly which IM is the most secure to use, because I do discuss sensitive info with family and friends, so is BBM, imessage, whatsapp, google chat, and or plain texting which one is the best...thank you

    Posted via CB10
    Here are some quick thoughts on each of the services that you mention:
    • SMS - Not secure or private at all.
    • Google Hangouts - Most likely secure, but certainly not private. Google makes their money on advertising. I would be surprised if they didn't do keyword scanning. In addition, Google saves chat history by default. That weakens your privacy. Google doesn't like letting other people in on their data, so I bet they go to good lengths to keep the data encrypted and out of sight of others.
    • Whatsapp - Recently switched over to the encryption algorithms of Whisper Systems, which is run by a respected cryptographer Moxie Marlinspike. He has an excellent reputation in the security community. I believe that there is a nominal fee to use the service, but Facebook is an advertising company. Are they trying to leverage Whatsapp data? No idea. There has been a recent report that Whatsapp is leaking data, but it is not the messages themselves (again, Moxie's crypto is solid). Rather, info about your profile could be accessed.
    • iMessage - Lots of talk about how secure this is, and respected people in security have studied publicly available material and agree. However, iMessage is not private. The following may be applicable to any service that allows you to have access to your messaging service on multiple devices. In order for iMessage to work seamlessly across your iPhone, iPad, and OSX device, Apple needs to manage the private keys. That is, when I add a new iMessage capable device, Apple uses my private key to decrypt on the new device. Because Apple manages my keys, I can never be certain how many keys there are, and who has access to them. Apple isn't an advertising company, and they are not keen on helping the government keep tabs on everybody all of the time. I think Apple is a fairly trustworthy company in this regard. However, you cannot say this is a private messaging service when a third party controls the keys. To get really paranoid, all the government would have to do is issue a National Security Letter for Apple to create another key for an iMessage. Now all of their messages can be decrypted by the government. All in all, Apple does a good job with their messaging service, but if you want to talk about security and privacy in the strictest terms, it is not a perfect service.
    • BBM - Sadly BBM does not fare all that well on the security front. Here is some info about BBM from Episode 427 of the Security Now Podcast (great resource if you are interested in security): Steve: Yes. That's the problem. "The key used is a global cryptographic key that is common to every BlackBerry device in the world. This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed. Further, unfriendly third parties who know the key could potentially use it to decrypt messages captured over the air. Note that the 'BlackBerry Solution Security Technical Overview' document published by RIM specifically advises users to 'consider PIN messages as scrambled, not encrypted.'" I am guessing that their enterprise solutions are better than their free consumer messaging. I also like the idea of Blend because you avoid the third party key management mentioned in the iMessage section. Regardless, you may want to look beyond BBM if you are serious about security.


    I also see some mentions of Telegram in this thread. I hate to say more negative things, but Telegram is not secure. Moxie Marlinspike called them out a while ago on his blog regarding their encryption. Basically, they did not go with any of the trusted algorithms already out there, and decided to make their own. To counter Moxie's claims, Telegram held a security contest. If you could decrypt the message, then you won a bunch of money. Moxie replied that you could take an encryption algorithm that is already compromised and make it seem impenetrable by setting the parameters of the contest in a particular way. He was implying that Telegram did exactly that. Sure enough, Telegram has a weakness.

    So, what should you use? Security expert Steve Gibson (of the aforementioned Security Now podcast) really likes Threema. I believe it is iOS only. Threema offers three levels of security, the highest of which requires you to scan a QR code. Thus you have to meet the person face-to-face to make sure that they are who they say they are. Moxie Marlinspike offers his own secure products. On Android, the messaging app is TextSecure, and he has a voice app called RedPhone. On iOS, he offers something called Signal. Right now, Signal does encrypted calling, but messaging is planned for the future. He will also combine the voice and messaging of his Android products as well. As long as Facebook monetizes Whatsapp through the subscription fees and does not harvest the data for advertising, it could be a solution. Whatsapp is looking to add a web interface. I don't know if this means more third party key management as well. Security is hard, and it is often not the crypto that fails. It is almost always the systems around the crypto that provide the weakness. Good security is also not very user friendly. To make things "just work" you often make some sacrifices to security.
    02-26-15 06:26 AM
  12. diegonei's Avatar
    BBM is secure if you are on a BES, period. No myth there, period.

    BBM is somewhat secure if you are on BIS, since it has to go through the NOC and the NOC does encrypt the messages.

    BBM 10 is as secure as BBM on a BIS. Maybe a bit more even due to the layered security explained in a blog post I am not gonna hunt for you.

    WhatsApp recently promised to do end-to-end encryption. Some blogger claimed it was the most secure of all IMs, YET it's the one we are constantly hearing about being hacked.

    Posted via CB10
    02-26-15 08:06 AM
  13. stevobbm's Avatar
    I would say that most im's are as secure as the user.

    If someone can lift up your device and read your messages, then NO im is secure.

     Z10
    diegonei and jdesignz like this.
    02-26-15 08:21 AM
  14. Old_Mil's Avatar
    With regards to Text Secure and Redphone they are indeed good apps. Neither is available on Amazon's app store.

    They are available from 1 Mobile Market.

    Text Secure won't install on a blackberry because it requires Google Play Services.

    Redphone did install but the SMS verification didn't work and I had to have it call me with a verification code which I entered manually. I am going to install it on my wife's Z30 and try a call today.

    Chat secure is available from the Amazon app store and installs but I am having trouble getting it to connect to the jabber server I created accounts on.

    As cited earlier, unless BlackBerry makes changes, BBM is not secure outside of BES.

    Posted via CB10
    02-26-15 08:30 AM
  15. jagrlover's Avatar
    Here are some quick thoughts on each of the services that you mention:
    • SMS - Not secure or private at all.
    • Google Hangouts - Most likely secure, but certainly not private. Google makes their money on advertising. I would be surprised if they didn't do keyword scanning. In addition, Google saves chat history by default. That weakens your privacy. Google doesn't like letting other people in on their data, so I bet they go to good lengths to keep the data encrypted and out of sight of others.
    • Whatsapp - Recently switched over to the encryption algorithms of Whisper Systems, which is run by a respected cryptographer Moxie Marlinspike. He has an excellent reputation in the security community. I believe that there is a nominal fee to use the service, but Facebook is an advertising company. Are they trying to leverage Whatsapp data? No idea. There has been a recent report that Whatsapp is leaking data, but it is not the messages themselves (again, Moxie's crypto is solid). Rather, info about your profile could be accessed.
    • iMessage - Lots of talk about how secure this is, and respected people in security have studied publicly available material and agree. However, iMessage is not private. The following may be applicable to any service that allows you to have access to your messaging service on multiple devices. In order for iMessage to work seamlessly across your iPhone, iPad, and OSX device, Apple needs to manage the private keys. That is, when I add a new iMessage capable device, Apple uses my private key to decrypt on the new device. Because Apple manages my keys, I can never be certain how many keys there are, and who has access to them. Apple isn't an advertising company, and they are not keen on helping the government keep tabs on everybody all of the time. I think Apple is a fairly trustworthy company in this regard. However, you cannot say this is a private messaging service when a third party controls the keys. To get really paranoid, all the government would have to do is issue a National Security Letter for Apple to create another key for an iMessage. Now all of their messages can be decrypted by the government. All in all, Apple does a good job with their messaging service, but if you want to talk about security and privacy in the strictest terms, it is not a perfect service.
    • BBM - Sadly BBM does not fare all that well on the security front. Here is some info about BBM from Episode 427 of the Security Now Podcast (great resource if you are interested in security): Steve: Yes. That's the problem. "The key used is a global cryptographic key that is common to every BlackBerry device in the world. This means any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device, if the messages can be intercepted and the destination PIN spoofed. Further, unfriendly third parties who know the key could potentially use it to decrypt messages captured over the air. Note that the 'BlackBerry Solution Security Technical Overview' document published by RIM specifically advises users to 'consider PIN messages as scrambled, not encrypted.'" I am guessing that their enterprise solutions are better than their free consumer messaging. I also like the idea of Blend because you avoid the third party key management mentioned in the iMessage section. Regardless, you may want to look beyond BBM if you are serious about security.


    I also see some mentions of Telegram in this thread. I hate to say more negative things, but Telegram is not secure. Moxie Marlinspike called them out a while ago on his blog regarding their encryption. Basically, they did not go with any of the trusted algorithms already out there, and decided to make their own. To counter Moxie's claims, Telegram held a security contest. If you could decrypt the message, then you won a bunch of money. Moxie replied that you could take an encryption algorithm that is already compromised and make it seem impenetrable by setting the parameters of the contest in a particular way. He was implying that Telegram did exactly that. Sure enough, Telegram has a weakness.

    So, what should you use? Security expert Steve Gibson (of the aforementioned Security Now podcast) really likes Threema. I believe it is iOS only. Threema offers three levels of security, the highest of which requires you to scan a QR code. Thus you have to meet the person face-to-face to make sure that they are who they say they are. Moxie Marlinspike offers his own secure products. On Android, the messaging app is TextSecure, and he has a voice app called RedPhone. On iOS, he offers something called Signal. Right now, Signal does encrypted calling, but messaging is planned for the future. He will also combine the voice and messaging of his Android products as well. As long as Facebook monetizes Whatsapp through the subscription fees and does not harvest the data for advertising, it could be a solution. Whatsapp is looking to add a web interface. I don't know if this means more third party key management as well. Security is hard, and it is often not the crypto that fails. It is almost always the systems around the crypto that provide the weakness. Good security is also not very user friendly. To make things "just work" you often make some sacrifices to security.
    Someone correct me if I'm wrong, but aren't BBM and PIN messages different things?

    Posted via CB10
    02-26-15 08:50 AM
  16. stevobbm's Avatar
    As far as I know, yes.

    I know that pin messages are not secure at all, but that's ok.

    I haven't heard of anyone hacking bbm, someone correct me if I'm wrong.

     Z10
    02-26-15 09:14 AM
  17. pfe1223's Avatar
    To those wondering about BBM and PIN messages with regards to the quote I used from Steve Gibson. I found some more up to date info from BlackBerry. This site has official documentation (PDF to download) about BBM security. It was last updated in December 2014. From page 7 of the document:
    Each device uses the same global BBM encryption key, which BlackBerry adds to the device during the manufacturing process.
    This confirms what Gibson said earlier. Now, there is a BBM Protect service and the BES offerings. I am no security expert, but I looked through the documentation, and there are plenty of the good buzzwords you would want to see when talking about secure messaging.
    Last edited by pfe1223; 02-26-15 at 10:11 AM. Reason: Added link to documentation
    02-26-15 10:07 AM
  18. meagvg's Avatar
    I use Threema with both iOS and a 10.3 leak on a Q10.

    The UI on the iPhone is fluid and nicely done. Not so "pretty" on the Blackberry, but it works well. I use it with my Blackberry to message with several contacts on iPhones.

    Notifications are the sticking point. They are a hassle to implement regarding volume levels, etc. I've used it with and without Hub++ and Bebuzz. Seems to work better without either of those programs on board.

    It'll poll every 15 minutes for messages, but there's no way to get true push unless you've interacted with the program within the 15 minute window. An incoming message must be opened and read before it'll notify of another message.

    Without a plug-in (that can't be installed), you're unable to take advantage of the QR code scanning for face-to-face authentication.
    02-26-15 10:21 AM
  19. MobileMadness002's Avatar
    I wonder how long this myth will stay alive...
    Until you show us Proof of Concept and read other persons conversations.
    02-26-15 10:23 AM
  20. Maxxxpower's Avatar
    I haven't heard of anyone hacking bbm, someone correct me if I'm wrong.
    Wrong.
    a) How the NSA Spies on Smartphones Including the BlackBerry - SPIEGEL ONLINE
    b) Not exactly a hack, but even worse: Indian government now able to tap BBM messages | CrackBerry.com Wouldn't be possible if BBM was truly end-to-end encrypted/secure
    Further information:
    https://www.christopher-parsons.com/...nger-security/

    Until you show us Proof of Concept and read other persons conversations.
    LMAO
    02-26-15 11:11 AM
  21. diegonei's Avatar
    Wrong.
    a) How the NSA Spies on Smartphones Including the BlackBerry - SPIEGEL ONLINE
    b) Not exactly a hack, but even worse: Indian government now able to tap BBM messages | CrackBerry.com Wouldn't be possible if BBM was truly end-to-end encrypted/secure
    Further information:
    https://www.christopher-parsons.com/...nger-security/
    BIS. BlackBerry has the control over the key they use for BIS. If a government passes law that forces them to either cooperate or terminate service, since they can't terminate service, they cooperate.

    BUT BIS. BIS. BIS YOU HEAR? Ok, so. BES is a completely different ballgame. The client has the BES keys BlackBerry wouldn't be able to look into anything you send over BBM since the key is not the one they use. Same for anything going through the NOC.

    And that NSA thing? 2010. IF it's true, it's BBOS, not BB10. And I bet you a horse RIM patched it long ago.

    Oh, one more thing, using a common key to all devices does not mean easy access to the messages as one would first have to hack the OS to grab the keys. Be my guest proving that BBOS and BB10 have been hacked.

    Do you know what else? 2011 England riots. Yeah. Decrypting user's messages is necessary sometimes.
    Last edited by diegonei; 02-26-15 at 02:10 PM.
    02-26-15 01:52 PM
  22. Maxxxpower's Avatar
    BIS. BlackBerry has the control over the key they use for BIS. If a government passes law that forces them to either cooperate or terminate service, since they can't terminate service, they cooperate.
    Yeah that's exactly the problem. Blackberry shouldn't have control over the key and offer full end-to-end encryption to anybody just like other IMs do.

    BUT BIS. BIS. BIS YOU HEAR? Ok, so. BES is a completely different ballgame. The client has the BES keys BlackBerry wouldn't be able to look into anything you send over BBM since the key is not the one they use. Same for anything going through the NOC.
    Yeah; I know, buddy. BES is not of any interest for any "normal" Blackberry user posting here and asking what IM to use. So forget BES (or the overpriced BBM Protected) in this thread.

    And that NSA thing? 2010. IF it's true, it's BBOS, not BB10. And I bet you a horse RIM patched it long ago.
    BBM security architecture has not been improved except for BBM Protected users. Wanna pay $30 a year and ask all your friends to do the same?

    Oh, one more thing, using a common key to all devices does not mean easy access to the messages as one would first have to hack the OS to grab the keys. Be my guest proving that BBOS and BB10 have been hacked.
    You don't have to hack the OS to get the keys. You have to intercept communication and analyze it. That's what the NSA probably did. They got full access to BIS data. They didn't have to hack every single Blackberry device.

    Conclusion:
    Nice try buddy, but BBM is and stays insecure.
    02-26-15 02:09 PM
  23. nah.uhh's Avatar
    Originally posted this on another thread
    1) BBM still passes through BlackBerry infrastructure/servers
    2) Triple DES is only for BB-BB, which includes BBOS 7.1 etc
    2.1) when the connection to the BlackBerry infrastructure: BBOS always uses 3DES and adds TLS.. but only over WIFI.
    BB10 always uses both.

    BBMx doesn't use 3DES but always uses TLS. So *no, android bbm isn't scrambled.* The connection is encrypted.. to an extent. Messages from bbos via mobile network to BBMx are 3des encrypted on their way to the server, but drop the encryption at the server and add TLS before sending to bbmx (and vice versa. This implies that the messages between bbos and bbmx are in plain text once when being processed at the server? )
    Attachment 326997

    3) BBM voice/video transmission is a weird one..
    - the call handshake is performed over TLS only, no 3des
    - the actual call is done over UDP / TCP, without TLS
    - if both callers are on the same WIFI network, the call will only access the Internet for the handshake, the actual call is done locally:

    Attachment 326998
    http://forums.crackberry.com/blackbe...android-990060

    PassportSQW100-1/10.3.1.2480
    02-26-15 02:16 PM
  24. pfe1223's Avatar
    I think there is some conflation with being truly secure and being secure enough. Most of what you see is secure enough. If you want to be absolutely secure then, as Mr. Gibson says, trust no one (TNO). BBM (and many other secure messaging services) are not TNO. Is BBM secure enough? Depends. A true TNO system would not have one key used for all encryption and decryption. Willfully forgoing extra security measures is placing a certain amount of trust in someone or something. Declaring that BB10 can't or won't get compromised is hubris. The question is, what happens when a BB10 device is compromised? One compromised device could lead to the unlocking of every BBM message ever sent. That was a deliberate decision on BlackBerry's part, and it is a decision that limits how secure BBM can be considered. It is also a decision that makes their paid services much more appealing as well.
    02-26-15 02:22 PM
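
Added example, not part of the thread and not BlackBerry's code: a small Python model of the point made in posts 17 and 24 above, comparing what one compromised device exposes when every device holds the same global key versus when each pair of devices holds its own key. The device names, messages and the HMAC-based toy cipher are assumptions made for illustration; it does not reproduce BBM's actual encryption.

```python
import hashlib
import hmac
import secrets
from itertools import combinations, permutations

# Constructed device names; not taken from the thread.
DEVICES = ["alice", "bob", "carol", "dave"]


def _subkeys(key):
    """Derive separate encryption and MAC keys from one secret."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_stream(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode). A stand-in, not BBM's cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC, so a wrong key is detected rather than yielding garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Return the plaintext, or None if this key does not match the message."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, nonce, body)


def build_network(shared_global_key):
    """Return (keystores, captured): keys held by each device, and all wire traffic."""
    keystores = {d: {} for d in DEVICES}
    if shared_global_key:
        # One key provisioned into every device, as in the quoted documentation.
        global_key = secrets.token_bytes(32)
        for a, b in permutations(DEVICES, 2):
            keystores[a][b] = global_key
    else:
        # Assumption: each pair already agreed on its own key (key agreement not modeled).
        for a, b in combinations(DEVICES, 2):
            keystores[a][b] = keystores[b][a] = secrets.token_bytes(32)
    captured = []
    for sender, recipient in permutations(DEVICES, 2):
        message = f"{sender} -> {recipient}: hello".encode()  # constructed sample
        captured.append((sender, recipient, seal(keystores[sender][recipient], message)))
    return keystores, captured


def exposed_by(compromised, shared_global_key):
    """Conversations readable with one device's key store plus a full wire capture."""
    keystores, captured = build_network(shared_global_key)
    stolen = set(keystores[compromised].values())
    return [(s, r) for s, r, blob in captured
            if any(unseal(k, blob) is not None for k in stolen)]


if __name__ == "__main__":
    print("global key  :", len(exposed_by("alice", True)), "of 12 messages readable")
    print("per-pair key:", len(exposed_by("alice", False)), "of 12 messages readable")
```

With the global key, the keys from one device open every captured message between all four devices; with per-pair keys, the same compromise opens only the conversations that device took part in.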
  25. lasouthern's Avatar
    Chat secure, silent text if you can find it. I have yet to be able to do a secure chat with Telegram.

    Posted via CB10
    Only one app allows you to and that's http://appworld.blackberry.com/webst...ntent/59951054

    The "unofficial" one. Problem is it's an android port so you HAVE NO choice on app permissions.. :/ other telegram apps you do, but you can't get the secured chats to work. :/

    Posted via CB10
    02-28-15 10:51 PM