Pseudo Security

- Reading time: 7 Minuten -

As a general rule:
You have to trust the people you send information to - not a technical function at the receiver that only suggests pseudo-security to the sender.

Thoughts on “Security/Pseudo-Security in Messenger Systems

Before you can understand and recognize pseudo security, you have to deal with security in communications and related functionality first …

Security

Again and again, reports, reviews and recommendations about messenger systems emphasize “security” as a special feature. Through “best” security, users are often supposed to be persuaded to use a certain system. But:

  • What is “security”?
  • Is “security” the same thing for everyone?
  • Does everyone need a prescribed dose of “security” in the form of end-to-end encryption, for example?

In order to be able to answer these questions, you should briefly take a look inside yourself and consider what you yourself understand by security in the first place. In general, one can distinguish between security and safety (exteral):

  • Information security / crime prevention (=security) in which machines/technology should be protected from humans and
  • operational safety / accident prevention (=Safety). Here it is a matter of setting up and operating machines/technology in such a way as to protect people.

Various examples from practice:

  • Security in data protection (e.g. uploading address books, risks by link preview (external), …)?
  • Security and respect for privacy (secrets)?
  • Security of free and liberal thinking and decision-making?
  • Legal security?
  • Transmission security?
  • Technical security (fallback levels, data backups, …)?
  • Physical (e.g., structural) or organizational security (e.g., user rights)?
  • Security against unauthorized reading by government agencies?
  • Compromised security due to human errors/errors?
  • Failure safety of systems?

or - future-proofing?
Because ultimately, shouldn’t all action be geared towards that!?

Pseudo security

In a nutshell:
Pseudo security arises when (technical) security is only pretended or promised.

Many measures and functions that are intended to regulate access to sent/received information or to technically restrict display and further processing only pretend to be “secure” or are promises that can hardly be kept. They have nothing to do with transmission security (encryption) or actual access security (passwords, access systems, …).

Functions that technically try to make messages available to the recipient only in a restricted way are for example:

  • Screen capture lock in apps
  • not allowing messages to be forwarded (“forbid forwarding”)
  • not allowing storage on data media
  • “self-destructing” messages
  • automatic message deletion after a certain time (“auto-destruct timer”)
  • “auto-delete” on logout

However, some of these features can be very helpful for your own storage organization.

Explanation

“Mission-Impossible”-functions like self-destroying messages are believed with pleasure and can be sold well! However, all the technical possibilities mentioned can only give the sender perceived security. This means that a dangerous pseudo security is suggested and marketed!

It is in the nature of the thing that once sent information is at least briefly in the sphere of influence of the receiver (therefore they are finally also sent!). And since the sender usually has no control whatsoever over the recipient, his environment and the terminal device itself, there are many ways in which the aforementioned functions remain ineffective or become ineffective in terms of [security](/einfuehrung/#sicherheit/:

Group Method
Normal user
  • Reading by third parties (often underestimated!)
  • Forwarding
  • Screen copy
  • For smart users
  • Photograph
  • Copy via cache
  • Backup to cloud
  • Copy/access via “third-party app”
  • For specialists
  • Backup operations on device (“backup”)
  • Backup to 2nd device (parallel installation)
  • For Android:
  • Backups on/to PC via ADB (Android Debug Bridge)
  • also quite nice - and quite simple - is to disable the lock for screen copies (external)
    Quote: “This lets you take screenshots and do screen capture in apps that normally won’t let you.”
  • For experts/forensics
  • Direct readout of memory contents
  • Creating forensic memory images for analysis purposes.
  • It is therefore not only difficult, but impossible, to find a messenger that is designed to provide working protection against information disclosure and where the sender retains control over content once it has been sent. If content is to be displayed, it has to be transmitted to the recipient - and once it arrives, at least one way can be found as shown …

    News correction

    Message correction is a special case, because even this can suggest security. The function is actually intended for a subsequent correction of e.g. spelling mistakes or changes in content. Once sent, however, messages cannot be deleted even by message correction.

    Functionality:
    The original (first) message is still retained by the recipient, and the last subsequent “correction” message can then be displayed in place of the previous one. However, this depends on the respective settings and options of the programs/apps used. So, depending on the recipient, all messages sent by the sender will be displayed, or a visual indicator will appear with the message that it has been corrected.

    This can have far-reaching consequences as this example shows: You are standing together in a group, receive a message and say, “Hey look what xy is spreading!” The sender deletes the message and thinks “Thank goodness no one saw that …”

    So this feature is nice and handy to visually “correct” spelling errors in sent messages, for example. However, this should not be associated with security.

    Read receipts

    In addition, it is often relatively easy to suppress or falsify the very practical read receipts: Simply disconnect from the Internet after receiving the message and only then read it.

    So if a “read” checkmark is not yet visible, it means nothing and you have no security in this respect.

    Decision makers

    Advertising claims that promise pseudo-security are like stun grenades. Such “security functions” should only be used as a decision criterion with the greatest caution, if at all. This is because, depending on one’s point of view, such a function can be seen as an advantage or a disadvantage. In any case, such a criterion should not be overrated.

    Summary/Conclusion

    Basically:
    You have to trust the people you send information to - not a technical function at the receiver, which only suggests pseudo security to the sender.

    Supplementary information:

    Date: 22.04.2022
    Rights: CC BY-SA
    Autors: Diverse (Initiative Freie Messenger)


    All articles/thoughts about Messenger: