Researchers at Cisco's Talos Group are warning users to not to assume that the very popular encrypted messaging apps Telegram, WhatsApp and Signal will keep the communications confidential, as they partly delegate security to the operating systems they run on.
While the MT and Signal protocols the three messaging apps use are able to keep data secure in transit and on their servers, they fall short when it comes to protecting application state and user information, Talos wrote.
This is because they delegate the security of these to the operating system.
Pointing to vulnerabilities in the user interface framework for the apps, such as the remotely exploitable bug in Electron that was reported in January this year and which affected Signal, Slack and Skype, the Talos researchers said the apps can be compromised with side-channel attacks against operating systems.
Part of the problem is that non-technical users trust that the apps have the same level of security on all platforms when some are riskier than others.
Users are not told of this, nor are they given suffficient information to make educated decisions on the risk enabling certain settings on their devices carries.
Earlier this year, Talos analysed the Telegrab malware that hijacks Telegram desktop user sessions. With the session tokens in hand, attackers can create shadow sessions that replicate the messages and images that are sent or received by victims.
On Telegram, the researchers said the shadow sessions can be established without warnings to users which will have to manually check for active ones in the settings panel.
Signal and WhatsApp both pop up notices when shadow sessions are created, but it's possible for attackers to get around the warnings and access contacts and messages.
Talos said session management protocol developers predicted the above could happen, with security being "catastrophically compromised if an attacker learns a device's secret values, such as the identity private key and session state."
Individual users and corporations need to be aware that using messaging apps isn't risk-free, Talos said.
Secure messaging apps requires endpoint technology that better protects them, if they're used to transmit private and sensitive information, the security researchers added.