Of course, there are other end-to-end encrypted messaging apps to consider when it comes to minimizing your attack surface. Taylor Gulley, senior application security consultant at app security provider nVisium, told Threatpost on Tuesday that disabling widely used methods of communication can at least force attackers to jump through more hoops, given that it forces them “to invest more time and effort into discovering new exploits for the avenues that remain.”
Minimizing attack surface via messaging means limiting the number of messaging apps installed, only accepting messages from known contacts, and preventing received messages from automatically fetching media, Gulley noted. “All of these act as additional barriers between you and a malicious message.”
Gulley pointed out that a number of vulnerabilities have been found in both iOS and Android messaging apps in recent years.
A better option than either Android or iOS may be to use an open-source messaging app built from the ground up with security in mind, such as Signal, Gulley said via email. That gives you two fallbacks: “Auditing the code yourself as a user or to some degree, relying on the community to audit it for you.”
Open-source apps aren’t necessarily any more secure than proprietary apps, Gulley suggested, but at least they can be independently audited. “Despite their best intentions, securing your data and device is secondary to these companies who — let’s be honest — are ultimately there to make money off ads, devices, and services,” the consultant observed. “If these kinds of zero-day flaws were easy to discover, they would be less likely to have been created in the first place. This is evident by the fact that numerous open- and closed-source apps have been exploited by zero-day attacks — an unfortunate reality that will continue well into the future.”