Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Secure Messaging. Show all posts
WhatsApp Security
AI Data Privacy cybersecurity news Encrypted AI Chat End To End Encryption Meta AI Privacy Secure Messaging Trusted Execution Environment WhatsApp Security

Meta’s New Encrypted AI Chat Strategy Faces Trust Challenges


 

A significant structural change in consumer chatbot privacy has taken place over the past two years since Meta launched Incognito Chat with Meta AI on 13 May 2026. As a result of this announcement, the architecture Christakis has been referring to as Sealed Mode in Part 1 of his study on consumer chatbot confidentiality has become a mass-market product and no longer remains a research aspiration. 

The Meta AI app allows WhatsApp users to communicate with the provider in a mode that does not allow Meta to read the conversation, in a similar fashion to the way Meta cannot read two user WhatsApp messages. 

The protection is architectural rather than contractual: Meta has renounced access to content through its hardware design in a Trusted Execution Environment where the chat is processed. Furthermore, the announcement comes as legal and regulatory scrutiny grows on how artificial intelligence providers retain conversational data and respond to law enforcement demands. 

In spite of Google's statement that temporary Gemini chats may be retained for up to 72 hours, OpenAI and Anthropic maintain substantially longer retention periods for temporary and incognito interactions, with ChatGPT sessions and Claude sessions reportedly remaining available for at least 30 days. It has become increasingly necessary to maintain these retention practices since chatbot logs have been used as evidence in numerous high-profile legal cases, including investigations relating to the mass shootings at Tumbler Ridge and Florida State University, as well as a court order requiring indefinite storage of certain ChatGPT conversations in The New York Times litigation. 

Additionally, Google is facing litigation regarding allegations that Gemini encouraged a series of “missions” preceding the death of a 36-year-old man. Meta is positioning Incognito Chat to distinguish itself from conventional cloud AI architectures against this backdrop. Using Meta AI, the company has extended the company's existing Private Processing framework originally deployed within WhatsApp for AI-driven summarization and writing tools directly into conversations with users. This eliminates the previous model of prompts leaving WhatsApp's encrypted channel and reaching Meta's server infrastructure during processing, eliminating the problem. 

Using Incognito Chat, Meta claims that conversations are processed within a Trusted Execution Environment where neither Meta nor WhatsApp has access to plaintext conversation history, while all contextual memory is removed once a session is completed. A web search initiated by Meta AI is also detached from user identity metadata and can be disabled completely by the user at launch. At launch, Meta will provide text-only interactions, with an upcoming "Side Chat" feature that will enable users to privately assist within an active WhatsApp conversation without interrupting the encryption thread. 

Through the new model, Meta AI users will be able to initiate Incognito Chat sessions where they will be able to conduct temporary encrypted interactions. These interactions will be processed in an isolated, secure computing environment whose operations are even inaccessible to Meta AI's internal systems, according to Meta AI. 

By design, Meta says these sessions are ephemeral, with conversations neither being stored nor retained by default following their conclusion. The feature is positioned in a way similar to transient secure messaging rather than conventional cloud-based AI assistance. In the near future, this capability will be available both through WhatsApp and Meta AI's standalone application, along with another privacy-focused feature internally referred to as Sidechat. 

With Sidechat, users will be able to use Meta AI discreetly within an active WhatsApp conversation to summarize exchanges, answer contextual questions, and provide assistance with ongoing conversations without interrupting or exposing the primary encrypted chat thread by invoking Meta AI discreetly within an active conversation. Meta officially stopped supporting end-to-end encrypted direct messages on Instagram less than one week before the rollout, which has increased industry scrutiny.

According to Instagram's support documentation, encrypted direct message functionality will cease on 8 May, and users are advised to export any media or conversations they wish to keep. Users seeking encrypted communication were immediately redirected to WhatsApp, which was explicitly referred to as Meta's sole remaining end-to-end encrypted messaging platform. 

Following the Instagram encryption rollback, a spokesperson from the company indicated that limited adoption prompted the rollback, stating that only a small percentage of users enabled encrypted direct messages, but stressed that WhatsApp's infrastructure could still be used by those who needed encrypted communication.

Meta’s Incognito Chat initiative ultimately represents more than a new privacy feature it signals a broader shift in how major AI platforms are attempting to redesign trust at the infrastructure level rather than through policy language alone. By combining encrypted messaging pathways with Trusted Execution Environment-based processing, Meta is testing whether consumer AI systems can operate with reduced provider visibility while still delivering real-time contextual assistance at scale. 

Yet the rollout also exposes the growing contradiction at the center of the AI industry: as chatbot interactions become increasingly personal, legal demands for data retention, safety monitoring, and platform accountability continue to expand in parallel. Whether Meta’s architecture can withstand both regulatory pressure and public skepticism may determine how future AI communication systems balance usability, privacy, and operational transparency.
Read more »
Secure Messaging
Apple Privacy Apple Security Encrypted RCS End To End Encryption iOS 26.5 iPhone Security Mobile Cyber Security RCS Protocol Secure Messaging

iOS 26.5 Introduces Private RCS Messaging and Core Feature Improvements


 

By introducing end-to-end encrypted RCS messaging between iPhone and Android devices for the first time, Apple has taken another step towards unifying secure cross-platform communication. 

In the update, Apple's messaging architecture has been significantly altered, extending advanced encryption protections beyond its proprietary ecosystem and into carriers' Rich Communication Services networks. This feature is currently being tested across major US networks and enables encrypted message exchange through the most recent version of Google Messages for Android, as well as Apple's native messaging experience, which is enhanced with visual encryption indicators and automatic activation mechanisms. 

RCS encrypted messages are currently available through a phased beta rollout to iPhone users running iOS 26.5 across supported carrier networks. Android compatibility is dependent on the latest version of Google Messages. It has been confirmed that encryption will be activated by default and gradually extended to both newly initiated and existing RCS conversations, eliminating the need for users to configure encryption manually.

Supported chats are now equipped with a dedicated lock icon that acts as a real-time confirmation layer, making sure messages are not readable while in transit between devices. Apple reiterated its commitment to privacy as its first priority, stating that iMessage remains fully encrypted within its native ecosystem, while the expansion of encrypted RCS provides an additional layer of security for cross-platform communication. 

According to industry analysts, the move is more of a strategic extension of Apple's broader device security framework than simply a messaging upgrade. According to Faisal Kawoosa, Founder and Chief Analyst at Techarc, the latest update enhances security assurances for Apple users outside of the iOS ecosystem, despite the fact that third-party messaging platforms will continue to be relevant.

With iOS 26.5, multiple system-level vulnerabilities are addressed, including issues relating to malicious media files and crafted text messages, causing application crashes, interface freezing, and potential denial-of-service exploitation scenarios before. 

Along with messaging overhaul, iOS 26.5 incorporates stability and security fixes. Modernizing the functionality of RCS itself, the update also brings advanced messaging capabilities, including high-resolution media transfer, typing indicators, read acknowledgement, reactions, and collaborative group chats across multiple devices. 

 Additionally, iOS 26.5 introduces a series of ecosystem refinements for personalization, subscription flexibility, and contextual user experiences in addition to its security-focused messaging upgrades. Apple has released an animated vertical light band wallpaper collection entitled Pride Luminance in honor of Pride Month, which shifts subtly as the device is unlocked, highlighting the importance of awareness of Pride Month. 

Apple continues to integrate adaptive visual design into iOS with its newest features, allowing users to customize wallpaper based on 11 predefined colour combinations or to create their own palette configurations. In addition to expanding subscription controls in the App Store, developers may also now offer monthly payment structures for discounted annual plans, a move that is intended to reduce upfront costs for long-term subscriptions while maintaining yearly commitments. 

The revised billing framework will require users who subscribe to annual packages through monthly payments to complete the payment cycle, regardless of whether the subscription is cancelled prior to the expiration date. Along with these additions, Apple has been continuing to expand its RCS rollout. Even though Rich Communication Services support was introduced with iOS 18 in 2024, it did not initially offer end-to-end encryption support, despite offering advanced messaging features such as high-resolution media sharing, typing indicators, read receipts, and advanced group chat features. 

In response to the integration of E2EE standards in the RCS specification by the GSMA last year, Apple has begun testing encrypted RCS support through the iOS 26 beta cycle and is preparing for a wider stable rollout. The availability of RCS support on iPhones continues to vary according to the network provider, because RCS functionality remains dependent on carrier-level implementation. 

Through the Messages settings panel, eligible users can manage the feature, displaying dedicated visual verification indicators, such as lock icons and encrypted session labels, in encrypted RCS chats. Aside from the refinement of core applications within Apple's release cycle, other core applications are being refined as well, including Maps updates that incorporate recommendations based on nearby trends and recent search behaviour, demonstrating the company's growing emphasis on contextually relevant software. 

Apple's iOS 26.5 not only extends feature parity between platforms but also reinforces its broader strategy to embed privacy and resilience deeper into everyday digital communication. By implementing end-to-end encryption for RCS conversations and simultaneously addressing media-handling vulnerabilities at the system level, the company is strengthening security controls around one of the most widely targeted layers of the mobile ecosystem. 

It reflects the growing industry trend towards interoperable, yet encrypted communication standards, where usability enhancements will increasingly coexist with enterprise-grade security protections and real-time threat mitigation.
Read more »
WhatsApp Privacy
cybersecurity news digital surveillance End To End Encryption Federal Investigation Meta Security Privacy Secure Messaging WhatsApp Encryption WhatsApp Privacy

WhatsApp Encryption Comes Under Spotlight Following Federal Allegations

 


Federal Investigation Into WhatsApp Encryption

A confidential federal investigation into encryption integrity has morphed into a broader debate addressing the technical transparency of one of the largest messaging platforms in the world. According to a Bloomberg report citing individuals familiar with the matter, investigators quietly examined whether Meta’s WhatsApp could, under certain internal conditions, expose access to user conversations despite its longstanding end-to-end encryption assurances. 

There was considerable weight to these allegations, considering WhatsApp has more than three billion users globally, many of whom depend on the platform for confidential personal communications, corporate coordination, and sensitive business communications. The inquiry was led by a special agent from the U.S. Department of Commerce's Bureau of Industry and Security over a period of nearly ten months, during which internal documents were reviewed, interviews were conducted, and an assessment of the handling of message data behind the platform's infrastructure layers was carried out. 

The investigation reportedly intensified after a January 16 internal memorandum circulated across multiple federal agencies claimed that certain Meta employees and contractors could access message content in ways that conflicted with WhatsApp’s public encryption narrative. In spite of the technical and regulatory implications of the findings, the federal investigation was abruptly ended earlier this year without any explanation of the reasons for the sudden halt of the investigation. 

In 2024, an anonymous whistleblower alleged that WhatsApp’s privacy architecture was not as impenetrable as it was publicly portrayed, resulting in renewed controversy surrounding WhatsApp. According to the reports, U.S. authorities began a federal investigation quietly in 2025, ordering investigators to examine whether the messaging service's internal systems allowed access to the supposedly encrypted communications through its internal systems. 

The investigation is reported to have taken nearly ten months. Investigators collected technical records, interviewed personnel, and reviewed the internal operational processes related to Meta's storage and handling of message data. A report indicates that preliminary findings suggested that a mechanism could be established that would allow message content to be exposed unencrypted under certain circumstances, prompting internal attention to the investigation. The investigation was ultimately terminated without any formal public findings, further deepening concerns surrounding transparency and encrypted data governance.

Meta Defends WhatsApp’s Encryption Architecture

According to Meta, WhatsApp's end-to-end encryption framework prevents even the company itself from gaining access to message content while it is being transmitted. WhatsApp has consistently denied allegations that it reads private conversations on the service. After Meta acquired WhatsApp in 2014, the platform introduced end-to-end encryption globally in 2016. The system was designed so that only the sender and recipient possess the cryptographic keys required to unlock conversations. From a technical standpoint, the encryption architecture continues to be regarded by many cybersecurity researchers as fundamentally secure during message transmission. 

Public Distrust and Global Security Concerns

The public, however, remains skeptical of the program, partly because many users believe ads often appear to relate to topics discussed in supposedly private conversations. The perception of large-scale data collection practices in digital ecosystems has continued to fuel distrust, even though no verifiable evidence has conclusively demonstrated that WhatsApp monitors encrypted communications for advertising purposes. 

A number of governments and state institutions have emphasized the potential threat WhatsApp poses to sensitive communications, despite its claims that it is encrypted. The concerns extend beyond consumer privacy issues to national security concerns and operational risk management concerns. A number of countries, including Iran and Russia, have repeatedly expressed concerns regarding the platform’s data handling practices and foreign ownership structure, including the United States, where the application was prohibited from being used on official devices for the House of Representatives. 

In addition, a class action lawsuit filed in San Francisco in 2026 alleges that Meta unlawfully intercepted and shared private WhatsApp communications with unauthorized parties, adding further pressure. It was alleged in the complaint that company personnel could access messages in real time via internal request systems. According to report, one federal investigator involved in the investigation concluded Meta can store text, audio, image, and video data in a non-encrypted format within certain backend environments. This claim has been strongly contested by the company. 

India’s Encryption and Traceability Clash

In India, where privacy rights and regulatory oversight have increasingly collided over digital communications, the encryption debate has been particularly significant. After WhatsApp updated its privacy policy in 2021, tensions escalated. At the same time, the Indian government introduced new information technology rules requiring message service providers to provide a method for “tracing” messages so that law enforcement can examine them. 

WhatsApp would have been forced to fundamentally change its encryption model in order to comply with the regulations, effectively undermining the fundamental principle of end-to-end encryption. As a result, the platform challenged the requirements in court, arguing that a requirement for traceability would substantially compromise user privacy and weaken the protections provided by digital security.  In spite of India enacting the Digital Personal Data Protection Act in 2023, the legal dispute has not yet been resolved. 

When WhatsApp appeared before the Delhi High Court in 2024, it stated that it may be forced to cease operations in India if forced to violate encryption safeguards, a scenario that would negatively impact approximately half a billion users. Despite the ongoing legal standoff, the platform continues to operate in India without implementing the government's traceability requirement, tkeeping the broader debate surrounding encryption, surveillance, and digital privacy far from resolved. 

Whistleblower Complaint and Operation Sourced Encryption

The allegations against Meta did not originate from online speculation or public conspiracy theories but reportedly emerged through a formal whistleblower complaint submitted to the U.S. As stated in the complaint filed by the Securities and Exchange Commission in 2024, WhatsApp may have provided limited access to user communications, despite repeated assurances regarding end-to-end encryption provided by the platform. 

The seriousness of the allegations prompted federal authorities to quietly launch an internal investigation that remained largely shielded from public scrutiny. An investigation was later handled by a special agent within the Bureau of Industry and Security, specifically through its Office of Export Enforcement, where Operation Sourced Encryption was reportedly conducted. 

During the inquiry, officials interviewed individuals familiar with Meta’s operational workflows, reviewed internal technical processes, and examined whether backend systems created any pathway through which employees or contractors could access message-related content after transmission. 

Internal Findings and Access Allegations

The investigation reached a turning point in January 2026 when the lead agent circulated a memo to numerous agencies, including the Securities and Exchange Commission and the Federal Trade Commission, regarding the allegations of misrepresentation. According to the memorandum referenced in the report, the agent concluded that Meta possessed the technical capability to store and potentially access WhatsApp communications, including text messages, photographs, audio clips, and video recordings.

The findings further suggested that certain internal practices could conflict with federal standards governing consumer privacy and corporate disclosure One of the investigation’s central findings involved what the agent described as a ‘tiered permissions system,’ an internal access framework allegedly active since at least 2019. 

According to the memo, the structure provided varying levels of platform visibility to employees, contractors, and overseas personnel, including workers based in India. Individuals interviewed during the probe reportedly stated that moderation-related operations conducted through Accenture involved broad access to message-associated content.” 

Sudden Shutdown of the Federal Probe

If the findings were circulated internally, senior leadership of the Commerce Department reportedly ordered the investigation to be terminated shortly thereafter. Those officials who supported the closure of the investigation later referred to the agent's conclusions as "unsubstantiated" and argued that the investigation exceeded the authority typically granted to export enforcement officers. 

Though the federal investigation was formally terminated without any public release of its conclusions, the controversy has intensified scrutiny of the ways in which encrypted communication platforms manage backend infrastructure, moderation systems, metadata processing, and administrative access controls.

The investigation has heightened industry concerns over whether large-scale messaging platforms will be able to simultaneously maintain strong encryption guarantees, regulatory compliance, and operational oversight without creating hidden exposure points, despite Meta's continued rejection of allegations that WhatsApp compromises private conversations. 

There are now many questions raised by regulators, cybersecurity researchers, and privacy advocates that go far beyond a particular application, resulting in a profound debate regarding transparency, trust, and the future architecture of secure digital communications.
Read more »
WhatsApp
alternative messaging apps Cyber Security End-to-End Encryption Privacy Concerns Secure Messaging Signal app SMS security risks SMS vulnerabilities Telegram WhatsApp

Seure Messaging Apps: A Safer Alternative to SMS for Enhanced Privacy and Cybersecurity

 

The Short Messaging Service (SMS) has been a fundamental part of mobile communication since the 1990s when it was introduced on cellular networks globally. 

Despite the rise of Internet Protocol-based messaging services with the advent of smartphones, SMS continues to see widespread use. However, this persistence raises concerns about its safety and privacy implications.

Reasons Why SMS Is Not Secure

1. Lack of End-to-End Encryption

SMS lacks end-to-end encryption, with messages typically transmitted in plain text. This leaves them vulnerable to interception by anyone with the necessary expertise. Even if a mobile carrier employs encryption, it's often a weak and outdated algorithm applied only during transit.

2. Dependence on Outdated Technology

SMS relies on Signaling System No. 7 (SS7), a set of signalling protocols developed in the 1970s. This aging technology is highly insecure and susceptible to various cyberattacks. Instances of hackers exploiting SS7 vulnerabilities for malicious purposes have been recorded.

3. Government Access to SMS

SS7 security holes have not been adequately addressed, potentially due to government interest in monitoring citizens. This raises concerns about governments having the ability to read SMS messages. In the U.S., law enforcement can access messages older than 180 days without a warrant, despite efforts to change this.

4. Carrier Storage of Messages

Carriers retain SMS messages for a defined period, and metadata is stored even longer. While laws and policies aim to prevent unauthorized access, breaches can still occur, potentially compromising user privacy.

5. Irreversible Nature of SMS Messages

Once sent, SMS messages cannot be retracted. They persist on the recipient's device indefinitely, unless manually deleted. This lack of control raises concerns about the potential exposure of sensitive information in cases of phone compromise or hacking.

Several secure messaging apps provide safer alternatives to SMS:

1. Signal
 
Signal is a leading secure messaging app known for its robust end-to-end encryption, ensuring only intended recipients can access messages. Developed by the non-profit Signal Foundation, it prioritizes user privacy and does not collect personal data.

2. Telegram

Telegram offers a solid alternative to SMS. While messages are not end-to-end encrypted by default, users can enable Secret Chats for enhanced security. This feature prevents forwarding and limits access to messages, photos, videos, and documents.

3. WhatsApp

Despite its affiliation with Meta, WhatsApp is a popular alternative with billions of active users. It employs end-to-end encryption for message security, surpassing the safety provided by SMS. It's available on major platforms and is widely used among contacts.

In conclusion, SMS is not a recommended option for individuals concerned about personal cybersecurity and privacy. While it offers convenience, its security shortcomings are significant. 

Secure messaging apps with end-to-end encryption are superior alternatives, providing a higher level of protection for sensitive communications. If using SMS is unavoidable, caution and additional security measures are advised to safeguard information.
Read more »
Trojanized Apps
Data Hackers Messaging Apps Safety Secure Messaging Security Trojanized Apps

Transparent Tribe Hackers Disseminate CapraRAT via Trojanized Messaging Apps

 

Transparent Tribe, an alleged Pakistan-aligned advanced persistent threat (APT) group, has been interconnected to an ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called CapraRAT. 

"Transparent Tribe distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp," ESET said in a report shared with The Hacker News.

It is estimated that up to 150 victims, most of whom have military or political affiliations, were targeted, with the malware (com.meetup.app) available for download from fake websites posing as official distribution centers for these apps. The targets are believed to have been lured by a honeytrap romance scam in which the threat actor approaches the victims via another platform and persuades them to install malware-laced apps under the guise of "secure" messaging and calling.

The targets are believed to have been lured by a honeytrap romance scam in which the threat actor approaches the victims via another platform and persuades them to install malware-laced apps under the guise of "secure" messaging and calling.

The apps, however, come pre-installed with CapraRAT, a modified version of the open-source AndroRAT that Trend Micro first documented in February 2022 and that exhibits overlap with a Windows malware known as CrimsonRAT.

The backdoor includes a plethora of features that allow it to capture screenshots and photos, record phone calls and surrounding audio, and exfiltrate sensitive data. It can also make calls, send SMS messages, and receive download commands. However, in sequence to use the app's features, users must first create an account by linking their phone numbers and completing an SMS verification step.

As stated by the Slovak cybersecurity firm, the campaign is narrowly targeted and there is no evidence that the apps were available on the Google Play Store.

Transparent Tribe, also known as APT36, Operation C-Major, and Mythic Leopard, was recently linked to another wave of attacks against Indian government organizations using malicious versions of the Kavach two-factor authentication solution.

The research comes just weeks after cybersecurity firm ThreatMon detailed a spear-phishing campaign by SideCopy actors targeting Indian government entities with the goal of deploying an updated version of the ReverseRAT backdoor.
Read more »
Subscribe to: Posts (Atom)