When you installed Cellcrypt, you may have noticed that we asked for your email address rather than your telephone number. From a security standpoint, there are several reasons why Cellcrypt, unlike consumer messaging apps such as WhatsApp and Signal, does not use telephone numbers.
1) Becoming You only requires access to your phone.
With consumer apps such as Signal & WhatsApp, if someone gets hold of your phone, they can gain full access to your account, including your messages and contacts. Because these apps use the phone number as the User ID and simple SMS verification, if someone has your phone and knows your phone number, then on another device, they can register in the app as you.
When registering with your phone number on a new device, a verification code is sent by SMS to that phone number. If your phone is unlocked, or is set to display incoming SMS messages on the lock screen, the attacker can read that code, enter it on their own device, and gain full access to the app as you: they can read your messages and even start messaging your contacts as you!
2) Using Phone Numbers makes Enterprise use challenging.
Many organisations still provide mobile devices and mobile plans, including phone numbers, to their employees.
The challenge, if the UserID is the phone number, is that when someone leaves the organisation and their device or plan is reassigned to another employee, the new employee assumes the identity of the old employee from the app's perspective. They become a member of the same groups, with access to the historical and current messages in those groups, as well as to all of the old employee's individual messages and contacts.
3) Mobile Contact Discovery can reveal sensitive data.
By installing consumer apps such as WhatsApp or Telegram, users can immediately communicate with existing contacts stored on their phones using their phone number and a process called Mobile Contact Discovery.
When a user clicks the button to permit these apps to access the on-device address book, the apps will regularly upload the user's contacts to the app providers' servers.
For an example of this in action, pick one of your contacts (I've chosen Bill) and type the following into the WhatsApp message bar: "Bill's number is". The app will retrieve Bill's number from your contacts and offer it as a predictive-text option. Utilising this same access to the address book, researchers have shown how, with relatively few resources, crawling attacks can collect sensitive data on a massive scale.
Even Signal, which does not transfer the phone's full address book but instead uses short cryptographic hash values of phone numbers, is easy to overcome. The low entropy of phone numbers means attackers can use new and optimised attack strategies to deduce phone numbers from those cryptographic hashes within milliseconds. This is exacerbated by the fact that these consumer apps place almost no restrictions on signing up. As a result, bad actors can create as many accounts as they need to crawl a platform's user database by requesting data for random phone numbers and creating an increasingly detailed picture.
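To make the low-entropy point concrete, here is an added illustration (not Cellcrypt's or Signal's code) using a constructed toy number space: one hypothetical +1 555 867 block in which only the four-digit line number varies. Uploading an unkeyed, truncated hash of a phone number protects nothing, because the whole number space can be hashed and tabulated in advance; a keyed hash with a secret the enumerating party does not hold defeats the same table, which is why any hash-based discovery scheme needs a secret that the crawler cannot obtain.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed toy number space: a single hypothetical NPA-NXX block, so only
# the 4-digit line number varies (10,000 candidates). Real numbering spaces
# are larger, but ~10^10 US numbers is still only about 33 bits of entropy.
PREFIX = "+1555867"
NUMBER_SPACE: List[str] = [f"{PREFIX}{line:04d}" for line in range(10_000)]


def truncated_hash(phone: str, nbytes: int = 10) -> str:
    """Unkeyed, truncated SHA-256 of a phone number: the kind of value a
    naive contact-discovery client uploads instead of the number itself."""
    return hashlib.sha256(phone.encode()).digest()[:nbytes].hex()


def build_lookup_table(numbers: List[str]) -> Dict[str, str]:
    """Precompute hash -> number for the whole space. The cost is one hash
    per candidate, so it grows only linearly with the size of the space."""
    return {truncated_hash(n): n for n in numbers}


def recover_number(uploaded_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Invert an unkeyed hash by table lookup; this is the 'deduce phone
    numbers from those hashes within milliseconds' described in the text."""
    return table.get(uploaded_hash)


def keyed_hash(phone: str, key: bytes, nbytes: int = 10) -> str:
    """HMAC-SHA256 under a secret key. Without the key the table above is
    useless. Caveat: in contact discovery the client must still produce a
    matchable value, so the key has to live where the client (and thus a
    crawler) cannot read it, e.g. inside the matching service, not on the phone."""
    return hmac.new(key, phone.encode(), hashlib.sha256).digest()[:nbytes].hex()


def demo() -> tuple:
    """Show one number being recovered from its unkeyed hash, and the same
    table failing against a keyed hash of the same number."""
    table = build_lookup_table(NUMBER_SPACE)
    victim = f"{PREFIX}4242"  # constructed sample number
    recovered = recover_number(truncated_hash(victim), table)
    key = secrets.token_bytes(32)  # secret the crawler does not have
    not_recovered = recover_number(keyed_hash(victim, key), table)
    return recovered, not_recovered  # -> ("+15558674242", None)
```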
In a study by the Technical University of Darmstadt and the University of Würzburg, the researchers queried 10% of all US mobile phone numbers on WhatsApp and 100% on Signal. This gave them access to commonly stored personal metadata, including profile pictures, nicknames, status texts, and the "last online" time. Matching this data over time against public data sources and social networks makes it possible to build detailed profiles of great interest to bad actors.
In Telegram's case, the discovery service exposed sensitive information even about individuals not registered with the app. This means the system affects people who may never have used Telegram, let alone given permission for their phone number to be used.
Finally, the contacts in your phone may differ significantly from those you need to contact securely. Separating your secure and standard phone contacts should also be a key consideration when selecting a secure communications solution.