Spy Vs. Spy: Texas A&M Researchers Work To Secure Messaging
Cybersecurity expert Dr. Nitesh Saxena studies the privacy promises — and addresses the pitfalls — of secure messaging apps like Signal and WhatsApp.
When you send a message through WhatsApp or iMessage, you might think only you and the recipient can read it. Thanks to end-to-end encryption (E2EE), that’s usually true, but it’s not the whole story, says Dr. Nitesh Saxena, a cybersecurity expert at Texas A&M University.
Saxena, professor of Computer Science and Engineering and associate director of the Texas A&M Global Cyber Research Institute, leads the SPIES Lab where, among other projects, researchers explore how secure messaging and calling apps like Signal, WhatsApp and Telegram work and how they can be improved. “SPIES” stands for Security and Privacy in Emerging Computing and Networking Systems.
End-To-End Encryption
E2EE ensures that only the sender and recipient of a message can read it. “Even the company running the app — whether that’s Meta for WhatsApp or Apple for iMessage — can’t see what’s being said,” Saxena said. Messages are encrypted on your device and decrypted only on the recipient’s device, bypassing servers that could be compromised.
This is especially important in countries with strict surveillance. “Apps like Signal are banned or restricted in China, Saudi Arabia and the UAE,” Saxena said. “Some governments don’t like being shut out.”
But encryption isn’t foolproof.
Are Secure Apps Really Secure?
While most of these apps protect against casual snooping, Saxena says more sophisticated attacks — like “man-in-the-middle” — are harder to prevent. In this type of attack, a hacker intercepts your messages and pretends to be your contact at the time you add a new contact.
Apps try to prevent this with “authentication ceremonies,” where users verify each other by comparing security codes via a phone/video call or scanning QR codes in-person. The problem is that most people skip this step, Saxena said, and if they do try it, they often get it wrong.
His lab studies how users interact with — and falter at — these steps and is developing simpler, more automated verification tools. “Ideally, you should be able to hit a button, and the app checks everything for you. We are working towards that,” he said.
Human Error In Group Chats
Some messaging mistakes happen due to user error, and Saxena said that problem lies in design. “In large group chats, it’s easy to overlook who’s included. Maybe it’s just a phone number — no name, no photo. That’s risky,” he said.
His team is exploring design changes to reduce such mistakes, like displaying profile pictures of all recipients before a message can be sent.
If your app offers a way to verify your contact, take a minute to do it. It’s worth it.
Encryption And Government Access
Encryption isn’t just a technical issue, it’s political. Law enforcement agencies argue they need access to encrypted chats to fight crime. One proposed method is “client-side scanning,” where apps scan messages for illegal content before they’re encrypted.
“The U.S. hasn’t implemented this (yet),” Saxena said, explaining the concern is that once a backdoor exists, it can be abused by hackers, corporations or governments.
To counter this, Saxena’s lab is developing encrypted keyboards that prevent scanning before a message is even composed.
Messaging Across Devices
Modern users often message from phones, tablets and laptops, which is convenient, but introduces security challenges. “Syncing messages securely across devices is not easy,” Saxena said, adding that current methods like QR code scanning aren’t always safe.
His team is working on new cryptographic techniques that allow secure syncing without exposing messages or encryption keys.
AI And Messaging
Saxena’s research also looks to the future, where AI plays a bigger role in communication, such as helping to summarize, write replies or filter spam. But how can the AI model — typically running on a remote server — do that if it can’t read your messages?
“We’re working on efficient multi-party computation techniques — ways to compute over encrypted data without decrypting it or leaking anything meaningful about it,” Saxena said. This would allow smart features without compromising privacy.
A Secure Future
Ultimately, Saxena emphasizes that encryption alone isn’t enough. “We can build the strongest encryption in the world, but if people make mistakes, hackers exploit loopholes, or companies mislead users, then it doesn’t matter.”
His advice is to use secure apps like Signal and WhatsApp but understand their limitations. “And if your app offers a way to verify your contact, take a minute to do it. It’s worth it.”
Visit the SPIES Lab online and learn more about Computer Science and Engineering at Texas A&M.
