End-to-End Encryption (E2EE) Messaging

Deep packet inspection (DPI), and potential cooperation between ISPs and security agencies—how you communicate is a matter of critical safety.

End-to-End Encryption (E2EE) is the gold standard for digital communication. It ensures that a message is turned into an unreadable code (encrypted) on your device and only turned back into a readable message (decrypted) on the recipient's device.

Why this matters in Iran: If a messaging app is not E2EE, the service provider (e.g., Telegram, SMS, or domestic apps) can read your messages. If they can read them, they can be compelled to hand them over to authorities, or hackers can intercept them. With E2EE, not even the app's creators or the ISP can read the content of your messages.

---

1. Signal: The Gold Standard

Signal is widely regarded by security experts as the most secure messaging app available. It is open-source, non-profit, and collects virtually no data about its users.

Why Signal is Best for Iranian Users

• True E2EE: All messages, calls, and media are encrypted by default.
• Minimal Metadata: Unlike competitors, Signal does not know who you are talking to or when.
• Censorship Resistance: Signal has built-in features to bypass blocking (TLS Proxies), which is crucial given the severe filtering of Signal in Iran.

Essential Security Settings

To maximize protection against physical device seizure or remote hijacking:

1. Registration Lock:
   • Go to: Settings > Account > Registration Lock
   • Why: This prevents state actors or hackers from hijacking your account on another device using a compromised SMS verification code (SIM swapping/interception). You will need a PIN to re-register.
2. Screen Security:
   • Go to: Settings > Privacy > Screen Security
   • Why: Prevents the "Recent Apps" list from showing a preview of your messages.
3. Disappearing Messages:
   • Go to: Settings > Privacy > Default Timer for New Chats
   • Why: If your phone is confiscated, old messages will have already self-destructed.

Bypassing Censorship: Signal Proxy

Signal is blocked in Iran. While you can use a VPN, Signal allows you to use a Proxy directly inside the app to bypass filtering without a system-wide VPN.

1. Go to: Settings > Data and Storage > Use Proxy.
2. Enter a valid proxy address (often shared on trusted channels like Twitter/X or Mastodon via #IRanASignalProxy).
3. Note: The proxy provider can see your IP address but cannot read your messages.

⚠️ Alternative Client: Molly (Android Only) For Android users, Molly is a hardened fork of Signal. It offers features not found in the official app, such as Tor integration and database encryption passphrases. It is an excellent choice for high-risk users.

---

2. WhatsApp: The Popular Alternative

WhatsApp uses the same encryption protocol as Signal, meaning the content of your messages is secure. However, it has significant privacy drawbacks compared to Signal.

The Risks

• Metadata Collection: WhatsApp is owned by Meta (Facebook). They collect extensive metadata: who you talk to, how often, your location, and device info. In a threat model where "who knows who" matters, this is a vulnerability.
• Cloud Backups: By default, WhatsApp backups (to Google Drive or iCloud) are NOT encrypted. If authorities access your Google/Apple account, they can access your message history.

Hardening WhatsApp

If you must use WhatsApp, enable End-to-End Encrypted Backups:

1. Go to: Settings > Chats > Chat Backup > End-to-end Encrypted Backup.
2. Turn it ON and save the 64-digit key or password safely.
3. Without this, your backup is a vulnerability.

---

3. Telegram: The Dangerous Misconception

Telegram is immensely popular in Iran, but it is NOT a secure messenger by default.

The "Cloud Chat" Problem

• Default Behavior: Standard Telegram chats are "Cloud Chats." They are encrypted between you and the Telegram server, and the server and the recipient. Telegram has the decryption keys.
• Risk: If Telegram servers are compromised, or if the company is pressured by a state entity, your message history is accessible.

How to Use Telegram Safely

You must manually enable E2EE for every sensitive conversation:

1. Open the profile of the contact.
2. Tap the "..." (three dots) or "More" menu.
3. Select Start Secret Chat.
4. Note: Secret Chats do not sync across devices and are stored only on the device where they were initiated.

Warning: Do not rely on Telegram for sensitive activism or coordination unless you strictly use Secret Chats with disappearing timers.

---

4. Domestic Apps (Rubika, Eitaa, Soroush, etc.)

Do not use Iranian domestic messaging apps for any sensitive communication.

These applications are hosted on servers inside Iran and are subject to local laws requiring data retention and cooperation with security services.

• No E2EE: They generally do not offer end-to-end encryption.
• Surveillance: Administrators have full visibility into your chats, groups, and contacts.
• User Identification: Registration requires a verifiable Iranian phone number, directly linking your identity to your activity.

---

5. Verification: Detecting "Man-in-the-Middle" Attacks

In a high-surveillance environment, a sophisticated attacker might try to intercept a conversation by pretending to be your contact (Man-in-the-Middle attack).

Safety Numbers (Signal) / Security Codes (WhatsApp)

Every E2EE chat has a unique "Safety Number" or "Fingerprint."

1. Verify: When meeting a contact in person, scan their QR code or compare the number string.
2. Alerts: If you see a warning that "Safety Number has changed," stop communicating immediately. verify their identity through a different channel (e.g., a voice call). This warning could indicate their account was hijacked or an interception is being attempted.

---

Summary of Recommendations for Iranian Users

Final Checklist for Safety

• Use Signal for all sensitive conversations.
• Set up a Registration Lock PIN.
• Enable Disappearing Messages.
• Verify Safety Numbers with key contacts.
• Never use SMS or domestic apps for private data.