Do not make this dangerous messaging mistakeCorbis via Getty ImagesThe secure messaging apps on your phone are dangerous. Not because their own security measures are vulnerable to attack although that does happen, but because their security is only as good as your behavior. And millions of iPhone and Android users dont realize that simple mistakes can open your phone to attack.That was the crux of the NSAs warning that has now been made public and which has been headlined as a Signal vulnerability in the wake of Trump officials inadvertently inviting a journalist onto a sensitive group chat. But its not. Its a user vulnerability. The NSA notification is a warning to change messaging settings. Nothing more.The NSA warning last month was prompted by Googles Threat Intelligence Group discovering Russias GRU was tricking Ukrainian officials into opening access to their Signal accounts, allowing the Russians to listen in. This wasnt a Signal flaw the app was working as intended. And it wasnt limited to Signal. Google warned this threat also extends to other popular messaging applications such as WhatsApp and Telegram.The two vulnerabilities relate to features in both Signal and WhatsApp that make them easier to use. Linked Devices and Group Links. The first enables you to sync and access your secure messaging apps on all your eligible devices. The second provides a simple way for you to invite new members into a group chat by sending them a link, rather than adding them one-by-one from within the group.The Group Link threat only extends to the group itself, and is easily mitigated. In Signal, disable the Group Link from within the groups settings. In WhatsApp you dont have that option, but do not use links for sensitive groups; you should also set sensitive groups in WhatsApp such that only Admins can add members.The Linked Devices option is much more dangerous as it can establish a fully syncd replica of your messaging app on someone elses device. But again this risk is easily mitigated. In both apps there is a clear settings menu entitled Linked Devices. Go there now and unlink any device you dont 100% recognize as belonging to you. If in doubt, remove. You can always add it back later if you make a mistake. On both apps, your primary phone is the base and all other devices can be linked and unlinked there.There is a twist to this. In the Russian attack, the Signal group invite link was hijacked to link a device instead. But there is no way for someone to link a device without it showing in the settings per above. Regularly checking those links is key. Its also worth periodically unlinking browser web app links (as opposed to apps) and relinking.The NSAs other messaging advice should be common sense. Set and regularly change your app PIN and enable the screen lock. Do not share contact or status info, certainly not outside your contacts. The DOD agency also recommends keeping phone and app contacts a separate, albeit thats painful for everyday use.The concept of secure messaging is widely misunderstood. End-to-end encryption is a transmission safeguard. Content is scrambled by your device and unscrambled when it reaches a recipient. Each end (phones in a chat) is vulnerable to a compromise of that device, a user saving content, or the wrong person invited into a group. None of these apps are bulletproof if your other security is flawed or you make a mistake.You can read the NSAs full advisory here. Take heed and make sure you keep your work plans, your party plans and even your war plans secret.