The comparison was last updated on 26/Jan/21. Please contact me with any updates, if I have made any mistakes.
Red = Something of major concern.
Yellow = Something of concern.
Green = Nothing of concern.
Blank = I couldn’t find any information about it.
| Google Messages | Apple iMessage | Facebook Messenger | Element / Riot | Signal | Microsoft Skype | Telegram | Threema | Viber | Facebook Whatsapp | Wickr Me | Wire | Session (in progress) |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Overview | |||||||||||||
| Is the app recommended to secure my messages and attachments? | No | No | No | No | Yes | No | No | Yes | No | No | No | Yes | No |
| Main reasons why the app isn't recommended? | Named as NSA partner in Snowden revelations Makes money from personal data Data not protected, not all data protected No independent & recent code audit and security analysis Closed source | Named as NSA partner in Snowden revelations Data not protected, not all data protected No independent & recent code audit and security analysis Closed source | Named as NSA partner in Snowden revelations Encryption not enabled by default Makes money from personal data Data not protected, not all data protected No independent & recent code audit and security analysis Closed source | No independent & recent code audit and security analysis | Recommended | Named as NSA partner in Snowden revelations Encryption not enabled by default Makes money from personal data Data not protected, not all data protected Closed source | Bespoke cryptography Encryption not enabled by default Data not protected, not all data protected | Recommended | Data not protected, not all data protected No independent & recent code audit and security analysis Closed source | Named as NSA partner in Snowden revelations Makes money from personal data Data not protected, not all data protected No independent & recent code audit and security analysis Closed source | Recent security audits are not public Closed source | Recommended | No independent & recent code audit and security analysis |
Details | |||||||||||||
| Company jurisdiction | USA | USA | USA | UK | USA | USA | USA / UK / Belize / UAE | Switzerland | Luxembourg / Japan | USA | USA | Switzerland | Australia |
| Infrastructure jurisdiction | Worldwide (rollout on-going, unsure of exact locations, most likely Google Cloud regions) | USA (Ireland and Denmark planned); iMessage runs on AWS and Google Cloud | USA, Sweden (Ireland planned) | UK (and potentially all jurisdictions, given it's a decentralised messaging platform) | USA | USA, the Netherlands, Australia, Brazil, China, Ireland, Hong Kong, and Japan | UK, Singapore, USA, and Finland | Switzerland | USA | USA (unsure of other locations) | USA (unsure of other locations) | EU | Messages: Worldwide (uses de-centralised servers) Attachments: Centralised server (unknown location) |
| Implicated in giving customers' data to intelligence agencies? | Yes | Yes | Yes | No | No | Yes | No | No | No | Yes | No | No | No |
| Surveillance capability built into the app? | No | No | No | No | No | Yes | No | No | No | No | No | No | No |
| Does the company provide a transparency report? | Yes | Yes | Yes | No | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes |
| Company's general stance on customers' privacy | Poor | Poor | Poor | Good | Good | Poor | Poor | Good | Poor | Poor | Good | Good | Good |
| Funding | Apple | New Vector Limited | Freedom of the Press Foundation / the Knight Foundation / the Shuttleworth Foundation / the Open Technology Fund / Signal Foundation (Brian Acton) | Microsoft | Pavel Durov | User pays / Afinum Management AG | Rakuten / friends and family of Talmon Marco (it's very unclear) | Gilman Louie / Juniper Networks / the Knight Foundation / Breyer Capital / CME Group / Wargaming / Merlin International / Lytical Ventures | Janus Friis / Iconical / Zeta Holdings Luxembourg | LAG Foundation Ltd | |||
| Company collects customers' data? | Yes | Yes | Yes | No | No | Yes | Yes | No | Yes | Yes | No | No | No |
| App collects customers' data? | Yes (Difficult to assess given the app is integrated into Google's greater ecosystem) | Yes (Difficult to assess given the app is integrated into Apple's greater ecosystem) | Health & fitness / purchases / financial info / location / contact info / contacts / user content / search history / browsing history / identifiers / usage data / sensitive info / diagnostics / other data | Contact info / contacts / identifiers / diagnostics / user content (Contact info not sent when using anonymously) | Contact Info | Yes (Information not submitted to Apple Store) | Contact info / contacts / identifiers | Contact info / identifiers / diagnostics (Contact info not sent when using anonymously) | Location / identifiers / purchases / location / contact info / contacts / identifiers / usage data / user content / usage data / diagnostics | Purchases / financial info / location / contact info / contacts / user content / identifiers / usage data / diagnostics | Contact info / usage data / diagnostics (Contact info not sent when using anonymously) | Contact info / identifiers / usage data / diagnostics | No |
| User data and/or metadata sent to parent company and/or third parties? | Yes | Yes | Yes | No (User data is sent to a third party if a payment is made) | Minimal (mandatory mobile number sent to third party for registration & recovery) | Yes | Yes | No (optional mobile number sent to third party for registration) | Yes | Yes | No (optional mobile number sent to third party for registration) | Yes | No |
| Is encryption turned on by default? | Yes | Yes | No | Yes | Yes | No | No | Yes | Yes (if device supports it) | Yes (if device supports it) | Yes | Yes | Yes |
| Cryptographic primitives | Curve25519 / AES-256 / HMAC-SHA256 | RSA-1280 (encryption), ECDSA 256 (signing) / AES 128 / SHA-1 | Curve25519 / AES-256 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | RSA-1536 & 2048 / AES 256 / SHA-1 | RSA 2048 / AES 256 / SHA-256 | Curve25519 256 / XSalsa20 256 / Poly1305-AES 128 | Curve25519 256 / Salsa20 128 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | ECDH512 / AES-256 / HMAC-SHA256 | Curve25519 / ChaCha20 / HMAC-SHA256 | X25519 / AES (unsure of key length / unknown |
| Are the app and server completely open source? | No | No | No | Yes (clients Element / Riot, server/API matrix.org) | Yes | No | No (clients and API only) | No (apps only) | No | No | No | Yes | Yes |
| Are reproducible builds used to verify apps against source code? | No | No | No | No | Android only | No | iOS and Android | Android only | No | No | No | No | No |
| Can you sign up to the app anonymously? | No | No | No | Yes | No | No | No | Yes | No | No | Yes | No | Yes |
| Can you add a contact without needing to trust a directory server? | N/A, Google Messages uses RCS, which doesn't use a directory service | No | No | No | No | No | No | Yes | Yes | No | No | No | Yes |
| Can you manually verify contacts' fingerprints? | Yes | No | Yes | Yes | Yes | No | No (session only, does not provide users' fingerprint information) | Yes | Yes | Yes | Yes | Yes | Yes |
| Directory service could be modified to enable a MITM attack? | N/A, Google Messages uses RCS, which doesn't use a directory service | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Do you get notified if a contact's fingerprint changes? | No | Yes | Yes | No | No (session only, does not provide users' fingerprint information) | Yes | Yes | No (setting turned off by default) | Yes | If contact was previously verified | N/A | ||
| Is personal information (mobile number, contact list, etc.) hashed? | N/A, Google Messages uses RCS, which doesn't use a directory service | No | No | Yes | Mostly | No | No | Yes | No | No | Yes | Mostly | N/A |
| Does the app generate & keep a private key on the device itself? | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| Can messages be read by the company? | No | No | Yes | No | No | Yes | Yes | No | No | No | No | No | No |
| Does the app enforce perfect forward secrecy? | Yes | No | Yes | Yes | Yes | No (session keys do change after being used 100 times) | No | Yes | Yes | Yes | Yes | Yes | |
| Does the app encrypt metadata? | No | No | No | Yes | No | Yes | No | Yes | Mostly | Yes | |||
| Does the app use TLS/Noise to encrypt network traffic? | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Does the app use certificate pinning? | Yes (>=iOS 9.3) | Yes | Yes | Yes | Yes | ||||||||
| Does the app encrypt data on the device? (iOS and Android only) | No | Yes (if passphrase enabled) | Yes | Yes (if passphrase enabled) | iOS: Yes (if passphrase enabled); Android: Yes (if master key set in the app) | iOS: Yes (if passphrase enabled); Android: Yes (unsure of function) | Yes | ||||||
| Does the app allow a secondary factor of authentication? | No | No | No | No | Yes | No | Yes | Yes | No | Yes | Yes (password for account used) | Yes | Yes |
| Are messages encrypted when backed up to the cloud? | Yes (>= Android P) | No | Yes | N/A, Signal is excluded from iCloud/iTunes & Android backups | Yes | iOS: Yes Android: No | N/A, Wickr is excluded from iCloud/iTunes & Android backups | N/A, Wire is excluded from iCloud/iTunes & Android backups | |||||
| Does the company log timestamps/IP addresses? | Yes | Yes | No | Yes | Yes | No | Yes | Yes | No | Some | No | ||
| Have there been a recent code audit and an independent security analysis? | No | No | No | No (Matrix's encryption library reviewed by an independent party) | Yes (October, 2014) | No | Yes (November, 2015) | Yes (October, 2020) | No | No | Yes (August, 2014) | Yes (March, 2018) | No |
| Is the design well documented? | No | Somewhat | Somewhat | Somewhat | Somewhat | No | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat |
| Does the app have self-destructing messages? | No | No | Yes | No | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes |