Google Messages

Apple iMessage

Facebook Messenger

Element

Signal

Microsoft Skype

Telegram

Threema

Viber

Facebook Whatsapp

Amazon Wickr Me

Wire

Session

Simplex

Twitter DM

Overview

Is the app recommended to secure my messages and attachments?NoNoNoNoYesNoNoYesNoNoNoYesYesNeeds further consideration and feedbackNo
Main reasons why the app isn't recommended

Improvements to apps that are recommended

More details



Named as NSA partner in Snowden revelations

Makes money from personal data

Data not protected, not all data protected

No independent & recent code audit and security analysis

Closed source
Named as NSA partner in Snowden revelations

Data not protected, not all data protected

No independent & recent code audit and security analysis


Closed source
Named as NSA partner in Snowden revelations

Encryption not enabled by default

Makes money from personal data

Data not protected, not all data protected

No independent & recent code audit and security analysis

Closed source
No independent & recent code audit and security analysis Remove the mandatory requirement for users to sign up with a mobile number

Provide more comprehensive independent assessments of security/privacy
Named as NSA partner in Snowden revelations

Encryption not enabled by default

Makes money from personal data

Data not protected, not all data protected


Closed source
Bespoke cryptography

Encryption not enabled by default

Data not protected, not all data protected
Make APIs and server code open source


Provide more comprehensive independent assessments of security/privacy
Data not protected, not all data protected

No independent & recent code audit and security analysis

Closed source
Named as NSA partner in Snowden revelations

Messages can be read by Facebook if marked as "abusive"

Makes money from personal data

Data not protected, not all data protected

No independent & recent code audit and security analysis

Closed source
Former NSA chief Keith Alexander is on Amazon’s board of directors

Funded by the CIA

Recent security audits are not public

Has contracts with the US government

Closed source
Further limit metadata storage and logging

Provide more comprehensive independent assessments of security/privacy
Implement perfect forward secrecy at the end-to-end encryption layer

Provide more comprehensive independent assessments of security/privacy
Provide a transparency reportEnd-to-end encryption not implemented for all users and group chats

No implementation details

No comprehensive independent assessments of security/privacy

Closed source

Details

Company jurisdictionUSAUSAUSAUKUSAUSAUSA / UK / Belize / UAESwitzerlandLuxembourg / JapanUSAUSAUSA / SwitzerlandAustraliaUKUSA
Infrastructure jurisdictionWorldwide (rollout on-going, unsure of exact locations, most likely Google Cloud regions) USA (Ireland and Denmark planned); iMessage runs on AWS and Google CloudUSA, Sweden (Ireland planned)UK (and potentially all jurisdictions, given it's a decentralised messaging platform)USAUSA, the Netherlands, Australia, Brazil, China, Ireland, Hong Kong, and JapanUK, Singapore, USA, and FinlandSwitzerlandUSAUSA (unsure of other locations)USA (unsure of other locations)EUMessages: Worldwide (uses de-centralised servers)

Attachments: Centralised server in Canada
Worldwide (uses de-centralised servers)USA, worldwide (unsure of other locations)
Implicated in giving customers' data to intelligence agencies?YesYesYesNoNoYesNoNoNoYesNoNoNoNoYes
Surveillance capability built into the app?NoNoNoNoNoYesNoNoNoNoNoNoNoNoNo
Does the company provide a transparency report?YesYesYesNoYesYesNoYesNoYesYesYesYesNoYes
Company's general stance on customers' privacyPoorPoorPoorGoodGoodPoorPoorGoodPoorPoorPoorGoodGoodGoodPoor
FundingGoogleAppleFacebookNew Vector LimitedFreedom of the Press Foundation / the Knight Foundation / the Shuttleworth Foundation / the Open Technology Fund / Signal Foundation (Brian Acton)MicrosoftPavel DurovUser pays / Afinum Management AGRakuten / friends and family of Talmon Marco (it's very unclear)FacebookAmazon / CIAJanus Friis / Iconical / Zeta Holdings Luxembourg /
Morpheus Ventures
LAG Foundation LtdVenture Capital fund Village GlobalTwitter
Company collects customers' data?YesYesYesNoNoYesYesNoYesYesYesNoNoNoYes
App collects customers' data?Yes

(Difficult to assess given the app is integrated into Google's greater ecosystem)
Yes

(Difficult to assess given the app is integrated into Apple's greater ecosystem)
Health & fitness / purchases / financial info / location / contact info / contacts / user content / search history / browsing history / identifiers / usage data / sensitive info / diagnostics / other dataContact info / contacts /
identifiers /
diagnostics /
user content

(Contact info not sent when using anonymously)
Contact InfoIdentifiers /
Contact Info /
User Content /
Identifiers /
Usage Data /
Diagnostics
Contact info /
contacts /
identifiers
Contact info / identifiers / diagnostics

(Contact info not sent when using anonymously)
Location / identifiers / purchases / location / contact info / contacts / identifiers / usage data / user content / usage data / diagnosticsPurchases /
financial info /
location /
contact info /
contacts /
user content /
identifiers /
usage data /
diagnostics
Contact info /
usage data /
diagnostics

(Contact info not sent when using anonymously)
Contact info / identifiers / usage data / diagnosticsNoNoPurchases /
Location /
Contact Info /
Contacts /
User Content /
Search History /
Browsing History /
Identifiers /
Usage Data /
Diagnostics
User data and/or metadata sent to parent company and/or third parties?YesYesYesNo

(User data is sent to a third party if a payment is made)
Minimal

(mandatory mobile number sent to third party for registration & recovery)
YesYesNo

(optional mobile number sent to third party for registration)
YesYesNo

(optional mobile number sent to third party for registration)
YesNoNo
Yes
Is encryption turned on by default?YesYesNoYesYesNoNoYesYes (if device supports it)Yes (if device supports it)YesYesYesYesNo
Cryptographic primitivesCurve25519 / AES-256 / HMAC-SHA256P-256 ECDH & Kyber-768/1024 / AES-256 / HMAC-SHA384Curve25519 / AES-256 / HMAC-SHA256Curve25519 / AES-256 / HMAC-SHA256Curve25519 & Kyber-1024 / AES-256 / HMAC-SHA256/512Curve25519 / AES-256 / HMAC-SHA256RSA 2048 / AES 256 / SHA-256Curve25519 256 / XSalsa20 256 / Poly1305-AES 128Curve25519 256 / Salsa20 128 / HMAC-SHA256Curve25519 / AES-256 / HMAC-SHA256ECDH512 / AES-256 / HMAC-SHA256Curve25519 / ChaCha20 / HMAC-SHA256X25519 / XSalsa20 256 / Poly1305 Curve25519 / XSalsa20 256 / Poly1305
Are the app and server completely open source?NoNoNoYes (clients Element / Riot, server/API matrix.org) YesNoNo (clients and API only)No (apps only)NoNoNoYesYesYesNo
Are reproducible builds used to verify apps against source code? NoNoNoNoAndroid onlyNoiOS and AndroidAndroid onlyNoNoNoNoNoNoNo
Can you sign up to the app anonymously?NoNoNoYesNoNoNoYesNoNoYesNoYesYes
No
Can you add a contact without needing to trust a directory server?N/A, Google Messages uses RCS, which doesn't use a directory serviceNoNoNoNoNoNoYesYesNoNoNoYesYesNo
Can you manually verify contacts' fingerprints?YesYesYesYesYesNoNo (session only, does not provide users' fingerprint information)YesYesYesYesYesYesYes
Directory service could be modified to enable a MITM attack?N/A, Google Messages uses RCS, which doesn't use a directory serviceYesYesYesYesYesYesYesYesYesYesYesYesYesYes
Do you get notified if a contact's fingerprint changes?YesYesYesNoNo (session only, does not provide users' fingerprint information)YesYesNo (setting turned off by default)YesIf contact was previously verifiedN/AN/A
Is personal information (mobile number, contact list, etc.) hashed?N/A, Google Messages uses RCS, which doesn't use a directory serviceNoNoYesMostlyNoNoYesNoNoYesMostlyN/AN/ANo
Does the app generate & keep a private key on the device itself?YesYesYesYesYesYesYesYesYesYesYesYesYesYes
Can messages be read by the company?NoNoYesNoNoYesYesNoNoYesNoNoNoNo
Does the app enforce perfect forward secrecy?YesYesYesYesYesYesNo (session keys do change after being used 100 times)YesYesYesYesYesNoYes
Does the app encrypt metadata?NoNoNoYesNoNoYesNoYesMostlyYesYes
Does the app use TLS/Noise to encrypt network traffic?YesYesYesYesYesYesNoYesYesYesYesYesYesYes
Does the app use certificate pinning?Yes (>=iOS 9.3)YesYesYesYesYes
Does the app encrypt data on the device? (iOS and Android only)NoYes (if passphrase enabled)YesYes (if passphrase enabled)iOS: Yes (if passphrase enabled); Android: Yes (if master key set in the app)iOS: Yes (if passphrase enabled); Android: Yes (unsure of function)YesYesYes
Does the app allow local authentication when opening it?NoNoYes
NoYesNoYesYesNoYesYes (password for account used)YesYesYes
Are messages encrypted when backed up to the cloud?Yes (>= Android P)NoYesN/A, Signal is excluded from iCloud/iTunes & Android backupsYesiOS: Yes
Android: Yes
N/A, Wickr is excluded from iCloud/iTunes & Android backupsN/A, Wire is excluded from iCloud/iTunes & Android backupsN/A, Session is excluded from iCloud/iTunes & Android backups
Does the company log timestamps/IP addresses?YesYesNoYesYesNoYesYesNoSomeNoYes
Yes
Have there been a recent code audit and an independent security analysis?NoNoNoNo

(Matrix's encryption library reviewed by an independent party)
Yes (many in the last few years)NoYes (November, 2015)Yes (October, 2020)NoNoYes (August, 2014)Yes (March, 2018) Yes (April, 2021)Yes (November, 2022)
No
Is the design well documented?NoSomewhatSomewhatSomewhatSomewhatNoSomewhatSomewhatSomewhatSomewhatSomewhatSomewhatSomewhatSomewhatNo
Does the app have self-destructing messages?NoNoYesNoYesNoYesNoYesYesYesYesYesYesYes

Red = Something of major concern.

Yellow = Something of concern.

Green = Nothing of concern.

Blank = I couldn’t find any information about it.

N/A = Not applicable.