Secure Messaging Apps Comparison

How to End Mass Surveillance

- Thoughts on Ending Government Mass Surveillance: Why I was Wrong
  November 3, 2020

Blog Posts

- The EU Giveth Digital Privacy & the EU Taketh Digital Privacy
  November 28, 2020
- The Road to Digital Serfdom
  November 8, 2020

	Google Messages	Apple iMessage	Facebook Messenger	Element / Riot	Signal	Microsoft Skype	Telegram	Threema	Viber	Facebook Whatsapp	Wickr Me	Wire	Session
Overview
Is the app recommended to secure my messages and attachments?	No	No	No	No	Yes	No	No	Yes	No	No	No	Yes	No
Main reasons why the app isn't recommended Improvements to apps that are recommended More details	Named as NSA partner in Snowden revelations Makes money from personal data Data not protected, not all data protected No independent & recent code audit and security analysis Closed source	Named as NSA partner in Snowden revelations Data not protected, not all data protected No independent & recent code audit and security analysis Closed source	Named as NSA partner in Snowden revelations Encryption not enabled by default Makes money from personal data Data not protected, not all data protected No independent & recent code audit and security analysis Closed source	No independent & recent code audit and security analysis	Remove the mandatory requirement for users to sign up with a mobile number Provide more comprehensive independent assessments of security/privacy	Named as NSA partner in Snowden revelations Encryption not enabled by default Makes money from personal data Data not protected, not all data protected Closed source	Bespoke cryptography Encryption not enabled by default Data not protected, not all data protected	Make APIs and server code open source Implement perfect forward secrecy at the end-to-end encryption layer Provide more comprehensive independent assessments of security/privacy	Data not protected, not all data protected No independent & recent code audit and security analysis Closed source	Named as NSA partner in Snowden revelations Makes money from personal data Data not protected, not all data protected No independent & recent code audit and security analysis Closed source	Recent security audits are not public Closed source	Further limit metadata storage and logging Provide more comprehensive independent assessments of security/privacy	No independent & recent code audit and security analysis Data not protected
Details
Company jurisdiction	USA	USA	USA	UK	USA	USA	USA / UK / Belize / UAE	Switzerland	Luxembourg / Japan	USA	USA	USA / Switzerland	Australia
Infrastructure jurisdiction	Worldwide (rollout on-going, unsure of exact locations, most likely Google Cloud regions)	USA (Ireland and Denmark planned); iMessage runs on AWS and Google Cloud	USA, Sweden (Ireland planned)	UK (and potentially all jurisdictions, given it's a decentralised messaging platform)	USA	USA, the Netherlands, Australia, Brazil, China, Ireland, Hong Kong, and Japan	UK, Singapore, USA, and Finland	Switzerland	USA	USA (unsure of other locations)	USA (unsure of other locations)	EU	Messages: Worldwide (uses de-centralised servers) Attachments: Centralised server in the US
Implicated in giving customers' data to intelligence agencies?	Yes	Yes	Yes	No	No	Yes	No	No	No	Yes	No	No	No
Surveillance capability built into the app?	No	No	No	No	No	Yes	No	No	No	No	No	No	No
Does the company provide a transparency report?	Yes	Yes	Yes	No	Yes	Yes	No	Yes	No	Yes	Yes	Yes	Yes
Company's general stance on customers' privacy	Poor	Poor	Poor	Good	Good	Poor	Poor	Good	Poor	Poor	Good	Good	Good
Funding	Google	Apple	Facebook	New Vector Limited	Freedom of the Press Foundation / the Knight Foundation / the Shuttleworth Foundation / the Open Technology Fund / Signal Foundation (Brian Acton)	Microsoft	Pavel Durov	User pays / Afinum Management AG	Rakuten / friends and family of Talmon Marco (it's very unclear)	Facebook	Gilman Louie / Juniper Networks / the Knight Foundation / Breyer Capital / CME Group / Wargaming / Merlin International / Lytical Ventures	Janus Friis / Iconical / Zeta Holdings Luxembourg / Morpheus Ventures	LAG Foundation Ltd
Company collects customers' data?	Yes	Yes	Yes	No	No	Yes	Yes	No	Yes	Yes	No	No	No
App collects customers' data?	Yes (Difficult to assess given the app is integrated into Google's greater ecosystem)	Yes (Difficult to assess given the app is integrated into Apple's greater ecosystem)	Health & fitness / purchases / financial info / location / contact info / contacts / user content / search history / browsing history / identifiers / usage data / sensitive info / diagnostics / other data	Contact info / contacts / identifiers / diagnostics / user content (Contact info not sent when using anonymously)	Contact Info	Yes (Information not submitted to Apple Store)	Contact info / contacts / identifiers	Contact info / identifiers / diagnostics (Contact info not sent when using anonymously)	Location / identifiers / purchases / location / contact info / contacts / identifiers / usage data / user content / usage data / diagnostics	Purchases / financial info / location / contact info / contacts / user content / identifiers / usage data / diagnostics	Contact info / usage data / diagnostics (Contact info not sent when using anonymously)	Contact info / identifiers / usage data / diagnostics	No
User data and/or metadata sent to parent company and/or third parties?	Yes	Yes	Yes	No (User data is sent to a third party if a payment is made)	Minimal (mandatory mobile number sent to third party for registration & recovery)	Yes	Yes	No (optional mobile number sent to third party for registration)	Yes	Yes	No (optional mobile number sent to third party for registration)	Yes	No
Is encryption turned on by default?	Yes	Yes	No	Yes	Yes	No	No	Yes	Yes (if device supports it)	Yes (if device supports it)	Yes	Yes	Yes
Cryptographic primitives	Curve25519 / AES-256 / HMAC-SHA256	RSA-1280 (encryption), ECDSA 256 (signing) / AES 128 / SHA-1	Curve25519 / AES-256 / HMAC-SHA256	Curve25519 / AES-256 / HMAC-SHA256	Curve25519 / AES-256 / HMAC-SHA256	RSA-1536 & 2048 / AES 256 / SHA-1	RSA 2048 / AES 256 / SHA-256	Curve25519 256 / XSalsa20 256 / Poly1305-AES 128	Curve25519 256 / Salsa20 128 / HMAC-SHA256	Curve25519 / AES-256 / HMAC-SHA256	ECDH512 / AES-256 / HMAC-SHA256	Curve25519 / ChaCha20 / HMAC-SHA256	X25519 / XSalsa20 256 / Poly1305
Are the app and server completely open source?	No	No	No	Yes (clients Element / Riot, server/API matrix.org)	Yes	No	No (clients and API only)	No (apps only)	No	No	No	Yes	Yes
Are reproducible builds used to verify apps against source code?	No	No	No	No	Android only	No	iOS and Android	Android only	No	No	No	No	No
Can you sign up to the app anonymously?	No	No	No	Yes	No	No	No	Yes	No	No	Yes	No	Yes
Can you add a contact without needing to trust a directory server?	N/A, Google Messages uses RCS, which doesn't use a directory service	No	No	No	No	No	No	Yes	Yes	No	No	No	Yes
Can you manually verify contacts' fingerprints?	Yes	No	Yes	Yes	Yes	No	No (session only, does not provide users' fingerprint information)	Yes	Yes	Yes	Yes	Yes	Yes
Directory service could be modified to enable a MITM attack?	N/A, Google Messages uses RCS, which doesn't use a directory service	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Do you get notified if a contact's fingerprint changes?		No		Yes	Yes	No	No (session only, does not provide users' fingerprint information)	Yes	Yes	No (setting turned off by default)	Yes	If contact was previously verified	N/A
Is personal information (mobile number, contact list, etc.) hashed?	N/A, Google Messages uses RCS, which doesn't use a directory service	No	No	Yes	Mostly	No	No	Yes	No	No	Yes	Mostly	N/A
Does the app generate & keep a private key on the device itself?	Yes	Yes	Yes	Yes	Yes		Yes	Yes	Yes	Yes	Yes	Yes	Yes
Can messages be read by the company?	No	No	Yes	No	No	Yes	Yes	No	No	No	No	No	No
Does the app enforce perfect forward secrecy?	Yes	No	Yes	Yes	Yes		No (session keys do change after being used 100 times)	No	Yes	Yes	Yes	Yes	Yes
Does the app encrypt metadata?	No	No	No		Yes		No	Yes		No	Yes	Mostly	Yes
Does the app use TLS/Noise to encrypt network traffic?	Yes	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes	Yes	Yes	Yes	Yes
Does the app use certificate pinning?		Yes (>=iOS 9.3)			Yes			Yes			Yes	Yes	No
Does the app encrypt data on the device? (iOS and Android only)	No	Yes (if passphrase enabled)		Yes	Yes (if passphrase enabled)			iOS: Yes (if passphrase enabled); Android: Yes (if master key set in the app)			iOS: Yes (if passphrase enabled); Android: Yes (unsure of function)	Yes	Yes
Does the app allow a secondary factor of authentication?	No	No	No	No	Yes	No	Yes	Yes	No	Yes	Yes (password for account used)	Yes	Yes
Are messages encrypted when backed up to the cloud?	Yes (>= Android P)	No		Yes	N/A, Signal is excluded from iCloud/iTunes & Android backups			Yes		iOS: Yes Android: No	N/A, Wickr is excluded from iCloud/iTunes & Android backups	N/A, Wire is excluded from iCloud/iTunes & Android backups	No
Does the company log timestamps/IP addresses?		Yes	Yes		No	Yes	Yes	No	Yes	Yes	No	Some	No
Have there been a recent code audit and an independent security analysis?	No	No	No	No (Matrix's encryption library reviewed by an independent party)	Yes (October, 2014)	No	Yes (November, 2015)	Yes (October, 2020)	No	No	Yes (August, 2014)	Yes (March, 2018)	No
Is the design well documented?	No	Somewhat	Somewhat	Somewhat	Somewhat	No	Somewhat	Somewhat	Somewhat	Somewhat	Somewhat	Somewhat	Somewhat
Does the app have self-destructing messages?	No	No	Yes	No	Yes	No	Yes	No	Yes	Yes	Yes	Yes	Yes

The comparison was last updated on 26/Jan/21. Please contact me with any updates, if I have made any mistakes.

Red = Something of major concern.

Yellow = Something of concern.

Green = Nothing of concern.

Blank = I couldn’t find any information about it.