I intend to update this site over Christmas 2020. Please contact me with any updates, if I have made any mistakes.
| Comparison | Allo | iMessage | Messenger | Riot | Signal | Skype | Telegram | Threema | Viber | Wickr | Wire | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TL;DR: Does the app secure my messages and attachments? | No | No | No | No | Yes | No | No | Yes | No | No | No | Yes |
| Company jurisdiction | USA | USA | USA | UK | USA | USA | USA / UK / Belize | Switzerland | Luxembourg / Japan | USA | USA | Switzerland |
| Infrastructure jurisdiction | USA, Belgium, Finland, Ireland,the Netherlands, Chile, Taiwan,and Singapore | USA (Ireland and Denmark planned); iMessage runs on AWS and Google Cloud | USA, Sweden (Ireland planned) | UK (and potentially all jurisdictions, given it's a decentralised messaging platform) | USA | USA, the Netherlands, Australia, Brazil, China, Ireland, Hong Kong, and Japan | UK, Singapore, USA, and Finland | Switzerland | USA | USA (unsure of other locations) | USA (unsure of other locations) | Germany / Ireland |
| Implicated in giving customers' data to intelligence agencies? | Yes | Yes | Yes | No | No | Yes | No | No | No | Yes | No | No |
| Surveillance capability built into the app? | No | No | No | No | No | Yes | No | No | No | No | No | No |
| Does the company provide a transparency report? | Yes | Yes | Yes | No | Yes | Yes | No | Yes | No | Yes | Yes | Yes |
| Company's general stance on customers' privacy | Poor | Poor | Poor | Good | Good | Poor | Poor | Good | Poor | Poor | Good | Good |
| Funding | Apple | New Vector Limited | Freedom of the Press Foundation, the Knight Foundation, the Shuttleworth Foundation, and the Open Technology Fund, Signal Foundation (Brian Acton) | Microsoft | Pavel Durov | User pays | Rakuten, friends and family of Talmon Marco (it's very unclear) | Gilman Louie, Juniper Networks, the Knight Foundation, Breyer Capital, CME Group, and Wargaming | Janus Friis, Iconical, Zeta Holdings Luxembourg | |||
| Company collects customers' data? | Yes | Yes | Yes | No | No | Yes | Yes | No | Yes | Yes | No | No |
| App collects customers' data? | Yes | Yes | Yes | Minimal | Minimal | Yes | Yes | No | Yes | Yes | No | Minimal |
| Is encryption turned on by default? | No | Yes | No | No | Yes | Yes | No | Yes | Yes (if device supports it) | Yes (if device supports it) | Yes | Yes |
| Cryptographic primitives | RSA-1280 (encryption), ECDSA 256 (signing) / AES 128 / SHA-1 | Curve25519 / AES-256 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | RSA-1536 & 2048 / AES 256 / SHA-1 | RSA 2048 / AES 256 / SHA-256 | Curve25519 256 / XSalsa20 256 / Poly1305-AES 128 | Curve25519 256 / Salsa20 128 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | ECDH512 / AES-256 / HMAC-SHA256 | Curve25519 / ChaCha20 / HMAC-SHA256 | |
| Are the app and server completely open source? | No | No | No | Yes | Yes | No | No (clients and API only) | No | No | No | No | Yes |
| Can you sign up to the app anonymously? | No | No | No | Yes | No | No | No | Yes | No | No | Yes | No |
| Can you add a contact without needing to trust a directory server? | No | No | No | No | No | No | No | Yes | Yes | No | No | No |
| Can you manually verify contacts' fingerprints? | No | No | Yes | Yes | Yes | No | No (session only, does not provide users' fingerprint information) | Yes | Yes | Yes | Yes | Yes |
| Directory service could be modified to enable a MITM attack? | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Do you get notified if a contact's fingerprint changes? | No | No | Yes | Yes | No | No (session only, does not provide users' fingerprint information) | Yes | Yes | No (setting turned off by default) | No | If contact was previously verified | |
| Is personal information (mobile number, contact list, etc.) hashed? | No | No | No | Mostly | No | No | Yes | No | No | Yes | Mostly | |
| Does the app generate & keep a private key on the device itself? | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | ||
| Can messages be read by the company? | Yes | No | Yes | No | No | Yes | Yes | No | No | No | No | No |
| Does the app enforce perfect forward secrecy? | No | Yes | Yes | Yes | No (session keys do change after being used 100 times) | No | Yes | Yes | Yes | Yes | ||
| Does the app encrypt metadata? | No | No | Yes | No | Yes | No | Yes | Mostly | ||||
| Does the app use TLS/Noise to encrypt network traffic? | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Does the app use certificate pinning? | Yes (>=iOS 9.3) | Yes | Yes | Yes | ||||||||
| Does the app encrypt data on the device? (iOS and Android only) | Yes (if passphrase enabled) | Yes (if passphrase enabled) | iOS: Yes (if passphrase enabled); Android: Yes (if master key set in the app) | iOS: Yes (if passphrase enabled); Android: Yes (unsure of function) | Yes | |||||||
| Does the app allow a secondary factor of authentication? | No | No | No | No | No | No | Yes | Yes | No | Yes | Yes (password for account used) | Yes |
| Are messages encrypted when backed up to the cloud? | No | N/A, Signal is excluded from iCloud/iTunes & Android backups | Yes | iOS: Yes Android: No | N/A, Wire is excluded from iCloud/iTunes & Android backups | |||||||
| Does the company log timestamps/IP addresses? | Yes | Yes | Yes | No | Yes | Yes | No | Yes | Yes | No | Some | |
| Have there been a recent code audit and an independent security analysis? | No | No | No | No | Yes (October, 2014) | No | Yes (November, 2015) | Yes (November, 2015) | No | No | Yes (August, 2014) | Yes (March, 2018) |
| Is the design well documented? | No | Somewhat | Somewhat | Somewhat | Somewhat | No | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat |
| Does the app have self-destructing messages? | Yes | No | Yes | No | Yes | No | Yes | No | No | No | Yes | Yes |
Red = Something of major concern.
Yellow = Something of concern.
Green = Nothing of concern.
Blank = I couldn’t find any information about it.