The objective of this site
I created this site to enable people to compare many so-called “secure messaging apps”. Likewise, I hope to educate people as to which functionality is required for truly secure messaging.
This site is not meant to be comprehensive; security is difficult, and a full review of each app is simply not feasible given the time it would take and, in many cases, the lack of access to source code.
Shouldn’t you stay impartial?
In my experience, normal people (read: non-security/privacy people) want a simple yes/no answer or a recommendation. I believe that my comparison is fair, and that is why I have included my criteria for how I rated each of the apps.
I am not connected to any of the companies or people behind the apps.
- I’ve assumed, for iMessage and Skype, that both the sender and the receiver are using the same app. Both fall back to unencrypted communication (for iMessage, plain SMS) if the other party doesn’t support encryption.
So… which app(s) should I use?
- Signal. It’s completely open source, written by a well-known security expert, and its protocol (the Signal Protocol) is used in other messaging apps (e.g., WhatsApp and Wire). Signal is funded by donations and grants, not corporate money that relies upon your data, and its implementation has been reviewed by security experts and cryptographers. It’s solid.
- Threema. If you’re looking to avoid Five Eyes/Fourteen Eyes, or you’d like to use an app anonymously, then it’s a good choice. It has a user-pays model, its design is solid, and the app has been independently reviewed. It is, however, closed source.
- Wire. Again, if you’re looking to avoid Five Eyes/Fourteen Eyes, then it’s a good choice. It’s not as well documented as Signal and Threema, although both its client and its server are open source. It has been independently reviewed. Threema and Wire provide slightly different levels of security and privacy; I’d recommend them both equally for the average user.
Which apps should I avoid?
- Facebook Messenger. Encryption isn’t enabled by default, Facebook’s business model relies on collecting user information, and they were implicated as an NSA partner in the Snowden leaks.
- Google Allo. Encryption isn’t enabled by default, Google’s business model relies on collecting user information, and they were implicated as an NSA partner in the Snowden leaks.
- iMessage. It provides no way for users to verify each other’s keys, its design is completely closed, metadata is not protected, and it has never been audited independently. Despite Apple’s recent focus on privacy, Apple was named as an NSA partner in the Snowden leaks.
- Riot. It’s run by a UK-based company, and its encryption is still in beta. It looks promising, but I wouldn’t suggest using it for anything important.
- Skype. It’s been designed with built-in surveillance. Enough said. Microsoft were named as partners with the NSA in the Snowden leaks.
- Telegram. Bespoke cryptography is not a good idea, encryption is not enabled by default, user verification isn’t implemented correctly, user data (phone numbers, contact information) is not protected, and it has largely been criticised by cryptographers/security experts.
- Viber. It’s closed source, it was founded by Talmon Marco, former Chief Information Officer (CIO) of the Israel Defense Forces’ Central Command, its funding is unclear, it doesn’t protect user data, and it hasn’t been independently audited.
- WhatsApp. It’s closed source, owned by Facebook (whose business model relies on collecting user information), doesn’t protect metadata, doesn’t protect user data (phone numbers, contact information), logs timestamps/user metadata, and it hasn’t been independently audited. Facebook was also named as an NSA partner in the Snowden leaks. It does, however, use the same protocol as Signal.
- Wickr. It’s closed source and an American company. That’s enough to rule it out for me in this post-Snowden world.
A word on trust
In order to consider any of the apps “secure”, you must trust the people behind them. Each of the apps has one weakness in common: you must trust a third party (them) in order for it to work. Namely, you must:
- trust that they have no incentive to protect your data poorly,
- trust that they have designed and implemented a secure solution,
- trust that they won’t/can’t hand over your data to the authorities,
- trust that the source from which you downloaded the app hasn’t modified it,
- trust that the source code they publish, if they do, is solely what was used to compile the app (reproducible builds are the only way to check this yourself), and
- trust that there are no backdoors or security vulnerabilities.
Specifically, with every single app that I’ve assessed, you must trust their directory servers. These are the servers that map an identity (a phone number, username or email address) to a public key, so that a message Person A sends to Person B is encrypted to Person B’s key, and Person C can neither intercept the message nor impersonate either Person A or Person B. A directory server that lies about a key, whether it has been compromised or coerced, can insert Person C into the conversation without either party noticing. The only way to detect this is to verify keys out of band (comparing fingerprints or safety numbers in person or over another channel), which is why “user verification” is one of the criteria in the table.
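The following is an added illustration of the point above, not code from the site or from any of the apps it covers. It simulates a directory server that maps names to public keys, an honest lookup and a lying lookup that substitutes an attacker’s key, and the safety-number style fingerprint that exposes the substitution. The Diffie-Hellman group is a constructed 64-bit toy (so the example runs with the Python standard library alone and is not secure); real apps use X25519 and a Signal-style safety-number construction, and the names `Directory`, `LyingDirectory`, `exchange` and `demo` are this example’s own.

```python
"""
Why the directory (key) server must be trusted, and what out-of-band key
verification catches.

Added illustration for this FAQ, not code from any app discussed here.
The Diffie-Hellman group is a constructed toy (a 64-bit prime) so that the
example runs with the standard library only; it is NOT secure.
"""
import hashlib
import secrets

P = (1 << 64) - 59   # largest 64-bit prime; toy parameter, not for real use
G = 2


def keygen():
    """Return a (private, public) pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub):
    """Symmetric key derived from the Diffie-Hellman shared value."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(8, "big")).hexdigest()


def safety_number(name_a, pub_a, name_b, pub_b):
    """Fingerprint over both identity keys, sorted so either side computes the
    same string. Simplified stand-in for a safety number / key fingerprint."""
    halves = sorted([f"{name_a}:{pub_a}", f"{name_b}:{pub_b}"])
    digest = hashlib.sha256("|".join(halves).encode()).digest()
    digits = str(int.from_bytes(digest, "big"))[:30]
    return " ".join(digits[i:i + 5] for i in range(0, 30, 5))


class Directory:
    """Honest directory: hands back whatever key a user registered."""

    def __init__(self):
        self.keys = {}

    def register(self, user, pub):
        self.keys[user] = pub

    def lookup(self, user):
        return self.keys[user]


class LyingDirectory(Directory):
    """Compromised or coerced directory: answers every lookup with the
    attacker's key while keeping the real keys for the attacker's own use."""

    def __init__(self, attacker_pub):
        super().__init__()
        self.attacker_pub = attacker_pub

    def lookup(self, user):
        return self.attacker_pub


def exchange(directory, alice, bob):
    """alice, bob = (name, priv, pub). Each fetches the other's key from the
    directory, derives a session key, and computes the safety number its UI
    would display for that (possibly substituted) key."""
    a_name, a_priv, a_pub = alice
    b_name, b_priv, b_pub = bob
    bob_seen_by_alice = directory.lookup(b_name)
    alice_seen_by_bob = directory.lookup(a_name)
    return {
        "alice_key": session_key(a_priv, bob_seen_by_alice),
        "bob_key": session_key(b_priv, alice_seen_by_bob),
        "alice_sn": safety_number(a_name, a_pub, b_name, bob_seen_by_alice),
        "bob_sn": safety_number(a_name, alice_seen_by_bob, b_name, b_pub),
    }


def demo():
    """Run the honest and the lying scenario; return what each party observes."""
    alice = ("alice", *keygen())
    bob = ("bob", *keygen())
    mallory_priv, mallory_pub = keygen()

    honest = Directory()
    honest.register("alice", alice[2])
    honest.register("bob", bob[2])
    good = exchange(honest, alice, bob)

    lying = LyingDirectory(mallory_pub)
    lying.register("alice", alice[2])   # the real keys are still on the server
    lying.register("bob", bob[2])
    bad = exchange(lying, alice, bob)

    return {
        "honest_keys_agree": good["alice_key"] == good["bob_key"],
        "honest_safety_numbers_match": good["alice_sn"] == good["bob_sn"],
        "mitm_keys_agree": bad["alice_key"] == bad["bob_key"],
        "mitm_safety_numbers_match": bad["alice_sn"] == bad["bob_sn"],
        # Mallory derives each victim's session key from the real public keys
        "mallory_reads_alice": bad["alice_key"] == session_key(mallory_priv, alice[2]),
        "mallory_reads_bob": bad["bob_key"] == session_key(mallory_priv, bob[2]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

With the honest directory both parties derive the same key and see the same safety number. With the lying directory, Alice and Bob each end up sharing a key with Mallory rather than with each other, nothing in the app looks wrong, and only comparing safety numbers out of band reveals the mismatch. An app without user verification gives you no way to run that check.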
You’re wrong! I must have my say about xyz
A word on threat models
It’s said that security/privacy without a threat model is an undefined problem. (Well, that’s what I say, at least.)
Everyone’s threat model is different. If you’re sending messages to your mum about dinner, then the privacy of your data and metadata probably isn’t of much concern. However, if you’re a medical professional, journalist, lawyer, political dissident, or even a politician, there are many reasons why you would want to protect your, or your clients’, information.
A note on message delivery
Even though apps may have their infrastructure outside of Five Eyes/Fourteen Eyes countries, they may still rely on USA-based infrastructure in order to deliver notifications to devices. Both Google and Apple provide such notification services — for Android and iOS respectively — that run on infrastructure in the USA.
This is my understanding:
- Neither Google nor Apple can read the message or its metadata, provided the app sends a content-free notification (a “wake up and fetch” signal) and retrieves the actual ciphertext over its own connection. If an app puts message text or the sender’s name in the notification payload, the push provider can read it.
- However, Apple or Google can see the notification itself. This means that if you’re using iOS, Apple knows when you’re sent messages and how frequently. It’s the same for Google and Android.
- Apple and Google need to know to which device to send the notifications. Both use unique device tokens (hardly surprising) for this to function correctly, so those identifiers could be tracked and correlated over time.
According to the Threema FAQ, it’s possible to use Threema on Android without Google Cloud Messaging (Google’s message notification service).
Wire can also be used without Google Cloud Messaging on Android. Update: Signal can now be used without Google Cloud Messaging.
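To make the timing and frequency points above concrete, here is an added example (not from the site, Apple, Google or any app) that runs a small traffic analysis over a constructed push-relay log. The log format, the device tokens `dev-A`/`dev-B`/`dev-C` and the `{"wake":1}` payload are assumptions for illustration; a real APNs or FCM record would look different but still contains the same three things: a time, a device identifier and an opaque payload.

```python
"""
What a push-notification relay learns from content-free notifications.

Added illustration for this FAQ, not code from Apple, Google or any app.
The log lines, tokens and payload format below are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed relay log: when a device was woken, which device, and the
# opaque payload. A back-and-forth chat between A and B shows up as the two
# devices being woken within seconds of each other, again and again.
PUSH_LOG = """\
2017-03-01T09:00:01Z token=dev-A payload={"wake":1}
2017-03-01T09:00:04Z token=dev-B payload={"wake":1}
2017-03-01T09:00:20Z token=dev-A payload={"wake":1}
2017-03-01T09:00:23Z token=dev-B payload={"wake":1}
2017-03-01T09:01:10Z token=dev-A payload={"wake":1}
2017-03-01T09:01:12Z token=dev-B payload={"wake":1}
2017-03-01T11:30:00Z token=dev-C payload={"wake":1}
2017-03-01T15:45:00Z token=dev-C payload={"wake":1}
"""

LINE = re.compile(r"^(\S+) token=(\S+) payload=(.*)$")


def parse(log):
    """Return [(timestamp, token, payload)] in time order; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def message_counts(events):
    """Frequency: how many times each device was woken, i.e. was sent a message."""
    return Counter(token for _, token, _ in events)


def likely_conversations(events, window=timedelta(seconds=10), min_hits=2):
    """Pairs of devices repeatedly woken within `window` of each other.
    The relay never sees who messaged whom, but this pattern is what a live
    chat looks like: when A sends, B is woken; when B replies, A is woken."""
    hits = Counter()
    for (t1, tok1, _), (t2, tok2, _) in zip(events, events[1:]):
        if tok1 != tok2 and t2 - t1 <= window:
            hits[tuple(sorted((tok1, tok2)))] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    evs = parse(PUSH_LOG)
    print("messages per device:", dict(message_counts(evs)))
    print("likely conversations:", likely_conversations(evs))
```

None of this requires reading a single message. It is exactly the kind of inference that routing notifications through a provider in another jurisdiction makes possible, and it is why the GCM-free options mentioned above matter to people whose threat model includes metadata.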
- The most important gap is that this site is not meant to be comprehensive. I have not reviewed the security of each app; rather, I have compared security/privacy functionality.
- Many apps require that an account be created in order to use them. I have not assessed the security of accounts themselves. For example, two-factor authentication, password resets, key recovery, etc.
- Many apps offer a web interface through which you can send and receive messages. I have not assessed the security of web interfaces.
- I have not assessed the design of each app.
- I have not set out to find vulnerabilities in each app.
- I’m not a programmer. I have not assessed the quality of the code for any of the apps.
Do you make any money from this site?
I ask that people who have found this site useful contribute to its continued success. The domain name and hosting cost me a small amount of money per month. However, it does take quite a bit of my free time to research, keep up to date, and maintain the website.
How have you assessed each app?
For each app, I have done the following:
- Installed each app (and asked one friend of mine to install them all too) and tested the functionality that can be verified (two-factor authentication, verifying keys, etc.).
- Read the publicly available information provided by each of the companies.
- Read information written by reputable sources about each app (e.g., Matthew Green from Johns Hopkins University).
- In some cases (Threema & Wire), someone from the company has reached out to me to confirm or correct certain ratings.
Yes, it’s possible that the information on the apps’ sites could be [purposely] incorrect. Yes, it’s possible that I’ve been given incorrect information. That is why open source software, independent audits, funding, etc. are so important to consider, too.
Why don’t you assess Tox?
Tox doesn’t support push notifications on iOS. I don’t believe it will become a mainstream messaging app until it does.
Why don’t you assess app xyz?
I’ve decided to try to keep the table reasonably small. And I’m only aiming to assess the most popular messaging apps. That said, I will assess new apps if I think they offer a secure alternative to the apps that I’ve already assessed.
Signal, Wire, etc. do allow anonymous user registration. What gives?
No, they don’t. If you need to give away personal data (a phone number, an email address, etc.) to register, then it’s not anonymous. It’s not necessary to require personal data to register users; Threema, for example, registers you with a randomly generated ID and asks for nothing else.
App xyz has vulnerabilities. Surely it’s not secure?
All software has bugs, some of which are vulnerabilities. I originally attempted to rate apps based on previous/known vulnerabilities; however, I felt it raised more questions than answers. Is an app less secure because it’s had vulnerabilities? Does a vulnerability necessarily mean the app is insecure? The answer is “it depends”, and that answer cannot be written in table form.
You finally assessed Riot!
Yes, after 20+ requests, I finally got around to it. Please note I’ve assessed the default installation, not the option of running your own server.