| Date | Change | Reason |
|---|---|---|
| 10/16 | First release of the site | |
| 10/16 | "Does the company provide a transparency report" for Signal changed from "No" to "Yes" | Open Whisper Systems have effectively published a transparency report |
| 10/16 | "Does the app have self-destructing messages" for Signal changed from "No" to "Yes" | Signal now supports self-destructing messages |
| 10/16 | Added initial assessment of Facebook Messenger | Facebook Messenger now supports encrypted messages |
| 10/16 | "Does the app have self-destructing messages" for Wire changed from "No" to "Yes" | Wire now supports self-destructing messages |
| 10/16 | Moved site to Cloudflare CDN, enabled caching | Site loaded too slowly outside of Australia/NZ |
| 11/16 | Site now has a maximum width of 1920 pixels | Main table width was restricted on widescreen monitors |
| 11/16 | Added that the messaging part of Signal is fully open source (client and server); however, the phone call part is not (client only) | Clarification |
| 11/16 | Changed "Can the messages be read by the company?" for Skype from "Very likely" to "Yes" | There's enough evidence to suggest that Microsoft can read Skype messages |
| 11/16 | Added "Does the app use certificate pinning" for Wire to "Yes" | Thanks to the Wire team for clarification |
| 11/16 | Changed "Do you get notified if a contact's fingerprint changes?" for Wire from "No" to "Sometimes" | Wire does notify users if they've previously verified the fingerprint; thanks to the Wire team for clarification |
| 11/16 | Added "Are messages encrypted when backed up to the cloud?" for Wire | Thanks to the Wire team for clarification |
| 11/16 | Changed "Does the app use TLS to encrypt network traffic?" for Telegram from "Yes" to "No" | Telegram uses its own protocol |
| 12/16 | Happy New Year! The first column is now fixed | It's easier to browse through the table when the first column (app name) is fixed |
| 12/16 | Added Viber assessment | It's long overdue |
| 12/16 | Added "Does the company log timestamps/IP addresses?" for Google Allo | It's pretty clear from Google's privacy policy that they collect this information |
| 12/16 | Added "Does the app allow a secondary factor of authentication?" for Google Allo | The app doesn't provide 2-factor authentication |
| 01/17 | Instead of the first column being fixed, the header is now fixed | It's easier to browse through the table when the first header (app name) is fixed |
| 01/17 | Added "Does the company log timestamps/IP addresses?" for Skype | It's pretty clear from Microsoft's privacy policy that they collect this information |
| 01/17 | Moved the Messenger column so that the apps are rated in alphabetical order | Readability |
| 01/17 | Added on the About page that Wire can also be used without Google Cloud Messaging | Thanks to the Wire team for clarification |
| 01/17 | Clarified in "Ratings" that although Apple encrypt iCloud backups, they have access to the encryption key and can hence read iMessages that have been backed up to iCloud | Clarification |
| 01/17 | Changed "Does the company provide a transparency report?" for Threema from "No" to "Yes" | Threema does provide a transparency report; thanks to the Threema team for clarification |
| 01/17 | Added two more investors under "Funding" for Wire | Both Janus Friis & Zeta Holdings Luxembourg, along with Iconical, fund Wire |
| 01/17 | Changed "Infrastructure jurisdiction" from "Switzerland" to "EU" for Wire | Wire is hosted in the EU (appears to be in Ireland) |
| 01/17 | Changed the rating "Does the app use TLS to encrypt network traffic?" to "Does the app use TLS/Noise to encrypt network traffic?" | Whatsapp uses Noise for transport layer authentication and encryption; Signal probably uses it, too (couldn't find any information to confirm this) |
| 01/17 | Added a FAQ to the "About" page | I've received a few emails asking similar questions |
| 02/17 | Changed "Has there been a recent code audit and security analysis?" for Wire from "No" to "Yes" | Wire has now been independently audited; thank you to the Wire team and others for letting me know |
| 02/17 | Under cryptographic primitives, I've changed any app that uses SHA-1 to red | SHA-1 has been broken by Google; they have published two files with the same SHA-1 hash |
| 02/17 | Changed "Are the app and server completely open source?" for Signal from "Yes (messaging is but phone calls is not)" to "Yes" | Open Whisper Systems have released the source code for phone calls and video calling |
| 03/17 | Changed "Does the app allow a secondary factor of authentication?" for Wire from "No" to "Yes" | Wire now supports Touch ID on iOS |
| 03/17 | Added "Does the app encrypt data on the device?" for Wire | It's clear from Wire's security whitepaper that they encrypt data on iOS and Android |
| 08/17 | Changed "Company jurisdiction" for Telegram from "Germany" to "US / UK / Belize" | Telegram isn't a registered company in Germany; it is registered in the US, the UK, and Belize through a complex structure of shell companies |
| 08/17 | Changed "Infrastructure jurisdiction" for Wire from "EU (appears to be in Ireland)" to "Germany / Ireland" | Wire's servers are hosted on AWS in Germany and Ireland |
| 08/17 | Changed "Are the app and server completely open source?" for Wire from "No (clients only)" to "No (clients, protocol, and API only; server partially open source)" | Wire have begun to open source their server code |
| 08/17 | Changed "Does the app allow a secondary factor of authentication?" for Whatsapp from "No" to "Yes" | Whatsapp have rolled out two-factor authentication |
| 08/17 | Changed "Are messages encrypted when backed up to the cloud?" from "No" to "iOS: Yes; Android: No" | Whatsapp iCloud backups are now encrypted; Android backups on Google's cloud remain unencrypted |
| 11/17 | Changed "Are the app and server completely open source?" for Wire from "No (clients, protocol, and API only; server partially open source)" to "Yes" | Wire have made their server code open source; thanks to the Wire team for reaching out |
| 11/17 | Changed "Company's general stance on customers' privacy" for Telegram from "Good" to "Poor" | Telegram isn't designed to protect users' data by default, does not use strong security/encryption |
| 02/18 | Added assessment of Riot | The assessment was requested 20+ times |
| 02/18 | Added "Signal Foundation (Brian Acton)" Funding for Signal | Signal have created the "Signal Foundation"; Brian Acton has given $50 million USD to the foundation and sits on its board |
| 05/18 | Changed "Have there been a recent code audit and independent security analysis?" for Wire to "March, 2018" | Wire has had another round of independent audits; thanks to the Wire team for reaching out |
| 05/18 | Changed "Are the app and server completely open source?" for Riot from "No (clients and API only;)" to "Yes" | Riot uses Matrix's home server by default |
| 05/18 | Changed "Cryptographic primitives" for Telegram from "RSA 2048 / AES 256 / SHA-1" to "RSA 2048 / AES 256 / SHA-256" | Telegram's new protocol uses SHA-256 |
| 01/21 | Added Big Tech's names to the main row | Emphasise which companies own which apps |
| 01/21 | Changed "Have there been a recent code audit and an independent security analysis?" for Threema from "Yes, (November, 2015)" to "Yes, (October, 2020)" | Threema had an independent analysis conducted in October, 2020 |
| 01/21 | Changed "Infrastructure jurisdiction" for Wire from "Germany / Ireland" to "EU" | Wire's website states that its servers are in the EU |
| 01/21 | Replaced Google Allo with Google Messages | Google retired Allo in March, 2019 |
| 01/21 | Introduced "Reproducible builds" as part of the assessment | Reproducible builds prove apps in app stores were compiled with published source code |
| 01/21 | Changed "Are the app and server completely open source?" for Threema from "No" to "No apps only" | Threema released its source code for iOS and Android apps |
| 01/21 | Changed "Funding" for Threema from "User pays" to "User pays, Afinum Management AG" | Threema introduced a new business partner |
| 01/21 | Changed "Company jurisdiction" for Telegram from "USA / UK / Belize" to "USA / UK / Belize / UAE" | Telegram developers work out of Dubai, although their complex set of shell companies is beyond my legal understanding |
| 01/21 | Changed "App collects customers' data?" to align with permissions granted from the Apple Store | Now aligned to recent articles about Whatsapp's foreseeable privacy policy change |
| 01/21 | Renamed "Riot" to "Element" | |
| 01/21 | Changed "Are messages encrypted when backed up to the cloud?" from empty to "Yes" | Element encrypts the data with a user-supplied key |
| 01/21 | Changed "Is encryption turned on by default?" for Element from "No" to "Yes" | Element enabled default end-to-end encryption last year |
| 01/21 | Changed "Does the app encrypt data on the device? (iOS and Android only)" for Element from empty to "Yes" | Thank you to Element for reaching out |
| 01/21 | Changed "Is personal information (mobile number, contact list, etc.) hashed?" for Element from empty to "No" | App permissions hint that Element does not hash this data |
| 01/21 | Changed "Does the app have self-destructing messages?" for Viber from "No" to "Yes" | Viber introduced self-destructing messages last year |
| 01/21 | Introduced "User data and/or metadata sent to parent company and/or third parties?" as part of the assessment | Whatsapp will change its privacy policy to send data to its parent company (Facebook) |
| 01/21 | Added "Merlin International / Lytical Ventures" to funding for Wickr | Thank you to Wickr for reaching out |
| 01/21 | Changed "User data and/or metadata sent to parent company and/or third parties?" for Wickr from empty to "No (optional mobile number sent to third party for registration)" | Thank you to Wickr for reaching out |
| 01/21 | Changed "Do you get notified if a contact's fingerprint changes?" for Wickr from "No" to "Yes" | Thank you to Wickr for reaching out |
| 01/21 | Changed "Are messages encrypted when backed up to the cloud?" for Wickr from empty to "N/A, Wickr is excluded from iCloud/iTunes & Android backups" | Thank you to Wickr for reaching out |
| 01/21 | Changed "Does the app have self-destructing messages?" for Whatsapp from "No" to "Yes" | Whatsapp now has self-destructing messages |
| 01/21 | Added an "Overview" and "Details" section | Attempted to make it more obvious that the first row is a recommendation |
| 01/21 | Added Session assessment | After many requests, I decided to assess Session |
| 01/21 | Changed "Does the app allow a secondary factor of authentication?" for Signal from "No" to "Yes" | Signal offers second factor authentication through the device's fingerprint authentication |
| 01/21 | Changed "Is personal information (mobile number, contact list, etc.) hashed?" for Element / Riot from "No" to "Yes" | Element / Riot hashes contact details |
| 01/21 | Changed "Have there been a recent code audit and an independent security analysis?" for Element / Riot from "No" to "No (Matrix's encryption library reviewed by an independent party)" | Element / Riot have had Matrix's encryption library reviewed; however, their apps and infrastructure have not been assessed |
| 01/21 | Added "Main reasons why the app isn't recommended?" | |
| 01/21 | Changed "Is encryption turned on by default?" for Skype from "Yes" to "No" | Skype encryption isn't enabled by default. |
| 01/21 | Changed "Does the app use certificate pinning?" for Wickr Me from "No" to "Yes" | Wickr Me does SSL pinning |
| 01/21 | Changed "Company jurisdiction" for Wire from "Switzerland" to "USA / Switzerland" | Wire has its holding company, Wire Holdings Inc, located in the US |
| 01/21 | Changed "Funding" for Wire from "Janus Friis / Iconical / Zeta Holdings Luxembourg" to "Janus Friis / Iconical / Zeta Holdings Luxembourg / Morpheus Ventures" | Wire raised $8.2 million USD from Morpheus Ventures |
| 04/21 | Completed the Session assessment | Thank you to the Session team for answering my questions |
| 06/21 | Changed "Funding" for Wickr Me to "Amazon" | Amazon acquired Wickr |
| 06/21 | Added "Former NSA chief Keith Alexander is on Amazon’s board of directors" to "Main reasons why the app isn't recommended" for Wickr Me | Amazon acquired Wickr; Amazon is deeply connected to the US government and hence cannot be trusted |
| 06/21 | Changed "Company's general stance on customers' privacy" for Wickr Me from "Good" to "Poor" | Amazon acquired Wickr, and Amazon does not have a great record at securing people's data (e.g., Ring and Alexa) |
| 06/21 | Changed "Company collects customers' data?" for Wickr Me from "No" to "Yes" | Amazon acquired Wickr, and Amazon collects users' data |
| 10/21 | Changed "Have there been a recent code audit and an independent security analysis?" for Session from "No" to "Yes (April 2021)" | Session was independently assessed |
| 10/21 | Changed "Does the app enforce perfect forward secrecy?" for Session from "Yes" to "No" | Session implements the Signal protocol with a few exceptions, including PFS |
| 10/21 | Changed "Infrastructure jurisdiction" for Session from "Attachments: Centralised server in the US" to "Attachments: Centralised server in Canada" | Session's attachment server is in Canada |
| 10/21 | Changed "Improvements to apps that are recommended" for Session to "Implement perfect forward secrecy at the end-to-end encryption layer / Provide more comprehensive independent assessments of security/privacy" | Session was independently assessed; attachments are end-to-end encrypted |
| 10/21 | Changed "Are messages encrypted when backed up to the cloud?" for Session from "No" to "N/A, Session is excluded from iCloud/iTunes & Android backups" | Session is excluded from iOS and Android backups |
| 10/21 | Changed "Funding" for Wickr Me from "Amazon" to "Amazon / CIA" | Wickr Me accepted $1.6 million USD from the CIA before being bought by Amazon |
| 10/21 | Added "Funded by the CIA" for Wickr Me to "Main reasons why the app isn't recommended" | You can't make up this nonsense; do not use Wickr Me |
| 10/21 | Changed "Are messages encrypted when backed up to the cloud?" for WhatsApp to "iOS: Yes / Android: Yes" | WhatsApp backups are now end-to-end encrypted |
| 10/21 | Changed "Can messages be read by the company?" for WhatsApp from "No" to "Yes" | "Abusive" messages can be forwarded to a moderator for review |
| 10/21 | Added "Messages can be read by Facebook if marked as "abusive"" for WhatsApp to "Main reasons why the app isn't recommended" | "Abusive" messages can be forwarded to a moderator for review |
| 02/23 | Changed "Does the app enforce perfect forward secrecy?" for Threema from "No" to "Yes" | Threema have implemented PFS in their new ibex protocol: https://threema.ch/en/blog/posts/ibex |
| 03/24 | Clarified app authentication rating | It wasn't clear that I meant local authentication on the app itself, not the user's account |
| 03/24 | Added initial assessment of Simplex | |
| 03/24 | Added initial assessment of Twitter DMs | |
| 03/24 | General update to Skype | Skype uses Signal's protocol for private messages |
| 03/24 | Updated iMessage and Signal's cryptographic primitives | iMessage and Signal now use "post quantum" key exchange protocols |
| 03/24 | Many general updates | iMessage contact verification; Signal assessments |
| 09/24 | Changed "Does the company provide a transparency report?" for Simplex from "No" to "Yes." | Simplex now has a transparency report |
| 09/24 | Changed "Does the company log timestamps/IP addresses?" for Simplex from "Yes" to "No" | Simplex implemented private IP routing |
| 09/24 | Changed "Is the app recommended to secure my messages and attachments?" for Simplex from "Needs further consideration and feedback" to "Yes" | Simplex now meets the criteria for "Yes" |
| 09/24 | Changed "Main reasons why the app isn't recommended" from "Provide a transparency report" to "Provide more comprehensive independent assessments of security/privacy" | Simplex now meets the criteria for "Yes" |
| 09/24 | Added quantum resistant cryptographic primitive for Simplex | Simplex uses sntrup761 for both key exchange and the double ratchet |
| 11/24 | Changed "Company jurisdiction" for Session from "Australia" to "Switzerland" | Session wisely moved their organisation to Switzerland |
| 07/25 | Removed Skype | Microsoft decommissioned Skype |
| 12/25 | Changed "Are messages encrypted when backed up to the cloud?" for Signal from "N/A, Signal is excluded from iCloud/iTunes & Android backups" to "N/A, Signal is excluded from iCloud/iTunes & Android backups; Signal offers an opt-in, end-to-end encrypted backup service" | Signal now offers an opt-in backup service |
| 12/25 | Added "Messages can be read by Facebook if marked as "abusive"" to Facebook Messenger | "Abusive" messages can be forwarded to a moderator for review |
| 04/26 | Changed "Does the app have self-destructing messages?" for Google Messages from "No" to "Yes" | Google Messages supports disappearing messages with 1 hour, 24 hour, and 7 day timers |
| 04/26 | Added official Google documentation links to the Google Messages column | Links to official Google support pages added to 11 cells to support claims |
| 04/26 | Updated "Funding" for Signal to reflect current funding sources | Signal is now primarily funded by the Signal Foundation (Brian Acton) and user donations; previous funders (Knight Foundation, OTF, etc.) were historical |
| 04/26 | Changed "Are the app and server completely open source?" for Signal from "Yes" to "Yes (anti-spam module excluded)" | Signal's server anti-spam component is proprietary/closed source |
| 04/26 | Changed "Does the app encrypt data on the device?" for Signal from "Yes (if passphrase enabled)" to "Yes" | Signal now encrypts the local database by default using SQLCipher with an auto-generated key; the separate passphrase feature was removed |
| 04/26 | Added official Signal documentation links to the Signal column and updated security audit references | Links to official Signal support pages, protocol specifications, and blog posts added to 18 cells; added PQXDH formal verification (USENIX 2024) to audit row |
| 04/26 | Updated "Infrastructure jurisdiction" for Apple iMessage from "USA (Ireland and Denmark planned); iMessage runs on AWS and Google Cloud" to "USA, Ireland, Denmark; iMessage uses AWS and Google Cloud for storage" | Apple's Ireland and Denmark data centers are now operational (were previously "planned") |
| 04/26 | Updated "Cryptographic primitives" for Apple iMessage from "P-256 ECDH & Kyber-768/1024 / AES-256 / HMAC-SHA384" to "P-256 ECDH & Kyber-1024 / AES-256 CTR / HKDF-SHA384" | Per Apple's PQ3 blog and Stebila's formal analysis, PQ3 uses Kyber-1024 (not 768), AES-256 in CTR mode, and HKDF-SHA384 |
| 04/26 | Changed "Does the app allow local authentication when opening it?" for Apple iMessage from "No" to "Yes (iOS 18+)" | iOS 18 added system-wide app locking with Face ID/Touch ID/passcode which works on the Messages app |
| 04/26 | Updated "Are messages encrypted when backed up to the cloud?" for Apple iMessage from "Yes" (red) to "Yes, but backup key is escrowed by Apple unless Advanced Data Protection is enabled" (yellow) | Clarifies that iCloud Backup is only fully end-to-end encrypted when the opt-in Advanced Data Protection feature (released December 2022) is enabled |
| 04/26 | Changed "Have there been a recent code audit and an independent security analysis?" for Apple iMessage from "No" to "Somewhat" with references to Stebila (2024) and Linker/Basin/Sasse USENIX Security 2025 formal analyses of PQ3 | Multiple independent formal verifications of Apple's PQ3 protocol have been published since the last update, though broader independent analysis of the full iMessage stack remains limited |
| 04/26 | Added official Apple documentation links to the Apple iMessage column | Links to official Apple support pages, security blog, and legal process guidelines added to 11 cells to support claims |
| 04/26 | Updated Apple iMessage "reasons not recommended" list entry from "No independent, recent code audit and security analysis" to "More comprehensive code audit and security analysis" | Reflects that independent formal analyses of PQ3 now exist (Stebila 2024, USENIX 2025), while more comprehensive analysis of the full iMessage stack remains desirable |
| 04/26 | Updated "Infrastructure jurisdiction" for Facebook Messenger from "USA, Sweden (Ireland planned)" to "USA, Sweden, Ireland, Denmark, Singapore" | Meta's Ireland (Clonee, County Meath), Denmark, and Singapore data centers are now operational |
| 04/26 | Added notification-on-fingerprint-change cell for Facebook Messenger with value "Yes" and link to Code Verify | Messenger's Code Verify feature notifies users when contact identity keys change in end-to-end encrypted chats |
| 04/26 | Changed "Have there been a recent code audit and an independent security analysis?" for Facebook Messenger from "No" to "Somewhat" with reference to the Labyrinth formal verification by Watanabe and Yoneyama (2025) | Independent formal verification of Meta's Labyrinth encrypted message storage protocol has been published in IEICE Transactions, though broader independent analysis of the full Messenger E2EE stack remains limited |
| 04/26 | Added official Meta documentation links to the Facebook Messenger column | Links to Meta Transparency Center, Labyrinth protocol whitepaper, Engineering at Meta posts, and Messenger Help Center pages added to 6 cells to support claims |
| 04/26 | Updated Facebook Messenger "reasons not recommended" list entry from "No independent & recent code audit and security analysis" to "More comprehensive code audit and security analysis" | Reflects that some independent analysis now exists (Labyrinth formal verification) while more comprehensive analysis of the full E2EE stack remains desirable |
| 04/26 | Updated "Funding" for Threema from "User pays / Afinum Management AG" to "User pays / Comitis Capital GmbH (formerly Afinum, 2020–2026)" | Threema was acquired by Comitis Capital GmbH in January 2026, replacing Afinum Management AG as the majority owner |
| 04/26 | Updated "Cryptographic primitives" for Threema to note that the Ibex protocol adds a perfect forward secrecy layer on top of Curve25519/XSalsa20/Poly1305-AES | The Ibex forward secrecy protocol was rolled out in Threema 5.0 (Android, November 2022) and is now the default for new chats |
| 04/26 | Added Ibex blog link to "Does the app enforce perfect forward secrecy?" for Threema | Provides a direct reference to Threema's official explanation of the Ibex protocol that delivers PFS and post-compromise security |
| 04/26 | Updated "Have there been a recent code audit and an independent security analysis?" for Threema from "Yes (October, 2020)" to references for ETH Zürich (USENIX Security 2023), the Ibex formal proof (2023), and the Cure53 Threema Desktop 2.0 audit (January 2024) | Multiple newer independent analyses of Threema have been published since 2020, including Paterson/Scarlata/Truong's "Three Lessons from Threema" at USENIX Security 2023, Gerhart/Rösler/Schröder's formal security proof of the Ibex protocol (2023), and Cure53's audit of Threema Desktop 2.0 (January 2024) |
| 04/26 | Fixed a typographical error in the Threema "Does the app encrypt data on the device?" cell ("set in the app)s" → "set in the app)") | Removes a stray trailing character |
| 04/26 | Added official Threema documentation links to the Threema column | Links to Threema's server-location FAQ, ownership FAQ, cryptography whitepaper, Ibex blog post, open-source page, Threema ID FAQ, and Threema Safe FAQ added to supporting cells |
| 04/26 | Renamed Twitter column to "X" and updated header link from twitter.com to x.com | Twitter rebranded to X in July 2023 |
| 04/26 | Updated "Funding" for X from "Twitter" to "X Corp. (subsidiary of xAI Holdings Corp., Elon Musk)" | X Corp. merged into xAI in an all-stock deal on 28 March 2025, creating xAI Holdings Corp. (source: Sullivan & Cromwell transaction highlight) |
| 04/26 | Updated "Infrastructure jurisdiction" for X from "USA, worldwide (unsure of other locations)" to "USA (Portland, OR and Atlanta, GA on-prem; GCP and AWS US regions)" | X vacated its Sacramento data centre in 2022/2023; remaining on-prem infrastructure is in Portland, OR and Atlanta, GA; other traffic runs on GCP and AWS US regions |
| 04/26 | Updated "Main reasons why the app isn't recommended" for X | Changed to: "Encryption keys stored by X. Data not protected, not all data protected. No independent & recent code audit and security analysis. Closed source." |
| 04/26 | Filled in "Cryptographic primitives" for X: libsodium (X25519 / XSalsa20-Poly1305); Juicebox (threshold OPRF + secret-sharing) for key storage; no PFS | XChat's cryptographic stack documented in Matthew Green's June 2025 analysis |
| 04/26 | Filled in 5 previously-empty cells for X: "Do you get notified if a contact's fingerprint changes?" (No); "Does the app generate & keep a private key on the device itself?" (No, escrowed via Juicebox); "Can messages be read by the company?" (Yes); "Does the app enforce perfect forward secrecy?" (No); "Does the app encrypt metadata?" (No) | XChat now provides sufficient published detail to assess these rows; sources: Matthew Green's June 2025 analysis and X's help page for Chat, which explicitly states no MITM protection and that message metadata is not encrypted |
| 04/26 | Added official X documentation links to the X column | Links to transparency.x.com, help.x.com/en/using-x/about-chat, and x.com/en/privacy added to "Does the company provide a transparency report?", "Can you manually verify contacts' fingerprints?", "App collects customers' data?", "Does the company log timestamps/IP addresses?", and "Does the app have self-destructing messages?" cells |
| 04/26 | Added official link to "Does the company provide a transparency report?" for SimpleX | Links to simplex.chat/transparency/ |
| 04/26 | Updated "Funding" for SimpleX to include Jack Dorsey & Asymmetric Capital Partners ($1.3M pre-seed, 2024) | In August 2024 SimpleX raised $1.3M from Jack Dorsey and Asymmetric Capital Partners; Village Global pre-seed link also added |
| 04/26 | Added official link to "Cryptographic primitives" for SimpleX | Links to the SimpleX blog post on adding quantum resistance (sntrup761) to the Signal double ratchet algorithm |
| 04/26 | Added official GitHub link to "Are the app and server completely open source?" for SimpleX | Links to github.com/simplex-chat/simplex-chat |
| 04/26 | Added official protocol spec link to "Does the app enforce perfect forward secrecy?" for SimpleX | Links to the pqdr.md post-quantum double ratchet protocol specification in the simplexmq repository |
| 04/26 | Added official link to "Does the app encrypt metadata?" for SimpleX | Links to the SimpleX v5.8 blog post on private message routing, which explains how metadata is encrypted via a 2-hop routing protocol |
| 04/26 | Added official link to "Does the company log timestamps/IP addresses?" for SimpleX | Links to the SimpleX v5.8 blog post on private message routing, which explains how IP address protection was implemented |
| 04/26 | Updated "Have there been a recent code audit and an independent security analysis?" for SimpleX from "Yes (November, 2022)" to include the Trail of Bits cryptographic design review (October 2024) with links to both audit announcements | Trail of Bits completed a cryptographic protocol design review of SimpleX in July 2024, published in October 2024; links added to both the 2022 implementation audit and 2024 design review blog posts on simplex.chat |
| 04/26 | Updated "Funding" for Session from "LAG Foundation Ltd" to "Session Technology Foundation" | The Session Technology Foundation (a Swiss non-profit based in Zug) officially assumed stewardship of Session on 11 October 2024, superseding the previous OPTF / LAG Foundation structure |
| 04/26 | Added official Session Technology Foundation transparency report link to "Does the company provide a transparency report?" for Session | The Session Technology Foundation publishes transparency reports at session.foundation/transparency-reports |
| 04/26 | Added official Session Protocol documentation link to "Cryptographic primitives" for Session | Links to getsession.org/blog/session-protocol-technical-information confirm the current V1 protocol uses X25519 / XSalsa20-256 / Poly1305 |
| 04/26 | Added GitHub link to "Are the app and server completely open source?" for Session | Active development has moved from oxen-io to the session-foundation GitHub organisation (github.com/session-foundation); all core apps are GPL-3.0 open source |
| 04/26 | Added official audit links to "Have there been a recent code audit and an independent security analysis?" for Session | Links added to Session's blog post (getsession.org/blog/session-code-audit) and Quarkslab's full report (blog.quarkslab.com) for the April 2021 Quarkslab security assessment |
| 04/26 | Fixed "Infrastructure jurisdiction" for Wire from Session's data (de-centralised servers / Canada) to Wire's actual infrastructure | Wire uses centralised EU servers in Germany and Ireland hosted on AWS; the previous cell contained Session's data by mistake |
| 04/26 | Added transparency report link to "Does the company provide a transparency report?" for Wire | Links to wire.com/en/transparency-report |
| 04/26 | Added Phase 1 audit PDF link to "Cryptographic primitives" for Wire | Links to the Kudelski Security & X41 D-Sec Proteus/Cryptobox protocol audit (February 2017) which documents the Curve25519 / ChaCha20 / HMAC-SHA256 cryptographic stack |
| 04/26 | Added GitHub link to "Are the app and server completely open source?" for Wire | Links to github.com/wireapp |
| 04/26 | Updated "Have there been a recent code audit and an independent security analysis?" for Wire from "Yes (March, 2018)" to include both Phase 1 (Kudelski Security & X41 D-Sec, February 2017) and Phase 2 (X41 D-Sec, March 2018) audits with links | Phase 1 covered the Proteus/Cryptobox protocol; Phase 2 covered application-level security (iOS/Android/Web); both audits now linked directly |
| 04/26 | Updated "Company jurisdiction" for Telegram from "USA / UK / Belize / UAE" to "BVI / UAE" and linked to the privacy policy | Per telegram.org/privacy#8-2-telegrams-group-companies, the only group companies listed are Telegram Group Inc (BVI, parent), Telegraph Inc (BVI), and Telegram FZ-LLC (Dubai/UAE); the USA, UK, and Belize do not appear in §8.2 |
| 04/26 | Updated "Infrastructure jurisdiction" for Telegram from "UK, Singapore, USA, and Finland" to "USA (Miami), Netherlands (Amsterdam), Singapore" with link to the documented DC map | Per the PyroTGFork FAQ, Telegram's data centers are DC1/DC3 in Miami (USA), DC2/DC4 in Amsterdam (Netherlands), and DC5 in Singapore; UK and Finland are not part of the current DC map |
| 04/26 | Changed "Does the company provide a transparency report?" for Telegram from "No" to "Minimal" with link to the @transparency channel | Telegram publishes limited disclosure statistics via the official t.me/transparency channel |
| 04/26 | Added FAQ link to "Funding" for Telegram | Links to telegram.org/faq#q-who-pays-for-all-this which confirms Pavel Durov as the funder |
| 04/26 | Added privacy policy link to "App collects customers' data?" for Telegram | Links to telegram.org/privacy |
| 04/26 | Added privacy policy link to "User data and/or metadata sent to parent company and/or third parties?" for Telegram | Links to telegram.org/privacy |
| 04/26 | Added Secret Chats FAQ link to "Is encryption turned on by default?" for Telegram | Links to telegram.org/faq#q-how-are-secret-chats-different which documents that end-to-end encryption is only on in opt-in Secret Chats |
| 04/26 | Added MTProto spec link to "Cryptographic primitives" for Telegram | Links to core.telegram.org/mtproto which documents the RSA 2048 / AES-256 / SHA-256 stack |
| 04/26 | Added source link to "Are the app and server completely open source?" for Telegram | Links to telegram.org/apps which enumerates the official clients and their source repositories |
| 04/26 | Added reproducible-builds documentation link to "Are reproducible builds used to verify apps against source code?" for Telegram | Links to core.telegram.org/reproducible-builds |
| 04/26 | Fixed "Can you manually verify contacts' fingerprints?" for Telegram from "No (session only, does not provide users' fingerprint information)" to "Yes (Secret Chats only)" with link | The previous cell was copy-pasted from Session; Telegram Secret Chats expose a key visualization documented at core.telegram.org/api/end-to-end#key-visualization |
| 04/26 | Fixed "Do you get notified if a contact's fingerprint changes?" for Telegram from "No (session only, does not provide users' fingerprint information)" to "Yes (Secret Chats only)" with link | The previous cell was copy-pasted from Session; Telegram Secret Chats re-key every 100 messages or one week and surface a new visualization, documented at core.telegram.org/api/end-to-end/pfs |
| 04/26 | Fixed "Is personal information (mobile number, contact list, etc.) hashed?" for Telegram from "No (session only, does not provide users' fingerprint information)" to "No" | The previous text was erroneously copy-pasted from Session; Telegram uploads contacts in plaintext for directory matching |
| 04/26 | Added end-to-end documentation link to "Does the app generate & keep a private key on the device itself?" for Telegram | Links to core.telegram.org/api/end-to-end which documents key generation in Secret Chats |
| 04/26 | Added FAQ link to "Can messages be read by the company?" for Telegram | Links to telegram.org/faq#q-how-secure-is-telegram which explains the split between cloud chats and Secret Chats |
| 04/26 | Added PFS documentation link to "Does the app enforce perfect forward secrecy?" for Telegram | Links to core.telegram.org/api/end-to-end/pfs which documents the 100-message / one-week rekey in Secret Chats |
| 04/26 | Added MTProto link to "Does the app use TLS/Noise to encrypt network traffic?" for Telegram | Links to core.telegram.org/mtproto documenting the bespoke MTProto transport used in place of TLS/Noise |
| 04/26 | Added privacy policy link to "Does the company log timestamps/IP addresses?" for Telegram | Links to telegram.org/privacy |
| 04/26 | Expanded "Have there been a recent code audit and an independent security analysis?" for Telegram to link four independent assessments of MTProto 2.0 | Added Jakobsen & Orlandi (eprint.iacr.org/2015/1177, 2015); Miculan & Vitacolonna formal analysis (arxiv.org/abs/2012.03141, 2020); Albrecht et al., "Four Attacks and a Proof for Telegram" (Journal of Cryptology, 2025); and Matthew Green's 2024 analysis |
| 04/26 | Added FAQ link to "Does the app have self-destructing messages?" for Telegram | Links to telegram.org/faq#q-how-do-self-destruct-timers-work |
| 04/26 | Changed "Does the company provide a transparency report?" for WhatsApp from "No" to "Yes" | WhatsApp is covered by Meta's government data-request transparency report, the same source used for Facebook Messenger |
| 04/26 | Changed "Does the app allow local authentication when opening it?" for WhatsApp from "No" to "Yes" | WhatsApp has supported Touch ID / Face ID and fingerprint app-lock on iOS and Android since 2019 |
| 04/26 | Fixed "Is personal information (mobile number, contact list, etc.) hashed?" for WhatsApp from "No (setting turned off by default)" to "No" | WhatsApp does not expose a setting to enable contact-number hashing; the qualifier was a copy-paste artefact from the security-notification row |
| 04/26 | Added official WhatsApp documentation links to the WhatsApp column | Links added to: transparency report, app data collection (privacy policy ×2), end-to-end encryption FAQ, cryptographic primitives whitepaper, private-key whitepaper, security-code verification FAQ, security-notification FAQ, encrypted backup FAQ, timestamps/IP privacy policy, PFS whitepaper, and disappearing-messages FAQ (12 cells total) |
| 04/26 | Removed Amazon Wickr Me | Wickr Me is no longer available to individual users; Amazon refocused Wickr as an enterprise-only product |
| 04/26 | Renamed "Element (Matrix)" column to "Element X (Matrix)" | Element has moved to Element X, a full rewrite using the Matrix Rust SDK and vodozemac; Element X (v26.04.x) is now the primary stable client on Android and iOS |
| 04/26 | Updated "Funding" for Element X from "New Vector Limited" to "Element Creations Limited" with link to element.io/en/about | New Vector Limited rebranded to Element Creations Limited; the old name is no longer the registered company name |
| 04/26 | Updated "Are the app and server completely open source?" for Element X: removed outdated brand name "Riot", updated to "clients Element X, server/API matrix.org/Synapse", added link to github.com/element-hq | Element (formerly Riot) was rebranded in July 2020; Element X is the current client; Synapse is the canonical Matrix server reference implementation |
| 04/26 | Changed "Are reproducible builds used?" for Element X from No (red) to "Android only" (yellow) with link to F-Droid listing | Element X Android has been published on F-Droid with reproducible builds since June 2024 |
| 04/26 | Changed "Does the app allow local authentication?" for Element X from No (red) to Yes (green) | Element X supports PIN-based screen lock and biometric authentication on both Android and iOS; classic Element did not have this feature |
| 04/26 | Changed "Have there been a recent code audit and an independent security analysis?" for Element X from No (red) to Yes (green) with three audit links | Three independent audits now exist: NCC Group (November 2016, classic Olm library); Least Authority (May 2022, vodozemac — the Rust Olm/MegOlm implementation used by Element X via Matrix Rust SDK); BSI/MGM Security Partners (August 2024, Synapse and Element Web/Desktop — covers the Matrix server and classic client) |
| 04/26 | Updated "Main reasons why the app isn't recommended" for Element X: replaced "No independent, recent code audit and security analysis" with "No transparency report" and "Metadata not encrypted" | The code audit row is now Yes; the remaining reasons Element X is not recommended are absence of a transparency report and unencrypted room metadata |
| 04/26 | Fixed capitalisation of "Can you add a contact without needing to trust a directory server?" for Element X from "no" to "No" | Capitalisation inconsistency; all other cells use title-case No |
| 04/26 | Added official documentation links to the Element X column | Links added to: company jurisdiction (element.io/en/about), infrastructure jurisdiction (matrix.org/ecosystem/servers/), privacy stance (element.io/en/legal/privacy), company data collection (element.io/en/legal/privacy), app data collection (element.io/en/legal/privacy), encryption by default (element.io/en/features/end-to-end-encryption), cryptographic primitives (spec.matrix.org/v1.17/olm-megolm/), open source (github.com/element-hq), anonymous signup (matrix.org/docs/matrix-concepts/end-to-end-encryption/), personal info hashing (spec.matrix.org/unstable/identity-service-api/), private key on device (spec.matrix.org/v1.17/olm-megolm/), messages readable (element.io/en/features/end-to-end-encryption), perfect forward secrecy (spec.matrix.org/v1.17/olm-megolm/), TLS encryption (spec.matrix.org/), cloud backup encryption (docs.element.io recovery key), design documentation (spec.matrix.org/) — 15 cells total |
| 04/26 | Changed "Does the app encrypt metadata?" for Element X from blank to No (red) | Room metadata (names, topics, avatars, join rules, power levels) is stored as plaintext state events on the homeserver; only message content is E2E encrypted. MSC3414 proposes encrypting state events but is not yet shipped. |
| 04/26 | Updated "Main reasons why the app isn't recommended" for Element X: replaced "UK jurisdiction" with "Metadata not encrypted" | Unencrypted room metadata is a more direct security concern than jurisdiction alone |
| 04/26 | Added official links and filled blank cells in the Viber column | Links added to: company privacy stance (viber-privacy-policy), company collects data (viber-privacy-policy), app data collection (viber-privacy-policy), user data sent to third parties (viber-privacy-policy), encryption by default (viber-encryption), cryptographic primitives (viber_encryption_overview_doc.pdf), funding (Rakuten acquisition press release), design documentation (viber-encryption), disappearing messages help article — 9 cells total. Duplicate data-type entries removed from "App collects customers' data?" cell (location ×2, identifiers ×2, usage data ×2 deduplicated). Blank cells filled: metadata encryption → No (Viber servers see routing metadata), device data encryption → Yes, local authentication → Yes (App Lock feature). Cloud backup encryption → No (Viber backups to Google Drive/iCloud are not independently E2E encrypted). Certificate pinning left blank pending a verifiable official source. |