| Date | Change | Reason |
| --- | --- | --- |
| 04/10/2016 | First release of the site | |
| 06/10/2016 | "Does the company provide a transparency report" for Signal changed from "No" to "Yes" | Open Whisper Systems have effectively published a transparency report |
| 12/10/2016 | "Does the app have self-destructing messages" for Signal changed from "No" to "Yes" | Signal now supports self-destructing messages |
| 14/10/2016 | Added initial assessment of Facebook Messenger | Facebook Messenger now supports encrypted messages |
| 26/10/2016 | "Does the app have self-destructing messages" for Wire changed from "No" to "Yes" | Wire now supports self-destructing messages |
| 29/10/2016 | Moved site to Cloudflare CDN, enabled caching | Site loaded too slowly outside of Australia/NZ |
| 03/11/2016 | Site now has a maximum width of 1920 pixels | Main table width was restricted on widescreen monitors |
| 06/11/2016 | Added that the messaging part of Signal is fully open source (client and server); however, the phone call part is not (client only) | Clarification |
| 06/11/2016 | Changed "Can the messages be read by the company?" for Skype from "Very likely" to "Yes" | There's enough evidence to suggest that Microsoft can read Skype messages |
| 06/11/2016 | Added "Does the app use certificate pinning" for Wire to "Yes" | Thanks to the Wire team for clarification |
| 06/11/2016 | Changed "Do you get notified if a contact's fingerprint changes?" for Wire from "No" to "Sometimes" | Wire does notify users if they've previously verified the fingerprint; thanks to the Wire team for clarification |
| 06/11/2016 | Added "Are messages encrypted when backed up to the cloud?" for Wire | Thanks to the Wire team for clarification |
| 06/11/2016 | Changed "Does the app use TLS to encrypt network traffic?" for Telegram from "Yes" to "No" | Telegram uses its own protocol |
| 31/12/2016 | Happy New Year! The first column is now fixed | It's easier to browse through the table when the first column (app name) is fixed |
| 31/12/2016 | Added Viber assessment | It's long overdue |
| 31/12/2016 | Added "Does the company log timestamps/IP addresses?" for Google Allo | It's pretty clear from Google's privacy policy that they collect this information |
| 31/12/2016 | Added "Does the app allow a secondary factor of authentication?" for Google Allo | The app doesn't provide 2-factor authentication |
| 06/01/2017 | Instead of the first column being fixed, the header is now fixed | It's easier to browse through the table when the first header (app name) is fixed |
| 06/01/2017 | Added "Does the company log timestamps/IP addresses?" for Skype | It's pretty clear from Microsoft's privacy policy that they collect this information |
| 10/01/2017 | Moved the Messenger column so that the apps are rated in alphabetical order | Readability |
| 10/01/2017 | Added on the About page that Wire can also be used without Google Cloud Messaging | Thanks to the Wire team for clarification |
| 11/01/2017 | Clarified in "Ratings" that although Apple encrypt iCloud backups, they have access to the encryption key and can hence read iMessages that have been backed up to iCloud | Clarification |
| 11/01/2017 | Changed "Does the company provide a transparency report?" for Threema from "No" to "Yes" | Threema does provide a transparency report; thanks to the Threema team for clarification |
| 16/01/2017 | Added two more investors under "Funding" for Wire | Both Janus Friis & Zeta Holdings Luxembourg, along with Iconical, fund Wire |
| 16/01/2017 | Changed "Infrastructure jurisdiction" from "Switzerland" to "EU" for Wire | Wire is hosted in the EU (appears to be in Ireland) |
| 16/01/2017 | Changed the rating "Does the app use TLS to encrypt network traffic?" to "Does the app use TLS/Noise to encrypt network traffic?" | WhatsApp uses Noise for transport layer authentication and encryption; Signal probably uses it, too (couldn't find any information to confirm this) |
| 25/01/2017 | Added a FAQ to the "About" page | I've received a few emails asking similar questions |
| 12/02/2017 | Changed "Has there been a recent code audit and security analysis?" for Wire from "No" to "Yes" | Wire has now been independently audited; thank you to the Wire team and others for letting me know |
| 25/02/17 | Under cryptographic primitives, I've changed any app that uses SHA-1 to red | SHA-1 has been broken by Google; they have published two files with the same SHA-1 hash |
| 25/02/17 | Changed "Are the app and server completely open source?" for Signal from "Yes (messaging is but phone calls is not)" to "Yes" | Open Whisper Systems have released the source code for phone calls and video calling |
| 11/03/17 | Changed "Does the app allow a secondary factor of authentication?" for Wire from "No" to "Yes" | Wire now supports Touch ID on iOS |
| 26/03/17 | Added "Does the app encrypt data on the device?" for Wire | It's clear from Wire's security whitepaper that they encrypt data on iOS and Android |
| 29/08/17 | Changed "Company jurisdiction" for Telegram from "Germany" to "US / UK / Belize" | Telegram isn't a registered company in Germany; it is registered in the US, the UK, and Belize through a complex structure of shell companies |
| 29/08/17 | Changed "Infrastructure jurisdiction" for Wire from "EU (appears to be in Ireland)" to "Germany / Ireland" | Wire's servers are hosted on AWS in Germany and Ireland |
| 29/08/17 | Changed "Are the app and server completely open source?" for Wire from "No (clients only)" to "No (clients, protocol, and API only; server partially open source)" | Wire have begun to open source their server code |
| 29/08/17 | Changed "Does the app allow a secondary factor of authentication?" for WhatsApp from "No" to "Yes" | WhatsApp have rolled out two factor authentication |
| 29/08/17 | Changed "Are messages encrypted when backed up to the cloud?" from "No" to "iOS: Yes; Android: No" | WhatsApp iCloud backups are now encrypted; Android backups on Google's cloud remain unencrypted |
| 25/11/17 | Changed "Are the app and server completely open source?" for Wire from "No (clients, protocol, and API only; server partially open source)" to "Yes" | Wire have made their server code open source; thanks to the Wire team for reaching out |
| 25/11/17 | Changed "Company's general stance on customers' privacy" for Telegram from "Good" to "Poor" | Telegram isn't designed to protect users' data by default, does not use strong security/encryption |
| 25/02/18 | Added assessment of Riot | The assessment was requested 20+ times |
| 25/02/18 | Added "Signal Foundation (Brian Acton)" Funding for Signal | Signal have created the "Signal Foundation"; Brian Acton has given $50 million USD to the foundation and sits on its board |
| 19/05/18 | Changed "Have there been a recent code audit and independent security analysis?" for Wire to "March, 2018" | Wire has had another round of independent audits; thanks to the Wire team for reaching out |
| 19/05/18 | Changed "Are the app and server completely open source?" for Riot from "No (clients and API only;)" to "Yes" | Riot uses Matrix's home server by default |
| 20/05/18 | Changed "Cryptographic primitives" for Telegram from "RSA 2048 / AES 256 / SHA-1" to "RSA 2048 / AES 256 / SHA-256" | Telegram's new protocol uses SHA-256 |
| 10/01/21 | Added Big Tech's names to the main row | Emphasise which companies own which apps |
| 10/01/21 | Changed "Have there been a recent code audit and an independent security analysis?" for Threema from "Yes, (November, 2015)" to "Yes, (October, 2020)" | Threema had an independent analysis conducted in October, 2020 |
| 10/01/21 | Changed "Infrastructure jurisdiction" for Wire from "Germany / Ireland" to "EU" | Wire's website states that its servers are in the EU |
| 10/01/21 | Replaced Google Allo with Google Messages | Google retired Allo in March, 2019 |
| 10/01/21 | Introduced "Reproducible builds" as part of the assessment | Reproducible builds prove apps in app stores were compiled with published source code |
| 10/01/21 | Changed "Are the app and server completely open source?" for Threema from "No" to "No apps only" | Threema released its source code for iOS and Android apps |
| 10/01/21 | Changed "Funding" for Threema from "User pays" to "User pays, Afinum Management AG" | Threema introduced a new business partner |
| 10/01/21 | Changed "Company jurisdiction" for Telegram from "USA / UK / Belize" to "USA / UK / Belize / UAE" | Telegram developers work out of Dubai, although their complex set of shell companies is beyond my legal understanding |
| 11/01/21 | Changed "App collects customers' data?" to align with permissions granted from the Apple Store | Now aligned to recent articles about WhatsApp's foreseeable privacy policy change |
| 11/01/21 | Renamed "Riot" to "Element" | |
| 11/01/21 | Changed "Are messages encrypted when backed up to the cloud?" from empty to "Yes" | Element encrypts the data with a user-supplied key |
| 11/01/21 | Changed "Is encryption turned on by default?" for Element from "No" to "Yes" | Element enabled default end-to-end encryption last year |
| 11/01/21 | Changed "Does the app encrypt data on the device? (iOS and Android only)" for Element from empty to "Yes" | Thank you to Element for reaching out |
| 11/01/21 | Changed "Is personal information (mobile number, contact list, etc.) hashed?" for Element from empty to "No" | App permissions hint that Element does not hash this data |
| 11/01/21 | Changed "Does the app have self-destructing messages?" for Viber from "No" to "Yes" | Viber introduced self-destructing messages last year |
| 12/01/21 | Introduced "User data and/or metadata sent to parent company and/or third parties?" as part of the assessment | WhatsApp will change its privacy policy to send data to its parent company (Facebook) |
| 23/01/21 | Added "Merlin International / Lytical Ventures" to funding for Wickr | Thank you to Wickr for reaching out |
| 23/01/21 | Changed "User data and/or metadata sent to parent company and/or third parties?" for Wickr from empty to "No (optional mobile number sent to third party for registration)" | Thank you to Wickr for reaching out |
| 23/01/21 | Changed "Do you get notified if a contact's fingerprint changes?" for Wickr from "No" to "Yes" | Thank you to Wickr for reaching out |
| 23/01/21 | Changed "Are messages encrypted when backed up to the cloud?" for Wickr from empty to "N/A, Wickr is excluded from iCloud/iTunes & Android backups" | Thank you to Wickr for reaching out |
| 23/01/21 | Changed "Does the app have self-destructing messages?" for WhatsApp from "No" to "Yes" | WhatsApp now has self-destructing messages |
| 23/01/21 | Added an "Overview" and "Details" section | Attempted to make it more obvious that the first row is a recommendation |
| 24/01/21 | Added Session assessment | After many requests, I decided to assess Session |
| 24/01/21 | Changed "Does the app allow a secondary factor of authentication?" for Signal from "No" to "Yes" | Signal offers second factor authentication through the device's fingerprint authentication |
| 26/01/21 | Changed "Is personal information (mobile number, contact list, etc.) hashed?" for Element / Riot from "No" to "Yes" | Element / Riot hashes contact details |
| 26/01/21 | Changed "Have there been a recent code audit and an independent security analysis?" for Element / Riot from "No" to "No (Matrix's encryption library reviewed by an independent party)" | Element / Riot have had Matrix's encryption library reviewed; however, their apps and infrastructure have not been assessed |
| 26/01/21 | Added "Main reasons why the app isn't recommended?" | |
| 26/01/21 | Changed "Is encryption turned on by default?" for Skype from "Yes" to "No" | Skype encryption isn't enabled by default. |
| 26/01/21 | Changed "Does the app use certificate pinning?" for Wickr Me from "No" to "Yes" | Wickr Me does SSL pinning |
| 31/01/21 | Changed "Company jurisdiction" for Wire from "Switzerland" to "USA / Switzerland" | Wire has its holding company, Wire Holdings Inc, located in the US |
| 31/01/21 | Changed "Funding" for Wire from "Janus Friis / Iconical / Zeta Holdings Luxembourg" to "Janus Friis / Iconical / Zeta Holdings Luxembourg / Morpheus Ventures" | Wire raised $8.2 million USD from Morpheus Ventures |
| 05/04/21 | Completed the Session assessment | Thank you to the Session team for answering my questions |
| 27/06/21 | Changed "Funding" for Wickr Me to "Amazon" | Amazon acquired Wickr |
| 27/06/21 | Added "Former NSA chief Keith Alexander is on Amazon’s board of directors" to "Main reasons why the app isn't recommended" for Wickr Me | Amazon acquired Wickr; Amazon is deeply connected to the US government and hence cannot be trusted |
| 27/06/21 | Changed "Company's general stance on customers' privacy" for Wickr Me from "Good" to "Poor" | Amazon acquired Wickr, and Amazon does not have a great record at securing people's data (e.g., Ring and Alexa) |
| 27/06/21 | Changed "Company collects customers' data?" for Wickr Me from "No" to "Yes" | Amazon acquired Wickr, and Amazon collects users' data |
| 13/10/21 | Changed "Have there been a recent code audit and an independent security analysis?" for Session from "No" to "Yes (April 2021)" | Session was independently assessed |
| 13/10/21 | Changed "Does the app enforce perfect forward secrecy?" for Session from "Yes" to "No" | Session implements the Signal protocol with a few exceptions, including PFS |
| 13/10/21 | Changed "Infrastructure jurisdiction" for Session from "Attachments: Centralised server in the US" to "Attachments: Centralised server in Canada" | Session's attachment server is in Canada |
| 13/10/21 | Changed "Improvements to apps that are recommended" for Session to "Implement perfect forward secrecy at the end-to-end encryption layer / Provide more comprehensive independent assessments of security/privacy" | Session was independently assessed; attachments are end-to-end encrypted |
| 13/10/21 | Changed "Are messages encrypted when backed up to the cloud?" for Session from "No" to "N/A, Session is excluded from iCloud/iTunes & Android backups" | Session is excluded from iOS and Android backups |
| 13/10/21 | Changed "Funding" for Wickr Me from "Amazon" to "Amazon / CIA" | Wickr Me accepted $1.6 million USD from the CIA before being bought by Amazon |
| 13/10/21 | Added "Funded by the CIA" for Wickr Me to "Main reasons why the app isn't recommended" | You can't make up this nonsense; do not use Wickr Me |
| 13/10/21 | Changed "Are messages encrypted when backed up to the cloud?" for WhatsApp to "iOS: Yes / Android: Yes" | WhatsApp backups are now end-to-end encrypted |
| 13/10/21 | Changed "Can messages be read by the company?" for WhatsApp from "No" to "Yes" | "Abusive" messages can be forwarded to a moderator for review |
| 13/10/21 | Added "Messages can be read by Facebook if marked as 'abusive'" for WhatsApp to "Main reasons why the app isn't recommended" | "Abusive" messages can be forwarded to a moderator for review |
| 02/02/23 | Changed "Does the app enforce perfect forward secrecy?" for Threema from "No" to "Yes" | Threema have implemented PFS in their new ibex protocol: https://threema.ch/en/blog/posts/ibex |
| 09/03/24 | Clarified app authentication rating | It wasn't clear that I meant local authentication on the app itself, not the user's account |
| 09/03/24 | Added initial assessment of Simplex | |
| 09/03/24 | Added initial assessment of Twitter DMs | |
| 09/03/24 | General update to Skype | Skype uses Signal's protocol for private messages |
| 09/03/24 | Updated iMessage and Signal's cryptographic primitives | iMessage and Signal now use "post quantum" key exchange protocols |
| 09/03/24 | Many general updates | iMessage contact verification; Signal assessments |