App nameAlloCryphoiMessageMessengerSignalSkypeTelegramThreemaViberWhatsappWickrWire
TL;DR: Does the app secure my messages and attachments?NoNoNoYesNoNoYesNoNoNoYes
Company jurisdictionUSANorwayUSAUSAUSAUSAGermanySwitzerlandLuxembourg & JapanUSAUSASwitzerland
Infrastructure jurisdictionUSA, Belgium, Finland, Ireland,the Netherlands, Chile, Taiwan,and SingaporeNorwayUSA (Ireland and Denmark planned); iMessage runs on AWS and Google CloudUSA, Sweden (Ireland planned)USAUSA, the Netherlands, Australia, Brazil, China, Ireland, Hong Kong, and JapanUK, Singapore, USA, and FinlandSwitzerlandUSAUSA (unsure of other locations)USA (unsure of other locations)EU
Implicated in giving customers' data to intelligence agencies?YesNoYesYesNoYesNoNoNoYesNoNo
Surveillance capability built into the app?NoNoNoNoNoYesNoNoNoNoNoNo
Does the company provide a transparency report?YesYesYesYesYesYesNoYesNoYesYesYes
Company's general stance on customers' privacyPoorGoodPoorPoorGoodPoorGoodGoodPoorPoorGoodGood
FundingGoogleNorwegian angel investorsAppleFacebookFreedom of the Press Foundation, the Knight Foundation, the Shuttleworth Foundation, and the Open Technology FundMicrosoftPavel DurovUser paysRakuten, friends and family of Talmon Marco (it's very unclear)FacebookGilman Louie, Juniper Networks, the Knight Foundation, Breyer Capital, CME Group, and WargamingJanus Friis, Iconical, Zeta Holdings Luxembourg
Company collects customers' data?YesNoYesYesNoYesYesNoYesYesNoNo
App collects customers' data?YesMinimalYesYesMinimalYesYesNoYesYesNoMinimal
Is encryption turned on by default?NoYesYesNoYesYesNoYesYes (if device supports it)Yes (if device supports it)YesYes
Cryptographic primitivesElGamal ECC 384 / AES 256 / HMAC-SHA256RSA-1280 (encryption), ECDSA 256 (signing) / AES 128 / SHA-1Curve25519 / AES-256 / HMAC-SHA256Curve25519 / AES-256 / HMAC-SHA256RSA-1536 & 2048 / AES 256 / SHA-1RSA 2048 / AES 256 / SHA-1Curve25519 256 / XSalsa20 256 / Poly1305-AES 128Curve25519 256 / Salsa20 128 / HMAC-SHA256Curve25519 / AES-256 / HMAC-SHA256ECDH512 / AES-256 / HMAC-SHA256Curve25519 / ChaCha20 / HMAC-SHA256
Are the app and server completely open source?NoNo (client only)NoNoYes (messaging is; however, phone calls are not)NoNo (clients and API only)NoNoNoNoNo (clients only)
Can you sign up to the app anonymously?NoNoNoNoNoNoNoYesNoNoYesNo
Can you add a contact without needing to trust a directory server?NoNoNoNoNoNoNoYesYesNoNoNo
Can you manually verify contacts' fingerprints?NoYesNoYesYesNoNo (session only, does not provide users' fingerprint information)YesYesYesYesYes
Directory service could be modified to enable a MITM attack?YesYesYesYesYesYesYesYesYesYesYesYes
Do you get notified if a contact's fingerprint changes?NoYesNoYesNoNo (session only, does not provide users' fingerprint information)YesYesNo (setting turned off by default)NoIf contact was previously verified
Is personal information (mobile number, contact list, etc.) hashed?NoMostlyNoNoMostlyNoNoYesNoNoYesMostly
Does the app generate & keep a private key on the device itself?YesYesYesYesYesYesYesYesYesYes
Can messages be read by the company?YesNoNoYesNoYesYesNoNoNoNoNo
Does the app enforce perfect forward secrecy?NoNoYesYesNo (session keys do change after being used 100 times)NoYesYesYesYes
Does the app encrypt metadata?MostlyNoNoYesNoYesNoYesMostly
Does the app use TLS/Noise to encrypt network traffic?YesYesYesYesYesYesNoYesYesYesYesYes
Does the app use certificate pinning?YesYes (>=iOS 9.3)YesYesYes
Does the app encrypt data on the device? (iOS and Android only)YesYes (if passphrase enabled)Yes (if passphrase enabled)iOS: Yes (if passphrase enabled); Android: Yes (if master key set in the app)iOS: Yes (if passphrase enabled); Android: Yes (unsure of function)
Does the app allow a secondary factor of authentication?NoNoNoNoNoNoYesYesNoNoYes (password for account used)No
Are messages encrypted when backed up to the cloud?N/A, Crypho is excluded from iCloud/iTunes & Android backupsNoN/A, Signal is excluded from iCloud/iTunes & Android backupsYesNoN/A, Wire is excluded from iCloud/iTunes & Android backups
Does the company log timestamps/IP addresses?YesNoYesYesNoYesYesNoYesYesNoSome
Has there been a recent code audit and security analysis?NoNoNoNoYes (October, 2014)NoYes (Nov, 2015)Yes (November, 2015)NoNoYes (August, 2014)Yes
Is the design well documented?NoSomewhatSomewhatSomewhatSomewhatNoSomewhatSomewhatSomewhatSomewhatSomewhatSomewhat
Does the app have self-destructing messages?YesNoNoYesYesNoYesNoNoNoYesYes