If you’d rather not have the government, hackers, your Internet service provider, or anyone else potentially intercepting and reading your private communications, you should make sure you’re using a secure messaging app. Specifically, one that uses encrypted messaging.
As you’ve probably noticed (unless you live under a rock, which is slowly sounding more and more like the way to go), internet privacy has become one of the hottest topics of the decade. Last year the United States Congress repealed regulations that would help protect your data from being sold by broadband and wireless companies. In 2016, the UK’s Parliament passed the Investigatory Powers Act (also known as the Snooper’s Charter), which expands the surveillance power of the UK Intelligence Community and police. Not to mention what’s going on in the news right now concerning privacy. If you aren’t already, now is a pretty good time to start wondering just how safe your online communications actually are.
What makes a messaging app secure?
The main thing to check for when choosing a messaging app is whether or not it uses end-to-end encryption. End-to-end encryption means your private chat messages are scrambled, and only the sender and the receiver of the messages have the “keys” to read them. This ensures that no one besides you and the person you’re talking to can decipher the messages.
Ironically, encryption used to be thought of as something only used by the paranoid or those with a compelling need for secrecy, such as political dissidents. It was only after whistleblower Edward Snowden leaked classified documents revealing the U.S. NSA’s global surveillance program that the world began to fully understand the importance of encryption and online privacy. Since then, many companies (including Facebook, Apple, and Google) have ramped up encryption protection on their software.
Default encryption settings
Just because an app offers end-to-end encryption doesn’t mean that it’s the default setting. Some messaging apps require you to go into the app’s settings and actually turn on the encryption feature, while others only encrypt messages in certain scenarios (for instance, blue iMessages versus green text messages). Because the importance of encryption is still relatively new, many people may just assume the app is safe without knowing if or when their messages are encrypted.
Open source code
While fears of reverse-engineering or code backdoors may make it seem counterintuitive for an app maker to reveal an app’s source code, doing so is now widely regarded as an indicator of the app’s integrity. Open source code opens the app up to outside accountability and auditing by experts, which can be a useful way to bring attention to any weaknesses or vulnerabilities in the code.
While many messaging apps today have started using end-to-end encryption, some still collect information about you, called metadata. Metadata is kind of like your electronic fingerprint, and includes data such as who you talk to (via your contacts list), for how long, and at what time, as well as information about the device you use, your IP address, phone number, and more. Setting up a VPN app on your mobile device, such as AVG Secure VPN for Android or AVG Secure VPN for iOS, is an easy way to protect this kind of information.
Popular messaging apps ranked for security
1. Signal
Originally known as TextSecure Private Messenger, Signal has been touted as the gold standard of messaging security by both cryptographer Bruce Schneier and Edward Snowden. Though available as a free messaging app on both iPhone and Android phones, Signal is considered more of a messaging platform because it sends messages across its own data infrastructure.
Signal security features
- End-to-end encryption: Like WhatsApp, messages sent via the Signal app can only be viewed by the sender and receiver; not even the company behind the app, Open Whisper Systems, can decrypt the messages. In addition to instant messages, you can also send group messages and make voice calls and encrypted video calls.
- Open source: Signal has open source code that can be viewed by anyone. This kind of transparency allows for routine auditing and helps ensure that the app’s security is always up to date.
- Disappearing messages: For extra security, Signal allows you to make both sent and received messages “disappear” after a certain amount of time has elapsed.
- Data storage: Unlike many other messaging apps, Signal only stores the metadata required for the app to work, such as your phone number, random keys, and profile information.
- Password security: The app also allows you to set a password to lock it. So even if your phone falls into the wrong hands, your messages will still be protected.
Signal security risks
The best thing about Signal is that there are virtually no security risks. As long as the app’s developers continue to be diligent about fixing vulnerabilities, Signal will remain at the top of the messaging app food chain.
2. Wickr Me
Available on both iPhone and Android, Wickr has distinguished itself from the pack by offering secure messaging options for both personal use (Wickr Me) and for businesses and enterprises (Wickr Pro). While Wickr Me is free, Wickr Pro is a paid service that comes with a 30-day free trial.
Wickr Me security features
- End-to-end encryption: In addition to encrypted messaging, this year Wickr announced that its “Me” service will also offer encrypted calling and voice messaging (already offered in the Pro version).
- Screenshot detection: Wickr recently announced that they will be offering a new feature that allows users to detect screenshots. This means that you will receive a notification if someone takes a screenshot of a message you send.
- Screen overlay protection: On Android devices, Wickr has released a new feature that allows users to disable “Screen Overlays”. This prevents users from being able to interact with the app when an overlay is detected, and helps protect the app from tapjacking.
- Third-party keyboards: On iOS, Wickr lets you block third-party keyboards. This helps protect your information by preventing third-party keyboards from recording usernames, passwords, and other information that is typed into the app.
- Secure Shredder: This feature adds an extra layer of security by making sure your already deleted files can't be recovered with special tools or technology. While Wickr does this for you periodically, you also have the option to manually erase information from your phone.
Wickr Me security risks
Like Signal, Wickr is generally considered almost foolproof from a security standpoint. Though it was previously criticized for keeping its code closed source, last year Wickr finally released its cryptographic protocol on GitHub. If you feel like getting technical about the app’s security, you can check out Wickr’s Customer Security Promises.
3. Dust
Formerly known as Cyber Dust, Mark Cuban’s brainchild messaging app Dust is available on both iOS and Android. The main purpose of the app is to send private messages called “Dusts” to your contacts (though photos and videos can be sent as well); also per the app’s name, within 100 seconds of your message being read, it “turns to dust” and disappears. “Blasts” are another type of message that can be sent to a group of people, but are read privately. Finally, you can start group chats, simply known as “Groups”.
Dust security features
- End-to-end encryption: Dust’s encryption model is explained on its website, although the code is not actually available for viewing. You can send encrypted text, photo, or video messages, but the app does not allow for voice or video calls.
- No permanent storage: Not only are your messages not permanently saved on your phone or the company’s servers (instead they are kept in the app’s RAM until they are accessed by the receiver), you can also erase your messages from other people’s devices.
- Screenshot alerts: If a screenshot is attempted on an Android phone, the name of the person who sent the message is removed, effectively eliminating context from the conversation. Apple prevents apps from blocking screenshots, so instead, iPhone users receive a notification if someone takes a screenshot of their sent message.
- Auto “Dust”: Messages are automatically erased either within 24 hours, or as soon as they’re read. You can choose.
Dust security risks
There are currently no significant security risks associated with Dust, aside from the potential risks and lack of transparency related to the app’s code not being open source.
4. WhatsApp
With over one billion users, WhatsApp is one of the most popular messaging apps being used today. The app’s popularity is definitely one of its strong points, along with the fact that it’s available for free on both iPhone and Android and doesn’t show any ads. You can easily send text messages, photos, as well as short video and voice messages. But are WhatsApp chats private?
WhatsApp security features
- End-to-end encryption: In April 2016, WhatsApp implemented a super secure encryption protocol developed by Open Whisper Systems (the company behind secure messaging app Signal) across all mobile platforms. Thanks to this protocol, only the sender and receiver have the keys to decrypt messages sent via WhatsApp, meaning they can’t be accessed and read by anyone else. Voice and video calls are also encrypted.
- Verify encryption: WhatsApp also has a “Verify Security Code” screen in the contact info screen that allows you to confirm that your calls and messages are end-to-end encrypted. The code is presented as both a QR code and a 60-digit number.
- Two-step verification: An optional feature, two-step verification allows you to add more security to your account by setting a PIN that is required to verify your phone number on any device.
- Messages not stored: The only time your message is kept on a WhatsApp server is the period after you send it and before it is delivered to the receiver. If it can’t be delivered for some reason, then the message is deleted from the server after 30 days.
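How a 60-digit security code can be tied to both users' keys, as an added example that is not WhatsApp's code. It is modelled on the numeric-fingerprint approach of the open-source Signal protocol library; the iteration count, the hash input layout, the keys and the phone numbers are assumptions or constructed values.

```python
import hashlib

ITERATIONS = 5200  # assumption: iteration count of the scheme this is modelled on

def fingerprint30(identity_key: bytes, user_id: bytes) -> str:
    """30 digits bound to one user's public identity key."""
    # Assumption: 2-byte version prefix followed by key and identifier.
    digest = (0).to_bytes(2, "big") + identity_key + user_id
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # First 30 bytes -> six 5-byte chunks -> each reduced to five digits.
    return "".join(
        f"{int.from_bytes(digest[i:i + 5], 'big') % 100000:05d}"
        for i in range(0, 30, 5)
    )

def security_code(own_key, own_id, peer_key, peer_id) -> str:
    """60-digit code; sorting the halves makes both phones show the same digits."""
    halves = sorted([fingerprint30(own_key, own_id),
                     fingerprint30(peer_key, peer_id)])
    return "".join(halves)

def grouped(code: str) -> str:
    """Twelve groups of five digits, easier to compare by eye or read aloud."""
    return " ".join(code[i:i + 5] for i in range(0, len(code), 5))

# Constructed sample data; real identity keys are public keys generated on the phone.
ALICE = (hashlib.sha256(b"alice-identity").digest(), b"+15550100")
BOB = (hashlib.sha256(b"bob-identity").digest(), b"+15550101")
ROGUE_KEY = hashlib.sha256(b"key-substituted-in-between").digest()

def honest_pair():
    """Codes shown on each phone when both hold each other's real key."""
    return security_code(*ALICE, *BOB), security_code(*BOB, *ALICE)

def substituted_pair():
    """Codes shown when each phone was handed ROGUE_KEY instead of the peer's key."""
    on_alice = security_code(*ALICE, ROGUE_KEY, BOB[1])
    on_bob = security_code(*BOB, ROGUE_KEY, ALICE[1])
    return on_alice, on_bob

if __name__ == "__main__":
    a, b = honest_pair()
    print("match   " if a == b else "MISMATCH", grouped(a))
    a, b = substituted_pair()
    print("match" if a == b else "MISMATCH: the phones hold different keys")
```

The comparison only proves something when it is done over a channel the messaging service does not control, such as in person or by scanning the QR code from the other phone's screen.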
WhatsApp security risks
- Unencrypted backups: WhatsApp messages can’t be intercepted during transmission, but what about message backups on iCloud or Google Drive? The good news for iPhone users is that WhatsApp added encryption protection to iCloud backups in late 2016. But Android phone messages backed up on Google Drive are not encrypted, leaving them potentially vulnerable to hackers, governments that could legally force Google to turn over your messages, or even Google itself. So how can you protect your privacy on WhatsApp as an Android user? Fortunately, you can disable WhatsApp message backups on Google Drive.
- Facebook privacy issues: WhatsApp was bought by Facebook in 2014, transferring concerns about the social media conglomerate’s reputation for invasive data collection to the messaging app. While Facebook assures users that there is no possible way for them to view encrypted WhatsApp messages, WhatsApp did announce that they would be sharing user metadata with Facebook, for various purposes such as ad-targeting.
5. Telegram
Claiming over 200 million users on both iPhone and Android, Telegram has been steadily growing in popularity since its debut in 2013 and is known for its unique group chat feature that can support up to 100,000 members. Earlier this year, however, a clash with the Russian government over the app makers’ refusal to hand over the encryption keys resulted in it being banned in Russia entirely. Telegram has also been viewed as controversial because of its status as the preferred messaging app of ISIS. This has further driven the conversation about what responsibility messaging apps have to work with law-enforcement versus keeping user data fully protected.
Telegram security features
- End-to-end encryption: Telegram offers a feature called “Secret Chat” that allows you to protect your messages with end-to-end encryption. However, the feature is not default, so you’ll need to know how to turn it on.
- Passcode Lock: You can set a 4-digit code to prevent intruders from accessing your messages, which can be useful if your phone gets lost or stolen.
- Two-step verification: Found in Settings, two-step verification requires you to use both an SMS code and a password (be sure you know what not to do when creating a password) to log in to the app. You can also set up a recovery email address in case you forget your password.
- Open source code: Anyone can check Telegram’s source code, protocol, and API to make sure it is up to par.
- Telegram Cracking Contest: Telegram challenges “hackers” to attempt to break through their encryption and decipher messages, offering a $300,000 reward for anyone who is able to do so.
- Self-destructing messages: Like many other messaging apps, Telegram also offers a Self-Destruct Timer (for Secret Chats only) that will delete private text messages and media within a preset time limit.
- Remote logout: Because you can log into Telegram from numerous devices at the same time (web, PC, tablet, smartphone, etc.), the app offers the ability to log out of other sessions from the current device you’re using through the Settings menu. This way, if your device is lost or stolen, you can still make sure your messages are secure.
- Account self-destruct: After your account has been inactive for a certain amount of time (six months being the default), your account will automatically self-destruct, completely wiping clean all of your messages and media.
Telegram security risks
- End-to-end encryption isn’t default: You must manually enable Telegram’s “Secret Chat” feature, otherwise chats are only encrypted between your device and Telegram’s server.
- Logging chat data: If you don’t enable the Secret Chat feature, then your chat data is saved on Telegram’s servers. The company claims this is in case you lose your device and want to recover your messages, but from a security standpoint, this is a big no-no.
- Possibly flawed encryption technology: Telegram created its own MTProto protocol, instead of using one that is already proven secure, such as the Signal protocol. Many experts have questioned the reasoning behind this, and have expressed skepticism about the lack of transparency surrounding the protocol.
6. Apple iMessage
The instant messaging service developed by Apple Inc., iMessage is supported by the Messenger application on iOS version 5.0 and later. Allowing users to send text, documents, videos, photos, contact information, and group messages over the Internet, iMessage is very popular among iPhone users (and can only be used between them). We’ve already gone over tips on how to keep your iPhone safe, but is iMessage actually secure?
iMessage security features
- End-to-end encryption: iMessage end-to-end encryption only protects messages between iPhone users (which appear in blue). If you send a message to an Android user for instance, the message is sent as a normal text message (in green) and is not encrypted. Unlike many of the other apps on this list, it seems like Apple won’t be coming out with iMessage for Android. Though iMessage doesn’t directly allow for video or voice calls, its sister app FaceTime does (with encrypted protection).
- Self-destructing messages: Many iMessage users are unaware that the app provides a feature that allows you to control how long each photo, video, or message will appear before it’s gone. You can also choose how many times the viewer can see the message. However, the feature is only available with iOS 10 and later.
- iMessages deleted from servers: Your encrypted messages only remain on Apple’s servers for 7 days before they are deleted.
iMessage security risks
- Encryption weaknesses: In 2016, researchers at Johns Hopkins University revealed a flaw in Apple’s encryption implementation that could allow iMessage messages to be decrypted. While the flaw was quickly patched, it still raised questions about the security of the app’s encryption protocol, which is closed source and can’t be audited by third parties.
- iCloud backups: If you back up your iMessages to iCloud, these messages are encrypted on iCloud using a key controlled by the company, not you. This means that, if your iCloud is hacked or subpoenaed by a court, they could be revealed. And while Apple has been firm about not creating “back doors” into their system or weakening encryption, they and other tech companies do have a history of cooperating with authorities when it comes to turning over information stored in the Cloud.
7. Facebook Messenger
Facebook’s messaging app is available for both iPhone and Android phones, and provides a convenient way to keep up with friends and family thanks to its sheer popularity.
Facebook Messenger security features
- End-to-end encryption: In 2016, Facebook added its Secret Conversations feature to secure messages with the Signal end-to-end encryption protocol (also used by WhatsApp). However, Signal and WhatsApp have end-to-end encryption by default, while Secret Conversations must be activated.
- Self-destructing messages: You can set Facebook Messenger messages to self-destruct after a certain period of time (between five seconds and 24 hours).
Facebook Messenger security risks
- Encryption not by default: As mentioned above, end-to-end encryption for messages must be activated by the user. This means that messages sent without this feature are only encrypted when sent to Facebook’s server, and then encrypted again when sent to the recipient (whereas end-to-end is directly between sender and recipient). This means a copy of the message remains on Facebook’s servers.
- Privacy concerns: In the wake of Facebook’s Cambridge Analytica scandal, concerns about Facebook’s data collection overreach have only intensified, causing many to wonder how they can protect their personal data while on Facebook. To make matters worse, news broke in March that Facebook has been collecting information about the calls and texts of its Android users through a permission that allows the app to import their phone contacts, confirming doubts that Facebook Messenger is safe and private.
App to avoid: Google Hangouts
Despite being available for free on both iOS and Android, Google Hangouts is riddled with privacy and security concerns. Though it does encrypt hangout conversations, it doesn’t use end-to-end encryption — instead, messages are encrypted “in transit”. This means that they are only encrypted between your device and Google’s servers. Once they are on a server, Google has complete access to them. If ordered to do so, Google can tap into private communication sessions and relay that information to government agencies. And with Google’s Transparency Report revealing that the company does indeed receive and often fulfill requests for customer information, this is a very real concern.
Additionally, images sent via Hangouts are shared through public URLs, meaning that virtually anyone (who knows a thing or two about URLs) can view your private images. This is definitely not the app you should be using to send...sensitive...pics.
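The difference between encryption “in transit” and end-to-end encryption, as described above for Hangouts and earlier for Telegram's regular chats and Facebook Messenger without Secret Conversations, shown as an added example that is not taken from any of these apps. The cipher is a toy stand-in for a real authenticated cipher, and the server, user names, keys and message are constructed for illustration.

```python
import hashlib, hmac, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption; stands in for a real AEAD such as AES-GCM."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    return bytes(c ^ k for c, k in zip(body, _stream(key, nonce, len(body))))

class Server:
    """Relay that keeps a copy of every payload it handles."""
    def __init__(self, link_keys):
        self.link_keys = link_keys  # one transport key per user (plays the role of TLS)
        self.stored = []            # what the operator holds and could be ordered to disclose

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        payload = unseal(self.link_keys[sender], blob)  # transport encryption ends here
        self.stored.append(payload)
        return seal(self.link_keys[recipient], payload)

MESSAGE = b"meet at 6pm"  # constructed sample message

def send(mode: str):
    """Deliver MESSAGE from alice to bob; return (what bob reads, what the server stored)."""
    links = {"alice": os.urandom(32), "bob": os.urandom(32)}
    server = Server(dict(links))
    chat_key = os.urandom(32)  # assumption: agreed between the two phones only
    payload = seal(chat_key, MESSAGE) if mode == "e2e" else MESSAGE
    delivered = unseal(links["bob"],
                       server.relay("alice", "bob", seal(links["alice"], payload)))
    received = unseal(chat_key, delivered) if mode == "e2e" else delivered
    return received, server.stored[0]

if __name__ == "__main__":
    for mode in ("transit", "e2e"):
        received, stored = send(mode)
        print(mode, "| recipient reads:", received, "| server holds:", stored[:24])
```

In both modes the network only ever sees ciphertext; the difference is what sits on the server after the transport layer is removed.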
How can I stay safe?
We believe everyone has a right to online privacy, but sometimes it takes a bit of proactiveness to protect that right from those who would like unfettered access to it. In an ideal world, everyone would be using super secure messaging apps like Signal or Wickr to communicate. But with the popularity of less secure or privacy-questionable apps such as Facebook Messenger or WhatsApp, sometimes the middle ground is more convenient.
If you do choose to use a less secure messaging app, pair it with VPN protection, such as AVG Secure VPN, to keep your information as safe as possible.