If you’d rather not have the government, hackers, your internet service provider, or anyone else potentially intercepting and reading your private communications, you should make sure you’re using a secure messaging app. Specifically, one that uses encrypted messaging.

As you’ve probably noticed (unless you live under a rock, which is slowly sounding more and more like the way to go), internet privacy has become one of the hottest topics of the decade. In 2017, the United States Congress repealed regulations that would help protect your data from being sold by broadband and wireless companies. In 2016, the UK’s Parliament passed the Investigatory Powers Act (also known as the Snooper’s Charter), which expands the surveillance power of the UK Intelligence Community and police. And in 2018, Australia forced famous messaging app WhatsApp to include spyware so they could see what you’re typing. Not to mention what’s going on in the news right now concerning privacy. If you aren’t already worried, now is a pretty good time to start wondering just how safe your online communications actually are, and what the most secure messaging app is.

What makes a messaging app secure?

An encrypted messaging app has something more important than cool widgets and a gigantic library of emojis: it has features that work quietly in the background to make sure the app is secure.

End-to-end encryption

The main thing to check for when choosing a messaging app is whether or not it uses end-to-end encryption. End-to-end encryption means your private chat messages are scrambled, and only the sender and the receiver of the messages have the “keys” to read them. This ensures that no one besides you and the person you’re talking to can decipher the messages.

Ironically, encryption used to be thought of as something only used by the paranoid or those with a compelling need for secrecy, such as political dissidents. It was only after whistleblower Edward Snowden leaked classified documents revealing the U.S. NSA’s global surveillance program that the world began to fully understand the importance of encryption and online privacy. Since then, many companies (including Facebook, Apple, and Google) have ramped up encryption on their software.

Default encryption settings

Just because an app offers end-to-end encryption doesn’t mean that it’s the default setting. Some messaging apps require you to go into the app’s settings and actually turn on the encryption feature, while others only encrypt messages in certain scenarios (for instance, blue iMessages versus green text messages). Because awareness of encryption is still relatively new, many people may just assume the app is safe without knowing if or when their messages are encrypted, so look for one that has encryption on as the default for you and whomever you’re messaging.

Open source code

While fears of reverse-engineering or code backdoors may make it seem counterintuitive for an app maker to reveal an app’s source code, doing so is now widely regarded as an indicator of the app’s integrity. Open source code opens the app up to outside accountability and auditing by experts, which can be a useful way to bring attention to any weaknesses or vulnerabilities in the code.

Data collection

While many messaging apps today have started using end-to-end encryption, some still collect information about you, called metadata. Metadata is kind of like your electronic fingerprint, and includes data such as who you talk to (via your contacts list), for how long, and at what time, as well as information about the device you use, your IP address, phone number, and more. Setting up a VPN app on your mobile device is an easy way to block the collection of this kind of personal information. Both AVG Secure VPN for Android and AVG Secure VPN for iOS are available to help you seamlessly protect your online privacy.

What are the most secure messaging apps for Android & iPhone?

1. Signal

Originally known as TextSecure Private Messenger, Signal has been touted as the gold standard of messaging security by cryptographer Bruce Schneier, Edward Snowden, US Congress, and even the European Commission. Available as a free messaging app on iPhone and Android phones, as well as desktops, Signal sends messages across its own data infrastructure.

Signal security features

  • End-to-end encryption
    Messages sent via the Signal app can only be viewed by the sender and receiver. Not even the company behind the app, Open Whisper Systems, can decrypt the messages. In addition to instant messages, you can also make voice calls, group messages, and encrypted video calls.
  • Open Source
    Signal has open source code that can be viewed by anyone. This kind of transparency allows for routine auditing and helps ensure that the app’s security is always up to date.
  • Disappearing messages
    For extra security, Signal allows you to make both sent and received messages “disappear” after a certain amount of time has elapsed.
  • Minimal data storage
    Unlike many other messaging apps, Signal only stores the metadata required for the app to work, such as your phone number, random keys, and profile information.
  • Password security
    The app also allows you to set a password to lock it. So even if your phone falls into the wrong hands, your messages will still be protected.

Signal security risks 

The best thing about Signal is that there are virtually no security risks. As long as the app’s developers continue to be diligent about fixing vulnerabilities, Signal will remain at the top of the messaging app food chain.

2. Wickr Me

Available on both iPhone and Android, Wickr has distinguished itself from the pack by offering secure messaging options for both personal use (Wickr Me) and for businesses and enterprises (Wickr Pro). While Wickr Me is free, Wickr Pro is a paid service that comes with a 30-day free trial. 

Wickr Me security features 

  • End-to-end encryption
    In addition to encrypted messaging, in 2018 Wickr announced that its “Me” service will also offer encrypted calling and voice messaging (which are already offered in the Pro version). 
  • Screenshot detection
    Wickr recently announced that they will be offering a new feature that allows users to detect screenshots. This means that you will receive a notification if someone takes a screenshot of a message you send. 
  • Screen overlay protection
    On Android devices, Wickr has released a new feature that allows users to disable “Screen Overlays”. This prevents users from being able to interact with the app when an overlay is detected, and helps protect the app from TapJacking.
  • Third party keyboards
    On iOS, Wickr lets you block Third Party Keyboards. This helps protect your information by preventing third party keyboards from recording usernames, passwords, and other information that is typed into the app. 
  • Secure Shredder
    This feature adds an extra layer of security by making sure your already deleted files can't be recovered with special tools or technology. While Wickr does this for you periodically, you also have the option to manually erase information from your phone. 

Wickr Me security risks 

Like Signal, Wickr is generally considered almost foolproof from a security standpoint. Though it was previously criticized for keeping its code closed source, in 2017 Wickr finally released its cryptographic protocol on Github. If you feel like getting technical about the app’s security, you can check out Wickr’s Customer Security Promises.

3. Dust

Formerly known as Cyber Dust, Mark Cuban’s brainchild messaging app Dust is available on both iOS and Android. The main purpose of the app is to send private messages (or photos and videos) called “Dusts” to your contacts that “turn to dust” and disappear within 100 seconds of being read. “Blasts” are another type of message that can be sent to a group of people, but are read privately. Finally, you can start group chats, simply known as “Groups.”

Dust security features

  • End-to-end encryption
    Dust uses “heavy encryption,” although the code is not actually available for viewing. You can send encrypted text, photo, or video messages, but the app does not allow for voice or video calls.
  • No permanent storage
    Not only are your messages not permanently saved on your phone or the company’s servers (instead they’re sent to the app’s RAM memory until they are accessed by the receiver), you can also erase your messages off of other people’s devices. 
  • Screenshot alerts
    If a screenshot is attempted on an Android phone, the name of the person who sent the message is removed, effectively eliminating context from the conversation. Apple prevents apps from blocking screenshots, so instead, iPhone users receive a notification if someone takes a screenshot of their sent message. 
  • Auto “Dust”
    Messages are automatically erased either within 24 hours, or as soon as they’re read. You can choose.

Dust security risks

There are currently no significant security risks associated with Dust, aside from the potential risks and lack of transparency related to the app’s code not being open source.

4. WhatsApp

With over 300 million daily users, WhatsApp is one of the most popular messaging apps being used today. The app’s popularity is definitely one of its strong points, along with the fact that it’s available for free on both iPhone and Android and doesn’t show any ads. You can easily send text messages, photos, as well as short video and voice messages. But are WhatsApp chats private?

WhatsApp security features

  • End-to-end encryption
    In April 2016, WhatsApp implemented a super secure encryption protocol developed by Open Whisper Systems (the company behind secure messaging app Signal) across all mobile platforms. Thanks to this protocol, only the sender and receiver have the keys to decrypt messages sent via WhatsApp, meaning they can’t be accessed and read by anyone else. Voice and video calls are also encrypted.
  • Verify encryption
    WhatsApp also has a “Verify Security Code” screen in the contact info screen that allows you to confirm that your calls and messages are end-to-end encrypted. The code is presented as both a QR code and a 60-digit number. 
  • Two-step verification
    An optional feature, two-step verification allows you to add more security to your account by setting a PIN number that is required to verify your phone number on any device. 
  • Messages not stored
    The only time your message is kept on a WhatsApp server is the period after you send it and before it is delivered to the receiver. If it can’t be delivered for some reason, then the message is deleted from the server after 30 days.
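
What comparing the 60-digit security code accomplishes, as an added example that is not WhatsApp's code or its real derivation: each phone derives 30 digits from each party's public key, so the two screens match only when both phones hold the same pair of keys. The names `newIdentity`, `halfCode`, `securityCode`, `compareScreens`, the round count and the generated keys are assumptions made for the illustration.

```javascript
// Added illustration: a simplified numeric fingerprint, not WhatsApp's real algorithm.
const crypto = require('crypto');

const ROUNDS = 1000; // arbitrary stretching count chosen for the demo (assumption)

// A constructed identity: a user id plus a freshly generated X25519 public key.
function newIdentity(id) {
  const { publicKey } = crypto.generateKeyPairSync('x25519');
  return { id, key: publicKey.export({ type: 'spki', format: 'der' }) };
}

// 30 decimal digits for one party: stretch the key with SHA-512, then read
// six 5-byte chunks of the digest as integers modulo 100000.
function halfCode({ id, key }) {
  let h = Buffer.concat([Buffer.from(id, 'utf8'), key]);
  for (let i = 0; i < ROUNDS; i++) {
    h = crypto.createHash('sha512').update(h).update(key).digest();
  }
  let digits = '';
  for (let offset = 0; offset < 30; offset += 5) {
    digits += String(h.readUIntBE(offset, 5) % 100000).padStart(5, '0');
  }
  return digits;
}

// 60 digits for the conversation. Sorting the two halves makes both phones
// display the same string no matter which side computes it.
function securityCode(mine, theirs) {
  return [halfCode(mine), halfCode(theirs)].sort().join('');
}

// Each phone computes the code from its own key and the key the server
// delivered for the contact. `swap` models a server that hands Alice a key
// Bob does not own.
function compareScreens(swap) {
  const alice = newIdentity('alice');
  const bob = newIdentity('bob');
  const other = newIdentity('bob'); // same name, different key
  const onAlicePhone = securityCode(alice, swap ? other : bob);
  const onBobPhone = securityCode(bob, alice);
  return { onAlicePhone, onBobPhone, match: onAlicePhone === onBobPhone };
}

console.log('honest delivery :', compareScreens(false).match);
console.log('substituted key :', compareScreens(true).match);
```

A mismatch between the two screens is the signal to stop and re-verify before trusting the chat.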

WhatsApp Security risks

  • Unencrypted backups
    WhatsApp messages can’t be intercepted during transmission, but what about message backups on iCloud or Google Drive? The good news for iPhone users is that WhatsApp added encryption protection to iCloud backups in late 2016. But Android phone messages backed up on Google Drive are not encrypted, leaving them potentially vulnerable to hackers, governments that could legally force Google to turn over your messages, or even Google itself. So how can you protect your privacy on WhatsApp as an Android user? Fortunately, you can disable WhatsApp message backups on Google Drive.
  • Facebook privacy issues
    WhatsApp was bought by Facebook in 2014, transferring concerns about the social media conglomerate’s reputation for invasive data collection to the messaging app. While Facebook assures users that there is no possible way for them to view encrypted WhatsApp messages, WhatsApp did announce that they would be sharing user metadata with Facebook, for various purposes such as ad-targeting.

5. Telegram

Claiming over 200 million users on both iPhone and Android, Telegram has been steadily growing in popularity since its debut in 2013 and is known for its unique group chat feature that can support up to 100,000 members. Earlier in 2018, however, a clash with the Russian government over the app makers’ refusal to hand over the encryption keys resulted in it being banned in Russia entirely. Telegram has also been viewed as controversial because of its status as the preferred messaging app of ISIS. This has further driven the conversation about what responsibility messaging apps have to work with law-enforcement versus keeping user data fully protected.

Telegram security features

  • End-to-end encryption
    Telegram offers a feature called “Secret Chat” that allows you to protect your messages with end-to-end encryption. However, the feature is not default, so you’ll need to know how to turn it on.
  • Passcode Lock
    You can set a 4-digit code to prevent intruders from accessing your messages, which can be useful if your phone gets lost or stolen. 
  • Two-step verification
    Found in Settings, two-step verification requires you to use both an SMS code and a password (be sure you know what not to do when creating a password) to log in to the app. You can also set up a recovery email address in case you forget your password.
  • Open source code
    Anyone can check Telegram’s source code, protocol, and API to make sure it is up to par. 
  • Telegram Cracking Contest
    Telegram challenges “hackers” to attempt to break through their encryption and decipher messages, offering a $300,000 reward for anyone who is able to do so. This helps ensure that any potential vulnerabilities will be found and fixed.
  • Self-destructing messages
    Like many other messaging apps, Telegram also offers a Self-Destruct Timer (for Secret Chats only) that will delete private text messages and media within a preset time limit. 
  • Remote logout
    Because you can log into Telegram from numerous devices at the same time (web, PC, tablet, smartphone, etc.), the app offers the ability to log out of other sessions from the current device you’re using through the Settings menu. This way, if your device is lost or stolen, you can still make sure your messages are secure. 
  • Account self-destruct
    After your account has been inactive for a certain amount of time (six months being the default), your account will automatically self-destruct, completely wiping clean all of your messages and media.

Telegram security risks

  • End-to-end encryption isn’t default
    You must manually enable Telegram’s “Secret Chat” feature, otherwise chats are only encrypted between your device and Telegram’s server. 
  • Logging chat data
    If you don’t enable the Secret Chat feature, then your chat data is saved on Telegram’s servers. The company claims this is in case you lose your device and want to recover your messages, but from a security standpoint, this is a big no-no. 
  • Possibly flawed encryption technology
    Telegram created its own MTProto protocol, instead of using one that is already proven secure, such as the Signal protocol. Many experts have questioned the reasoning behind this, and have expressed skepticism about the lack of transparency surrounding the protocol.

6. Apple iMessage

The instant messaging service developed by Apple Inc., iMessage is supported by the Messenger application on iOS version 5.0 and later. Allowing users to send text, documents, videos, photos, contact information, and group messages over the internet, iMessage is very popular among iPhone users (and can only be used between them). We’ve already gone over tips on how to keep your iPhone safe, but is iMessage actually secure? 

iMessage security features 

  • End-to-end encryption 
    iMessage end-to-end encryption only protects messages between iPhone users (which appear in blue). If you send a message to an Android user for instance, the message is sent as a normal text message (in green) and is not encrypted. Unlike many of the other apps on this list, it seems like Apple won’t be coming out with iMessage for Android. Though iMessage doesn’t directly allow for video or voice calls, its sister app FaceTime does (with encrypted protection). 
  • Self-destructing messages
    Many iMessage users are unaware that the app provides a feature that allows you to control how long each photo, video, or message will appear before it’s gone. You can also choose how many times the viewer can see the message. However, the feature is only available with iOS 10 and later. 
  • iMessages deleted from servers 
    Your encrypted messages only remain on Apple’s servers for 7 days before they are deleted. 

iMessage security risks 

  • Encryption weaknesses 
    In 2016, researchers at Johns Hopkins University revealed a flaw with Apple’s encryption implementation that could leave iMessages vulnerable to decryption. Later, in 2019, researchers from Project Zero presented 6 high-level exploits that allowed them to use iMessages to take over a user’s device. All these issues were quickly patched, but it does imply the risk of other, unknown vulnerabilities lurking in the code.
  • iCloud backups
    If you back up your iMessages to iCloud, these messages are encrypted on iCloud using a key controlled by the company, not you. This means that, if your iCloud is hacked or subpoenaed by a court, they could be revealed. And while Apple has been firm about not creating “back doors” into their system or weakening encryption, they and other tech companies do have a history of cooperating with authorities when it comes to turning over information stored in the Cloud.

7. Facebook Messenger

Facebook’s messaging app is available for both iPhone and Android phones, and provides a convenient way to keep up with friends and family thanks to its sheer popularity. 

Facebook Messenger security features

  • End-to-end encryption
    In 2016, Facebook added its Secret Conversations feature to secure messages with the Signal end-to-end encryption protocol (also used by WhatsApp). However, Signal and WhatsApp have end-to-end encryption by default, while Secret Conversations must be activated.
  • Self-destructing messages
    You can set Facebook Messenger messages to self-destruct after a certain period of time (between five seconds and 24 hours). 

Facebook Messenger security risks 

  • Encryption not by default
    As mentioned above, end-to-end encryption for messages must be activated by the user. This means that messages sent without this feature are only encrypted when sent to Facebook’s server, and then encrypted again when sent to the recipient (whereas end-to-end is directly between sender and recipient). This means a copy of the message remains on Facebook’s servers. 

App to avoid: Google Hangouts

Despite being available for free on both iOS and Android, Google Hangouts is riddled with privacy and security concerns. Though it does encrypt hangout conversations, it doesn’t use end-to-end encryption — instead, messages are encrypted “in transit”. This means that they are only encrypted between your device and Google’s servers. Once they are on a server, Google has complete access to them. If ordered to do so, Google can tap into private communication sessions and relay that information to government agencies. And with Google’s Transparency Report revealing that the company does indeed receive and often fulfill requests for customer information, this is a very real concern.
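
The difference between “in transit” encryption described here and the end-to-end encryption defined at the top of the article, as an added example that is not code from any of the apps discussed: the same message is relayed both ways and the function reports what the server in the middle can read. The function names, the `demo-e2e` label, the random link keys standing in for per-connection transport keys, and the sample message are all assumptions.

```javascript
// Added illustration: constructed keys and message, not any app's real protocol.
const crypto = require('crypto');

// AES-256-GCM helpers shared by both models.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function open(key, { iv, body, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

// Turn an X25519 exchange between two users into a 32-byte message key.
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'demo-e2e', 32));
}

// Model 1, encrypted in transit: each client shares a key with the server
// only, so the server decrypts the message and re-encrypts it for the next hop.
function relayInTransit(message) {
  const aliceLink = crypto.randomBytes(32); // stands in for the Alice<->server session key
  const bobLink = crypto.randomBytes(32);   // stands in for the server<->Bob session key
  const hop1 = seal(aliceLink, message);
  const serverSees = open(aliceLink, hop1); // plaintext exists on the server
  const hop2 = seal(bobLink, serverSees);
  return { serverSees, delivered: open(bobLink, hop2) };
}

// Model 2, end-to-end: the key is derived on the two phones and the server
// only stores and forwards the sealed envelope.
function relayEndToEnd(message) {
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const envelope = seal(sharedKey(alice.privateKey, bob.publicKey), message);
  const serverKey = crypto.randomBytes(32); // any key the server holds; never the pair's secret
  let serverSees = null;
  try {
    serverSees = open(serverKey, envelope);
  } catch (err) {
    // GCM authentication fails: the server cannot read the envelope.
  }
  const delivered = open(sharedKey(bob.privateKey, alice.publicKey), envelope);
  return { serverSees, delivered };
}

console.log('in transit :', relayInTransit('meet at noon'));
console.log('end-to-end :', relayEndToEnd('meet at noon'));
```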

Additionally, images sent via Hangouts are shared through public URLs, meaning that virtually anyone (who knows a thing or two about URLs) can view your private images. This is definitely not the app you should be using to send...sensitive...pics.

How can I stay safe?

We believe everyone has a right to online privacy, and deserves to message their friends and family without worrying about who might be sneaking a peek. In an ideal world, everyone would be using super secure messaging apps like Signal or Wickr to communicate. But with the popularity of less secure or privacy-questionable apps such as Facebook Messenger and WhatsApp, sometimes the middle ground is more convenient. If you do choose to use a less secure messaging app, pair it with VPN protection. A virtual private network encrypts everything you do online, including messaging as well as other tasks that may expose your sensitive personal info like online shopping and banking. We offer AVG Secure VPN for iOS and AVG Secure VPN for Android to keep your information safe on every device.
