In 2017, the United States Congress repealed regulations that would help protect your data from being sold by broadband and wireless companies. In 2016, the UK’s Parliament passed the Investigatory Powers Act (also known as the Snooper’s Charter), which expands the surveillance power of the UK Intelligence Community and police. And in 2018, Australia forced famous messaging app WhatsApp to include spyware so they could see what you’re typing. Not to mention what’s going on in the news right now concerning privacy. If you aren’t already worried, now is a pretty good time to start wondering just how safe your online communications actually are, and what the most secure messaging app is.
What makes a messaging app secure?
An encrypted messaging app has something more important than cool widgets and a gigantic library of emojis: it has features that work quietly in the background to make sure the app is secure.
The main thing to check for when choosing a messaging app is whether or not it uses end-to-end encryption. End-to-end encryption means your private chat messages are scrambled, and only the sender and the receiver of the messages have the “keys” to read them. This ensures that no one besides you and the person you’re talking to can decipher the messages.
Ironically, encryption used to be thought of as something only used by the paranoid or those with a compelling need for secrecy, such as political dissidents. It was only after whistleblower Edward Snowden leaked classified documents revealing the U.S. NSA’s global surveillance program that the world began to fully understand the importance of encryption and online privacy. Since then, many companies (including Facebook, Apple, and Google) have ramped up encryption on their software.
Default encryption settings
Just because an app offers end-to-end encryption, doesn’t mean that it’s the default setting. Some messaging apps require you to go into the app’s settings and actually turn on the encryption feature, while others only encrypt messages in certain scenarios (for instance, blue iMessages versus green text messages). Because the importance of encryption is still relatively new, many people may just assume the app is safe without knowing if or when their messages are encrypted — so look for one that has encryption on as the default for you and whomever you’re messaging.
Open source code
While fears of reverse-engineering or code backdoors may make it seem counterintuitive for an app maker to reveal an app’s source code, doing so is now widely regarded as an indicator of the app’s integrity. Open source code opens the app up to outside accountability and auditing by experts, which can be a useful way to bring attention to any weaknesses or vulnerabilities in the code.
While many messaging apps today have started using end-to-end encryption, some still collect information about you, called metadata. Metadata is kind of like your electronic fingerprint, and includes data such as who you talk to (via your contacts list), for how long, and at what time, as well as information about the device you use, your IP address, phone number, and more. Setting up a VPN app on your mobile device is an easy way to block the collection of this kind of personal information. Both AVG Secure VPN for Android and AVG Secure VPN for iOS are available to help you seamlessly protect your online privacy.
What are the most secure messaging apps for Android & iPhone?
1. Signal
Originally known as TextSecure Private Messenger, Signal has been touted as the gold standard of messaging security by cryptographer Bruce Schneier, Edward Snowden, the US Congress, and even the European Commission. Available as a free messaging app on iPhone and Android phones, as well as desktops, Signal sends messages across its own data infrastructure.
Signal security features
Messages sent via the Signal app can only be viewed by the sender and receiver. Not even the company behind the app, Open Whisper Systems, can decrypt the messages. In addition to instant messages, you can also make voice calls, group messages, and encrypted video calls.
Signal has open source code that can be viewed by anyone. This kind of transparency allows for routine auditing and helps ensure that the app’s security is always up to date.
For extra security, Signal allows you to make both sent and received messages “disappear” after a certain amount of time has elapsed.
Minimal data storage
Unlike many other messaging apps, Signal only stores the metadata required for the app to work, such as your phone number, random keys, and profile information.
The app also allows you to set a password to lock it. So even if your phone falls into the wrong hands, your messages will still be protected.
Signal security risks
The best thing about Signal is that there are virtually no security risks. As long as the app’s developers continue to be diligent about fixing vulnerabilities, Signal will remain at the top of the messaging app food chain.
2. Wickr Me
Available on both iPhone and Android, Wickr has distinguished itself from the pack by offering secure messaging options for both personal use (Wickr Me) and for businesses and enterprises (Wickr Pro). While Wickr Me is free, Wickr Pro is a paid service that comes with a 30-day free trial.
Wickr Me security features
Screen overlay protection
On Android devices, Wickr has released a new feature that allows users to disable “Screen Overlays”. This prevents users from being able to interact with the app when an overlay is detected, and helps protect the app from TapJacking.
Third party keyboards
On iOS, Wickr lets you block Third Party Keyboards. This helps protect your information by preventing third party keyboards from recording usernames, passwords, and other information that is typed into the app.
Wickr Me security risks
Like Signal, Wickr is generally considered almost foolproof from a security standpoint. Though it was previously criticized for keeping its code closed source, in 2017 Wickr finally released its cryptographic protocol on GitHub. If you feel like getting technical about the app’s security, you can check out Wickr’s Customer Security Promises.
3. Dust
Formerly known as Cyber Dust, Mark Cuban’s brainchild messaging app Dust is available on both iOS and Android. The main purpose of the app is to send private messages (or photos and videos) called “Dusts” to your contacts that “turn to dust” and disappear within 100 seconds of being read. “Blasts” are another type of message that can be sent to a group of people, but are read privately. Finally, you can start group chats, simply known as “Groups.”
Dust security features
Dust uses “heavy encryption,” although the code is not actually available for viewing. You can send encrypted text, photo, or video messages, but the app does not allow for voice or video calls.
If a screenshot is attempted on an Android phone, the name of the person who sent the message is removed, effectively eliminating context from the conversation. Apple prevents apps from blocking screenshots, so instead, iPhone users receive a notification if someone takes a screenshot of their sent message.
Dust security risks
There are currently no significant security risks associated with Dust, aside from the potential risks and lack of transparency related to the app’s code not being open source.
4. WhatsApp
With over 300 million daily users, WhatsApp is one of the most popular messaging apps being used today. The app’s popularity is definitely one of its strong points, along with the fact that it’s available for free on both iPhone and Android and doesn’t show any ads. You can easily send text messages, photos, as well as short video and voice messages. But are WhatsApp chats private?
WhatsApp security features
In April 2016, WhatsApp implemented a super secure encryption protocol developed by Open Whisper Systems (the company behind secure messaging app Signal) across all mobile platforms. Thanks to this protocol, only the sender and receiver have the keys to decrypt messages sent via WhatsApp, meaning they can’t be accessed and read by anyone else. Voice and video calls are also encrypted.
WhatsApp security risks
WhatsApp messages can’t be intercepted during transmission, but what about message backups on iCloud or Google Drive? The good news for iPhone users is that WhatsApp added encryption protection to iCloud backups in late 2016. But Android phone messages backed up on Google Drive are not encrypted, leaving them potentially vulnerable to hackers, governments that could legally force Google to turn over your messages, or even Google itself. So how can you protect your privacy on WhatsApp as an Android user? Fortunately, you can disable WhatsApp message backups on Google Drive.
Facebook privacy issues
WhatsApp was bought by Facebook in 2014, transferring concerns about the social media conglomerate’s reputation for invasive data collection to the messaging app. While Facebook assures users that there is no possible way for them to view encrypted WhatsApp messages, WhatsApp did announce that they would be sharing user metadata with Facebook, for various purposes such as ad-targeting.
5. Telegram
Claiming over 200 million users on both iPhone and Android, Telegram has been steadily growing in popularity since its debut in 2013 and is known for its unique group chat feature that can support up to 100,000 members. Earlier in 2018, however, a clash with the Russian government over the app makers’ refusal to hand over the encryption keys resulted in it being banned in Russia entirely. Telegram has also been viewed as controversial because of its status as the preferred messaging app of ISIS. This has further driven the conversation about what responsibility messaging apps have to work with law-enforcement versus keeping user data fully protected.
Telegram security features
Telegram Cracking Contest
Telegram challenges “hackers” to attempt to break through their encryption and decipher messages, offering a $300,000 reward for anyone who is able to do so. This helps ensure that any potential vulnerabilities will be found and fixed.
Like many other messaging apps, Telegram also offers a Self-Destruct Timer (for Secret Chats only) that will delete private text messages and media within a preset time limit.
Because you can log into Telegram from numerous devices at the same time (web, PC, tablet, smartphone, etc.), the app offers the ability to log out of other sessions from the current device you’re using through the Settings menu. This way, if your device is lost or stolen, you can still make sure your messages are secure.
After your account has been inactive for a certain amount of time (six months being the default), your account will automatically self-destruct, completely wiping clean all of your messages and media.
Telegram security risks
End-to-end encryption isn’t default
You must manually enable Telegram’s “Secret Chat” feature; otherwise, chats are only encrypted between your device and Telegram’s server.
Logging chat data
If you don’t enable the Secret Chat feature, then your chat data is saved on Telegram’s servers. The company claims this is in case you lose your device and want to recover your messages, but from a security standpoint, this is a big no-no.
Possibly flawed encryption technology
Telegram created its own MTProto protocol, instead of using one that is already proven secure, such as the Signal protocol. Many experts have questioned the reasoning behind this, and have expressed skepticism about the lack of transparency surrounding the protocol.
6. Apple iMessage
The instant messaging service developed by Apple Inc., iMessage is supported by the Messenger application on iOS version 5.0 and later. Allowing users to send text, documents, videos, photos, contact information, and group messages over the internet, iMessage is very popular among iPhone users (and can only be used between them). We’ve already gone over tips on how to keep your iPhone safe, but is iMessage actually secure?
iMessage security features
iMessage end-to-end encryption only protects messages between iPhone users (which appear in blue). If you send a message to an Android user for instance, the message is sent as a normal text message (in green) and is not encrypted. Unlike many of the other apps on this list, it seems like Apple won’t be coming out with iMessage for Android. Though iMessage doesn’t directly allow for video or voice calls, its sister app FaceTime does (with encrypted protection).
Many iMessage users are unaware that the app provides a feature that allows you to control how long each photo, video, or message will appear before it’s gone. You can also choose how many times the viewer can see the message. However, the feature is only available with iOS 10 and later.
iMessage security risks
In 2016, researchers at Johns Hopkins University revealed a flaw with Apple’s encryption implementation that could leave iMessages vulnerable to decryption. Later, in 2019, researchers from Project Zero presented 6 high-level exploits that allowed them to use iMessages to take over a user’s device. All these issues were quickly patched, but it does imply the risk of other, unknown vulnerabilities lurking in the code.
If you back up your iMessages to iCloud, these messages are encrypted on iCloud using a key controlled by the company, not you. This means that, if your iCloud is hacked or subpoenaed by a court, they could be revealed. And while Apple has been firm about not creating “back doors” into their system or weakening encryption, they and other tech companies do have a history of cooperating with authorities when it comes to turning over information stored in the Cloud.
7. Facebook Messenger
Facebook’s messaging app is available for both iPhone and Android phones, and provides a convenient way to keep up with friends and family thanks to its sheer popularity.
Facebook Messenger security features
In 2016, Facebook added its Secret Conversations feature to secure messages with the Signal end-to-end encryption protocol (also used by WhatsApp). However, Signal and WhatsApp have end-to-end encryption by default, while Secret Conversations must be activated.
Facebook Messenger security risks
Encryption not by default
As mentioned above, end-to-end encryption for messages must be activated by the user. Messages sent without this feature are encrypted only on the way to Facebook’s server, and then encrypted again on the way to the recipient (whereas end-to-end encryption runs directly between sender and recipient). As a result, a copy of the message remains on Facebook’s servers.
App to avoid: Google Hangouts
Despite being available for free on both iOS and Android, Google Hangouts is riddled with privacy and security concerns. Though it does encrypt hangout conversations, it doesn’t use end-to-end encryption — instead, messages are encrypted “in transit”. This means that they are only encrypted between your device and Google’s servers. Once they are on a server, Google has complete access to them. If ordered to do so, Google can tap into private communication sessions and relay that information to government agencies. And with Google’s Transparency Report revealing that the company does indeed receive and often fulfill requests for customer information, this is a very real concern.
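The difference between encryption “in transit” and end-to-end encryption, as described here and in the Facebook Messenger section, can be shown in a few lines of Node.js. This is an added example, not code from any of the apps reviewed; the names alice, bob and server, the helper functions and the 'demo-chat' label are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Derive a 32-byte AES key from an X25519 shared secret using HKDF-SHA256.
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'demo-chat', 32));
}

// AES-256-GCM encrypts and authenticates, so opening with a wrong key throws.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function unseal(key, msg) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.body), d.final()]).toString('utf8');
}

const party = () => crypto.generateKeyPairSync('x25519'); // hypothetical key holder

// In transit only: each hop is encrypted, but the server decrypts and re-encrypts.
function viaServerInTransit(text) {
  const [alice, server, bob] = [party(), party(), party()];
  const hop1 = seal(sharedKey(alice.privateKey, server.publicKey), text);
  const serverSees = unseal(sharedKey(server.privateKey, alice.publicKey), hop1);
  const hop2 = seal(sharedKey(server.privateKey, bob.publicKey), serverSees);
  const delivered = unseal(sharedKey(bob.privateKey, server.publicKey), hop2);
  return { serverSees, delivered };
}

// End to end: the key is shared by sender and recipient; the server only relays.
function viaServerEndToEnd(text) {
  const [alice, server, bob] = [party(), party(), party()];
  const msg = seal(sharedKey(alice.privateKey, bob.publicKey), text);
  let serverSees = null;
  try {
    // The server can only pair its own private key with a public key it knows.
    serverSees = unseal(sharedKey(server.privateKey, alice.publicKey), msg);
  } catch (e) {
    serverSees = null; // authentication fails: the server never held the right key
  }
  const delivered = unseal(sharedKey(bob.privateKey, alice.publicKey), msg);
  return { serverSees, delivered };
}
```

In the first function the server holds the plaintext between the two hops, which is what allows it to store or hand over messages; in the second it has nothing readable to keep.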
Additionally, images sent via Hangouts are shared through public URLs, meaning that virtually anyone (who knows a thing or two about URLs) can view your private images. This is definitely not the app you should be using to send...sensitive...pics.
How can I stay safe?
We believe everyone has a right to online privacy, and deserves to message their friends and family without worrying about who might be sneaking a peek. In an ideal world, everyone would be using super secure messaging apps like Signal or Wickr to communicate. But with the popularity of less secure or privacy-questionable apps such as Facebook Messenger and WhatsApp, sometimes the middle ground is more convenient. If you do choose to use a less secure messaging app, pair it with VPN protection. A virtual private network encrypts everything you do online, including messaging as well as other tasks that may expose your sensitive personal info like online shopping and banking. We offer AVG Secure VPN for iOS and AVG Secure VPN for Android to keep your information safe on every device.