Encrypted messaging apps have quickly grown in popularity, both in the USA and abroad. They’ve even been at the center of national news stories, including the reporting that members of the 2017 Whitehouse staff were a secure messenger called Confide to leak to the press (and communicate internally).
It turns out, however, that confide may have some serious security holes.
Which raises the question: how do I know which apps are truly secure and trustworthy? And should I be using one for my conversations with friends and family? (Hint: Yes).
This guide is our best effort to answer these questions once and for all.
An introduction to encrypted messaging
Encrypted messaging has been around for decades, but only recently gained mainstream popularity. It used to be primarily a tool of governments employees and employees of companies that work in high-security industries (tech, biotech, aerospace).
But all that changed when the smartphone revolution dovetailed with Edward Snowden’s leaked documents proving the most US and European citizens were being spied on by our own governments, and far more extensively than we thought possible.
What is Encrypted Messaging?
Encrypted messaging is a method of securely sending and receiving text (or voice/video) messages to a friend or contact. The communications are secured using end-to-end encryption, meaning they cannot be read by someone monitoring the communication in-transit. The message will be encrypted (locked with a superstrong password) on the sender’s device and decrypted on the device of the recipient.
It’s an incredibly powerful to communicate securely, using the same technology banks use to protect your data, or the military uses to encrypt communications in the field. And most of the apps are free!
Why you should encrypt your messages
Text messaging is incredibly insecure. Any government or your wireless carrier can easily listen in. If you’re on a public wifi network, your full messages can be intercepted by anyone running free wireshark software on the same network. And cellular networks are still vulnerable to the SS7 flaw which lets basically any technically skilled person spy on unencrypted data on a cellular network.
And then there’s the fact that your wireless carrier almost certainly stores your text communications for months (if not years). Completely innocent text messages can (and have) be taken out of context as evidence to prosecute people for supposed crimes they committed later in life.
But I’ve got nothing to hide, I’m a good citizen right?
Just because you’re not a criminal doesn’t mean you shouldn’t care about privacy. Our communications are private thoughts, concerns and opinions. They often contain personal pictures, data (addresses, phone #’s), and other things we wouldn’t like made public.
And anytime you send/receive something over the internet, it gets transmitted over communication lines that you don’t control. You’ll likely never see the path your messages take across the internet or who is storing them. Encryption puts the control back in your hands. Privacy is a right but you need to exercise it.
Signal Private Messenger (iOS/Android/Chrome) | Free
Signal is still the encrypted messaging standard. While other existing messaging apps are adding encryption capabilities, Signal was built from the ground-up to be as secure as possible. Despite all the recent hype around apps like Confide, Signal is the gold standard. And it’s FREE.
And it’s an open-source project, meaning the code can be publicly inspected for bugs, backdoors, or any sort of undisclosed logging. Other apps (like Facebook messenger or Whatsapp are closed-source, so you have to place all your trust in a corporation (not great).
Signal is a end-to-end encrypted messaging app that also supports encrypted voice and video calls. It uses a proprietary double-ratchet encryption method that has been publicly reviewed and tested for security.
Signal also lets you verify your public encryption keys and match them to your contacts in person, to ensure your communications aren’t being tampered with. This prevents man in the middle attacks.
- End-to-End encryption
- Communications stored on your device, not on Signal’s servers
- Text, Voice, and Video Chat
- Validated cryptographic algorithm
- Prevent Man-in-the-middle attacks by verifying encryption keys
- Group texting
Interface and Requirements
Signal is designed for Mobile devices (not tablets) and requires you to have a phone number in order to use the app and identify contacts. VOIP numbers (like google voice) do work, and you don’t have to use the same phone# as your device. You could use a landline phone number for your mobile app.
Security & Verdict
Signal is considered incredibly secure and unlike other ‘secure’ messaging apps, no major vulnerabilities for signal have been identified by researchers. The Intercept (a leading privacy/whistleblower site) regards Signal as the best publicly available app. The Intercept also has helpful tips on locking down Signal for maximum security.
Perhaps the most compelling evidence of Signal’s security is disinformation and ‘leaks’ attempting to paint it as compromised, countries ban or block it. Until a crypto-researcher publishes evidence of a backdoor or flaw, you should consider it quite safe.
What the Experts say:
Renowned security expert Bruce Schneier has given Signal his top rating among encrypted messaging apps. And even blogged about it’s adoption by the US senate as a security tool. In other-words, the U.S. government regards Signal as highly secure. You should too.
Bottom Line: Signal is currently the most secure and trustworthy encrypted messaging app. It is feature-rich and completely free. Get it.
Whatsapp (Android, iOS) | Free
Whatsapp is the world’s most popular 3rd-party messaging app, and is now one of the most secure since they added an end-to-end encryption option in 2016. All Whatsapp messages are now encrypted by default as long as you and your contact are on a recent version of the app.
Whatsapp uses the same double-ratchet encryption method as Signal, though it is implemented slightly differently which has given some experts concern about the potential for a government to intercept/decrypt messages with Whatsapp’s help.
It should be noted that Whatsapp is now owned by Facebook, which is not exactly a privacy hub. Most of Facebook’s revenue is derived directly from renting/selling demographic marketing data to advertisers. So TRUE privacy may not be in their financial best interest. You’ve been warned.
Whatsapp lets you text, call, or send video to contacts worldwide. And it’s completely free. It also includes multimedia and group messaging features. There are no fees for international calls/texts and calls use your data rather than phone minutes.
- Uses Signal’s double-ratchet encryption technology
- Full-time end-to-end encryption (if you’re running current/recent app version)
- Group messaging
Whatsapp was applauded when they announced that they would be using the same encryption scheme as Signal to secure communications. There are a few notable differences in the implementation, however, that have drawn concern by experts.
The Guardian reported that Whatsapp may update encryption keys of your contacts without notifying you in-chat that anything has changed. This may even allow them to decrypt and re-encrypt previous texts with the new keys. Reportedly this decision was made to avoid problems if your contacts change phones or sim cards in the future.
The problem is that an attacker (such as the NSA) could initiate a man-in-the-middle attack with Facebook/Whatsapp’s help and intercept or even tamper with encrypted communications.
Unlike Signal, Whatsapp may keep communications metadata on their servers. Metadata includes things like your IP address, timestamps, and identity of your contact. Your encrypted communications also pass through their servers, though Whatsapp says that they don’t actually store the encrypted communications, and Quora seems to agree.
Summary & Verdict
While it may have some possible security concerns, an encrypted Whatsapp is better than a non-encrypted one. And while an app like Signal is definitely more secure than Whatsapp, it’s hard to convince your friends and family to install another messaging app.
Whatsapp is incredibly popular (more than 1 billion users worldwide) so there’s a good chance that most of your important contacts are already on it. So for run of the mill personal communications, Whatsapp’s encryption should be more than adequate.
If we’re talking whistleblower secrets level stuff, opt for Signal.
Bottom Line: Whatsapp encryption is solid, and most of your contacts probably already use the app. There are some privacy data-sharing concerns with Facebook’s ownership, but it should be secure from outside hackers. It’s a great choice for low to medium security uses.
Telegram is one of the more popular messaging apps. They boast 100 million + users, and is cross-platform capable. In fact, they claim a ‘Native app for every platform.’
Telegram is partially open-source and while their app is capable of some genuinely cool stuff, it takes a little extra work to maximize security. For example, the default encryption scheme for convos is server-to-device encryption rather than true end-to-end encryption like Whatsapp & signal.
You can turn on end-to-end encryption and even set conversations to self-destruct, but this isn’t the default and your contacts need to choose the same setting.
Telegram’s main strength is it’s incredible feature list and support across multiple devices. Of course extra features sometimes bring tradeoffs in security.
Here the main highlights:
- iOS/Android/Windows/Mac/Linux/Web app/Firefox support
- All messages encrypted (but only ‘Secret Chats’ use end-to-end encryption)
- Group chat mode
- Sync chats across multiple devices
- Cloud feature so you can access saved chats from anywhere
- Self-destruct feature for sensitive short-term messaging
- An API allows for 3rd-party apps and additional functionality
Telegram is a mixed bag when it comes to privacy and security. Here are the major concerns:
Cloud Storage and server encryption
By default Telegram uses a ‘cloud’ model, meaning all chats are stored on Telegram’s servers. Worse, by default conversations are encrypted between the cloud server and each user, not from user-to-user. This means that Telegram holds the encryption keys and can read (spy on) any cloud conversation.
Sure, the cloud is useful because it lets you sync conversations between devices, but it’s also a huge security hole. The whole point of encrypted messaging is that nobody (including the messenger app) can spy on them.
Telegram does have an end-to-end encrypted option called ‘Secret Chats.’ Secret chats work very similar to Signal/Whatsapp end-to-end encryption. The only problem is you have to manually create a secret chat session. Just like Facebook messenger’s encryption option, it’s not the default.
Man in the middle attacks
Telegram is vulnerable to man-in-the-middle attacks because it doesn’t allow you to verify the private key or identity of your contacts when messaging them. This means an attacker could theoretically intercept or alter messages prior to delivery and you wouldn’t know.
The EFF encryption scorecard also notes that past conversations could be vulnerable if encryption keys are compromised because Telegram doesn’t use forward secrecy for different chats. On a positive note, Telegram’s code has been inspected for security but there are still real concerns.
Other security concerns
Though Telegram’s encryption is built upon standard algorithms like 256-bit AES, their custom implementation (called MTProto) hasn’t been rigorously tested by cryptographic researchers. Professor Alan Woodward called the algorithm ‘Homegrown’ and criticized the lack of transparency around its development.
Which raises the question: why use some homemade encryption scheme when there are perfectly good peer-reviewed algorithms available. It’s at least suspicious if not actually nefarious.
Finally, according to Gizmodo, Telegram’s servers aren’t encrypted at rest. This means that any conversations stored in the cloud are unencrypted.
Telegram has alot of features and it’s nice that you can sync between devices, but there is a big tradeoff when it comes to security. Conversations don’t use end-to-end encryption by default. Worse, Telegram uses a non-validated encryption mechanism that researchers find concerning.
Bottom Line: Telegram might be better than nothing, but it’s definitely not bulletproof. If want high-security messaging, look elsewhere.
Confide is an encrypted messenger with a ‘self destructing’ message feature. It rocketed to mainstream usage when major news outlets reported that the Trump white house and staffers were using it for internal communications as well as external leaks.
Unfortunately Confide has been deemed a ‘triumph of marketing over substance’ by famed security researcher Alan Woodward. As such, Confide may have been a poor choice for such high stakes White House communications. Casual users should use caution as well.
Confide’s feature set is reminiscent of Snapchat. Top features include:
- One-time (ephemoral) messages that disappear after they are viewed.
- End-to-end encryption
- Document and photo sharing
- Screenshot protection (designed to prevent screenshotting of conversations).
Platforms: Confide is available as a standalone app for Windows, Mac, iOS, Android. It even works on Apple watch.
Confide’s code is completely closed-source (can’t be inspected or validated for security). Security researchers have raised numerous concerns about Confide’s security, exposing serious flaws in their security implementation.
Confide uses the OpenSSL library of encryption algorithms to encrypt conversations. OpenSSL is open-source and regarded as high-quality free encryption library. The only problem? Confide was using an insecure version dating back to 2014 that had over 60 known security flaws.
Serious App Vulnerabilities
Crypto researchers have raised attention about some absolutely critical security flaws in the Confide app and security implementation. Some (but possibly not all) of these vulnerabilities has since been patched.
Non-Validated SSL Certificate:
Apparently previous versions of the Confide app didn’t verify whether clients were using a valid TLS/SSL certificate. This means an attacker could forge their own certificate and intercept or modify messages.
Vulnerable Client Database
Confide didn’t have any protection against brute-forcing passwords (guessing multiple username/password combinations rapidly). Researchers were able to gain access to 7,000 user records in the Confide database before the intrusion was noticed.
For it’s part, Confide’s team put out a statement, stating:
…Not only have these issues been addressed, but we also have no detection of them being exploited by any other party. Privacy and security is always an ongoing process. As vulnerabilities arise, we remain committed to addressing them quickly and efficiently, as we have done in this and every instance.
Facebook Messenger Secret Conversations
Facebook (which also owns whatsapp) also release an end-to-end encryption feature for their Facebook messenger. The feature, called ‘Secret Conversations’ allows you to use end-to-end encryption for certain chats within the main messenger interface. To use this feature, both you and your contact must have the feature enabled.
The functionality and implementation is very similar to Whatsapp’s, and has the same vulnerabilities.
- end-to-end encryption using similar protocol to signal
- Can use ‘secret’ conversations with any Facebook friend that has the feature enabled
- Ability to create ‘self-destructing’ chats that disappear after being viewed.
- Functionality identical to normal Facebook chats
The encryption method used for secret chats is based on the double-ratchet encryption used by Signal and very similar to the implimentation used by Facebook-owned Whatsapp.
The main security concern with Facebook messenger is the ability to rescind and reissue encryption keys mid-conversation. In theory, this is designed for user-friendliness so that you don’t lose your conversations if you or your friends switch devices or Sim cards. In practice this is a real security concern, mainly because Facebook could issue new keys to an attacker instead, allowing a man-in-the middle attack.
This likely isn’t an issue for the average user, but if you were chatting about something that has national security importance, it’s pretty unlikely that Facebook’s secret chats are secure enough.
As a safety measure, The ‘Secret Conversations’ option allows you to compare public keys with your contacts in person to verify that they haven’t changed. In practice, most users never do this (because it requires you to be in the same physical location).
‘Secret’ chats are more secure than standard Facebook messaging, but it’s owned by a for-profit company that makes money by monetizing user data. There’s also a clear man-in-the middle vulnerability. It’s a nice option for casual users because it’s one of the most popular messengers and all your friends are probably on facebook. But for real security, try Signal.
Bottom Line: It’s convenient, and a decent security upgrade vs standard chats. But it’s not bulletproof (nor is it likely meant to be). Use it for off-color conversations with friends but you can safely assume that Facebook (or the NSA) could read the entire conversation if they really wanted to.
Conclusion and overall rankings
As you can see, these encrypted messaging apps run the full gamut in terms of features/functionality and security. Usually they are tradeoffs between the two, we believe Signal offers the best combination of the two.
You may not get cloud sync (insecure) and the ability to carry conversations between devices, but you do get rock solid security and an open-source (read: verifiably secure) messaging ecosystem.
Here are current rankings of the apps featured in this guide. Our rating is subjective, but factors in overall functionality of the app while prioritizing security and privacy.
- Signal: Works on all devices, open source, solid security/cryptography
- Whatsapp: Minor concerns (and privacy issue of being Facebook-owned) but benefits from a massive user-base, full-time end-to-end encryption, and it’s totally free.
- Facebook Secret Conversations: The security is almost identical to Whatsapp. The main annoyance is your contacts have to enable secret chats and actually use them. It’s not ‘always-on’ encryption like Whatsapp
- Confide: The number of security holes researches have found is pretty terrifying. The company has shown an effort to patch vulnerabilities as the arise, but we’d rather see fewer bugs in the first place. The feature set isn’t amazing, so there’s no compelling reason to ever choose Confide over Signal (unless you want to message Sean Spicer).
- Telegram: Where to begin…lax security, you don’t control your encryption keys, messages are stored unencrypted in Telegram’s cloud, and they use non-validated encryption algorithms for some unexplicable reason. The list of features is quite strong, so if security isn’t a concern it may be worth a look. But if your specifically looking for a secure messaging app, look elsewhere.
What’s your favorite app for secure messaging? What did we miss? Hit up the comments and let us know.