Messaging apps have become a de facto standard for communication. With so many options out there, it’s hard to choose which app should become the main means to chat with friends.
However, with huge data breaches and government surveillance scandals becoming commonplace, you have more reason to worry about how secure your conversations are and who has access to the private and personal information you share with your friends, family, and colleagues.
While there are a lot of articles that will rank messaging apps based on their level of security, in this one, we’ll take a different approach and familiarize you with the basics of messaging security, and let you judge for yourself how secure your favorite app is.
Not all encryption is created equal
The most basic form of protecting your messages is encrypting them, i.e., scrambling the text to protect it from prying eyes. You’ll be hard-pressed to find an app that doesn’t encrypt messages in one way or another.
But not every form of encryption is safe.
Messages encrypted with keys that are stored by the service provider will be decipherable by hackers that break into the servers or government agencies that knock on their door with a search warrant.
In contrasts, end-to-end encryption (E2EE) is an encryption technology where the keys are stored on user devices instead of centralized servers. E2EE ensures that only the intended recipient of the message will be able to read the message, and that it cannot be intercepted by the accessing server or networks via which it is sent.
Not every messaging app has end-to-end encryption. Examples include Microsoft Skype, Google Hangouts, and Tencent WeChat, which has a large user-base in China.
Signal (Apple and Android) by Open Whisper Systems, on the other hand, is one of the pioneers of end-to-end encrypted messaging and is providing security for other popular software. Other apps with end-to-end encryption include Facebook’s WhatsApp, Apple’s iMessage, and Viber.
Be careful, though, not every app that features end-to-end encryption have it activated by default. Examples include Facebook Messenger, Snapchat, and the new Google Allo.
Signal, WhatsApp, Facebook Messenger, Snapchat, Allo, and Viber are all available for both Apple‘s iOS and Android, but iMessage is only available for iOS.
So, in terms of encryption, first make sure that the app you use features end-to-end encryption; and second, make sure it’s activated by default. If it’s not, turn it on.
Can you delete?
Another factor that, while not as important as end-to-end encryption, is important nonetheless: how long the message you send will be stored.
Some apps store messages indefinitely and do not allow users to delete them, which isn’t a good thing.
Other messaging apps, such as Facebook Messenger, enable you to delete entire conversations, but only from your own inbox. You don’t have the power to delete messages from the inbox of a friend you’ve chatted with. This can become problematic if the devices or account of a friend is hijacked by a malicious actor and they gain access to their chat logs.
Gliph is a messaging app that offers a “real delete” function, which will enable you to permanently delete messages from both the sending and receiving devices.
Signal and Wickr allow you to set timeouts for your conversations. Messages that become older than the specified interval will be automatically deleted from all of the devices that are taking part in the conversation.
Remember: While real deletes and auto-deleting messages offer an added measure of security for cases where a device or account used for sensitive messaging falls into the wrong hands, it will not protect you when you’re chatting with an adversary. They can very well take a picture or copy of the chat log before it disappears.
Keep it transparent
Developers who are open about the inner workings of their software offer more secure and reliable applications. This is true for apps that are offered as open-source, which means the programming source code is offered to all for examination and scrutiny.
Experts can thus vet the code to confirm the correct implementation of security protocols and make sure that the app has not been inflicted with backdoors, secret entrances that allow government agencies and hackers to circumvent the app’s encryption and security.
Signal and ChatSecure are examples of open-source messaging apps.
Developers that don’t offer their application as open source have a harder time convincing their audience that their product is totally secure.
Metadata, metaviolated
While a messaging app might profess encrypting the contents of your messages, the feature might not extend to all the information that goes with those messages and the users.
Some messaging apps such as WhatsApp store timestamps, sender and recipient information, account phone numbers, and possibly your contact list on their servers. While unwanted parties accessing the servers might not be able to read the text of your messages, they’ll still be able to access a trove of associated metadata.
On the other hand, Signal and Wickr store very little metadata. According to Moxie Marlinspike, the funky developer of Signal, the closest piece of information to metadata that the Signal server stores is the last time each user connected to the server, and the precision of this information is reduced to the day, rather than the hour, minute, and second.
What is the most secure messaging app?
There are different opinions about which messaging app is more secure. You can find some good options here. Amnesty International has also ranked some of the most popular messaging platforms by security here.
My personal recommendation (if you haven’t guessed it already) is Signal, the app that has been favored by some of the most distinguished figures in privacy and cryptography, including NSA whistleblower Edward Snowden and cybersecurity expert Bruce Schneier.
But Signal is not necessarily the most popular app, and your friends might not be using it. So if you’re going to stick to your current messaging app and you care about your privacy, you can now at least know how secure it is and what you’re in for.
Ben Dickson is a software engineer and the founder of TechTalks. Follow his tweets at @bendee983