Secure Messaging Apps Comparison | Privacy Matters

Overview

Fourteen apps are compared. The column headings did not survive extraction; the apps are identified here from the Funding, jurisdiction and audit rows in the Details section, and are listed in the order the original table uses: Google Messages, iMessage, Facebook Messenger, Element (Matrix), Signal, Telegram, Threema, Viber, WhatsApp, Wickr, Wire, Session, SimpleX, Twitter.

Is the app recommended to secure my messages and attachments?
  Yes: Signal, Threema, Wire, Session, SimpleX
  No: Google Messages, iMessage, Facebook Messenger, Element, Telegram, Viber, WhatsApp, Wickr, Twitter

Main reasons why the app isn't recommended / improvements to apps that are recommended

Google Messages (not recommended):
  Named as NSA partner in Snowden revelations
  Makes money from personal data
  Data not protected, or not all data protected
  No independent, recent code audit and security analysis

iMessage (not recommended):
  Named as NSA partner in Snowden revelations
  Data not protected, or not all data protected
  No independent, recent code audit and security analysis

Facebook Messenger (not recommended):
  Named as NSA partner in Snowden revelations
  Messages can be read by Facebook if marked as "abusive"
  Encryption not enabled by default
  Makes money from personal data
  Data not protected, or not all data protected
  No independent, recent code audit and security analysis

Element (not recommended):
  No independent, recent code audit and security analysis

Signal (recommended; suggested improvement):
  Remove the mandatory requirement for users to sign up with a mobile number

Telegram (not recommended):
  Bespoke cryptography
  Encryption not enabled by default
  Data not protected, or not all data protected

Threema (recommended; suggested improvements):
  Make APIs and server code open source
  Provide more comprehensive independent assessments of security/privacy

Viber (not recommended):
  Data not protected, or not all data protected
  No independent, recent code audit and security analysis
  Closed source

WhatsApp (not recommended):
  Named as NSA partner in Snowden revelations
  Messages can be read by Facebook if marked as "abusive"
  Makes money from personal data
  Data not protected, or not all data protected
  No independent, recent code audit and security analysis
  Closed source

Wickr (not recommended):
  Former NSA chief Keith Alexander is on Amazon's board of directors
  Funded by the CIA
  Recent security audits are not public
  Has contracts with the US government
  Closed source

Wire (recommended; suggested improvements):
  Further limit metadata storage and logging
  Provide more comprehensive independent assessments of security/privacy

Session (recommended; suggested improvements):
  Implement perfect forward secrecy at the end-to-end encryption layer
  Provide more comprehensive independent assessments of security/privacy

SimpleX (recommended; suggested improvement):
  Provide more comprehensive independent assessments of security/privacy

Twitter (not recommended):
  End-to-end encryption not implemented for all users and group chats
  No implementation details
  No comprehensive independent assessments of security/privacy
  Closed source
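One of the improvements listed above is to drop the mandatory mobile number, and the Details section asks whether personal information such as the mobile number is "hashed" before it reaches a directory server. The following Python is an added illustration, not code from the page or from any of the apps, of why a plain SHA-256 hash of a phone number protects almost nothing: the space of possible numbers is small enough to enumerate, so whoever holds the uploaded hashes can recover the numbers. The numbering range, the contact list and the key are constructed for the example; the keyed HMAC variant is shown only as a contrast, as a value the table builder cannot precompute.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed numbering range for the example: "+15550" followed by five digits,
# i.e. 100 000 possible numbers. A real attacker enumerates an entire national
# numbering plan (a few billion numbers), which is still cheap on one machine.
PREFIX = "+15550"
SUFFIX_DIGITS = 5
RANGE_SIZE = 10 ** SUFFIX_DIGITS


def sha256_hex(number: str) -> str:
    """The 'hashed' form a naive client would upload for contact discovery."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def build_reverse_table(prefix: str = PREFIX, size: int = RANGE_SIZE) -> Dict[str, str]:
    """Precompute hash -> number for every number in the range. No space/time
    trade-off is needed because the input space is tiny."""
    table: Dict[str, str] = {}
    for i in range(size):
        number = f"{prefix}{i:0{SUFFIX_DIGITS}d}"
        table[sha256_hex(number)] = number
    return table


def recover_numbers(uploaded_hashes: List[str], table: Dict[str, str]) -> List[Optional[str]]:
    """What the directory server, or anyone who obtains its data, can do with the upload."""
    return [table.get(h) for h in uploaded_hashes]


def keyed_hash(number: str, key: bytes) -> str:
    """HMAC-SHA256 under a key the table builder does not know: not precomputable."""
    return hmac.new(key, number.encode("ascii"), hashlib.sha256).hexdigest()


def demo() -> dict:
    # Constructed contact list a client "protects" by hashing before upload.
    contacts = ["+1555012345", "+1555098765", "+1555000042"]
    uploaded = [sha256_hex(n) for n in contacts]

    table = build_reverse_table()
    recovered = recover_numbers(uploaded, table)

    # Same numbers under a random 256-bit key: the precomputed table is useless.
    key = secrets.token_bytes(32)
    keyed = [keyed_hash(n, key) for n in contacts]
    keyed_hits = recover_numbers(keyed, table)

    return {
        "recovered": recovered,    # ['+1555012345', '+1555098765', '+1555000042']
        "keyed_hits": keyed_hits,  # [None, None, None]
        "table_size": len(table),  # 100000
    }


if __name__ == "__main__":
    print(demo())
```

The keyed variant is not a fix for contact discovery: a server that holds the key so it can still match contacts between users can run the same enumeration itself, so keying only protects against a party who obtains the data without the key. That is the sense in which hashing, on its own, is a weak answer to the question the table asks, and why not collecting the number at all is the stronger position.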

Details (the same fourteen apps, in the same order as in the Overview)

Company jurisdiction
  USA: Google Messages, iMessage, Facebook Messenger, Signal, WhatsApp, Wickr, Twitter
  UK: Element, SimpleX
  USA / UK / Belize / UAE: Telegram
  Switzerland: Threema, Session
  Luxembourg / Japan: Viber
  USA / Switzerland: Wire

Implicated in giving customers' data to intelligence agencies?
  Yes: Google Messages, iMessage, Facebook Messenger, WhatsApp, Twitter
  No: Element, Signal, Telegram, Threema, Viber, Wickr, Wire, Session, SimpleX

Surveillance capability built into the app?
  No: all fourteen

Does the company provide a transparency report?
  Yes: Google Messages, iMessage, Facebook Messenger, Signal, Threema, Wickr, Wire, Session, SimpleX, Twitter
  No: Element, Telegram, Viber, WhatsApp

Company's general stance on customers' privacy
  Good: Element, Signal, Threema, Wire, Session, SimpleX
  Poor: Google Messages, iMessage, Facebook Messenger, Telegram, Viber, WhatsApp, Wickr, Twitter

Company collects customers' data? (rated)
  Good: Element, Signal, Threema, Wire, Session, SimpleX
  Poor: Google Messages, iMessage, Facebook Messenger, Telegram, Viber, WhatsApp, Wickr, Twitter

Funding
  Google Messages: Google
  iMessage: Apple
  Facebook Messenger: Facebook
  Element: New Vector Limited
  Signal: Freedom of the Press Foundation, The Knight Foundation, The Shuttleworth Foundation, The Open Technology Fund, Signal Foundation (Brian Acton)
  Telegram: Pavel Durov
  Threema: User pays / Afinum Management AG
  Viber: Rakuten; friends and family of Talmon Marco (very unclear)
  WhatsApp: Facebook
  Wickr: Amazon; the CIA
  Wire: Janus Friis, Iconical, Zeta Holdings Luxembourg, Morpheus Ventures
  Session: LAG Foundation Ltd
  SimpleX: venture capital fund Village Global
  Twitter: Twitter

App collects customers' data?
  Google Messages: Yes (difficult to assess, given the app is integrated into Google's greater ecosystem)
  iMessage: Yes (difficult to assess, given the app is integrated into Apple's greater ecosystem)
  Facebook Messenger: health & fitness / purchases / financial info / location / contact info / contacts / user content / search history / browsing history / identifiers / usage data / sensitive info / diagnostics / other data
  Element: contact info / contacts / identifiers / diagnostics / user content (contact info not sent when using anonymously)
  Signal: contact info
  Telegram: contact info / contacts / identifiers
  Threema: contact info / identifiers / diagnostics (contact info not sent when using anonymously)
  Viber: location / identifiers / purchases / contact info / contacts / usage data / user content / diagnostics
  WhatsApp: purchases / financial info / location / contact info / contacts / user content / identifiers / usage data / diagnostics
  Wickr: contact info / identifiers / diagnostics (contact info not sent when using anonymously)
  Wire: contact info / identifiers / usage data / diagnostics
  Session: No
  SimpleX: No
  Twitter: purchases / location / contact info / contacts / user content / search history / browsing history / identifiers / usage data / diagnostics

User data and/or metadata sent to parent company and/or third parties?
  Yes: Google Messages, iMessage, Facebook Messenger, Telegram, Viber, WhatsApp, Wire, Twitter
  Minimal: Signal (mandatory mobile number sent to a third party for registration and recovery)
  No: Element (user data is sent to a third party if a payment is made), Threema (optional mobile number sent to a third party for registration), Wickr (optional mobile number sent to a third party for registration), Session, SimpleX

Is encryption turned on by default?
  Yes: Google Messages, iMessage, Element, Signal, Threema, Wickr, Wire, Session, SimpleX
  Yes, if the device supports it: Viber, WhatsApp
  No: Facebook Messenger, Telegram, Twitter

Cryptographic primitives (key agreement / cipher / MAC or hash)
  Google Messages: Curve25519 / AES-256 / HMAC-SHA256
  iMessage: P-256 ECDH & Kyber-768/1024 / AES-256 / HMAC-SHA384
  Facebook Messenger: Curve25519 / AES-256 / HMAC-SHA256
  Element: Curve25519 / AES-256 / HMAC-SHA256
  Signal: Curve25519 & Kyber-1024 / AES-256 / HMAC-SHA256/512
  Telegram: RSA 2048 / AES 256 / SHA-256
  Threema: Curve25519 256 / XSalsa20 256 / Poly1305-AES 128
  Viber: Curve25519 256 / Salsa20 128 / HMAC-SHA256
  WhatsApp: Curve25519 / AES-256 / HMAC-SHA256
  Wickr: ECDH512 / AES-256 / HMAC-SHA256
  Wire: Curve25519 / ChaCha20 / HMAC-SHA256
  Session: X25519 / XSalsa20 256 / Poly1305
  SimpleX: Curve25519 & sntrup761 1158 / XSalsa20 256 / Poly1305
  Twitter: no entry (no implementation details published)

Are the app and server completely open source?
  Yes: Element (clients Element / Riot, server/API matrix.org), Signal, Wire, Session, SimpleX
  No: Google Messages, iMessage, Facebook Messenger, Telegram (clients and API only), Threema (apps only), Viber, WhatsApp, Wickr, Twitter

Are reproducible builds used to verify apps against source code?
  Android only: Signal, Threema
  iOS and Android: Telegram
  No: Google Messages, iMessage, Facebook Messenger, Element, Viber, WhatsApp, Wickr, Wire, Session, SimpleX, Twitter

Can you sign up to the app anonymously?
  Yes: Element, Threema, Wickr, Session, SimpleX
  No: Google Messages, iMessage, Facebook Messenger, Signal, Telegram, Viber, WhatsApp, Wire, Twitter

Can you add a contact without needing to trust a directory server?
  Yes: Threema, Viber, Session, SimpleX
  No: iMessage, Facebook Messenger, Element, Signal, Telegram, WhatsApp, Wickr, Wire, Twitter
  N/A: Google Messages (uses RCS, which doesn't use a directory service)

Can you manually verify contacts' fingerprints?
  Yes: all except Telegram
  No: Telegram (session only, does not provide users' fingerprint information)

Directory service could be modified to enable a MITM attack?
  Yes: all except Google Messages
  N/A: Google Messages (uses RCS, which doesn't use a directory service)

Does the app generate & keep a private key on the device itself?
  Yes: Google Messages, iMessage, Facebook Messenger, Element, Signal, Telegram, Threema, Viber, WhatsApp, Wickr, Wire, Session, SimpleX
  Twitter: no entry

Can messages be read by the company?
  Yes: Facebook Messenger, Telegram, WhatsApp
  No: Google Messages, iMessage, Element, Signal, Threema, Viber, Wickr, Wire, Session, SimpleX
  Twitter: no entry

Does the app enforce perfect forward secrecy?
  Yes: Google Messages, iMessage, Facebook Messenger, Element, Signal, Threema, Viber, WhatsApp, Wickr, Wire, SimpleX
  No: Telegram (session keys do change after being used 100 times), Session
  Twitter: no entry

Does the app use TLS/Noise to encrypt network traffic?
  Yes: all except Telegram
  No: Telegram

Have there been a recent code audit and an independent security analysis?
  Yes: Signal (many in the last few years), Telegram (November 2015), Threema (October 2020), Wickr (August 2014), Wire (March 2018), Session (April 2021), SimpleX (November 2022)
  No: Google Messages, iMessage, Facebook Messenger, Element (Matrix's encryption library has been reviewed by an independent party), Viber, WhatsApp, Twitter

Is the design well documented?
  Somewhat: iMessage, Facebook Messenger, Element, Signal, Telegram, Threema, Viber, WhatsApp, Wickr, Wire, Session, SimpleX
  No: Google Messages, Twitter

Does the app have self-destructing messages?
  Yes: Facebook Messenger, Signal, Telegram, Viber, WhatsApp, Wickr, Wire, Session, SimpleX, Twitter
  No: Google Messages, iMessage, Element, Threema

For the following rows, fewer cells survived extraction than there are apps, or the cells do not line up with the column order above, so their values are given in the order extracted, without app labels.

Infrastructure jurisdiction: worldwide (rollout on-going, unsure of exact locations, most likely Google Cloud regions); USA (Ireland and Denmark planned), iMessage runs on AWS and Google Cloud; USA, Sweden (Ireland planned); UK (and potentially all jurisdictions, given it is a decentralised messaging platform); USA; UK, Singapore, USA and Finland; Switzerland; USA; USA (unsure of other locations); USA (unsure of other locations); messages: worldwide (uses de-centralised servers), attachments: centralised server in Canada; worldwide (uses de-centralised servers); worldwide (uses de-centralised servers); USA, worldwide (unsure of other locations).

Do you get notified if a contact's fingerprint changes? Yes; Yes; Yes; No (session only, does not provide users' fingerprint information); Yes; Yes; No (setting turned off by default); Yes; if the contact was previously verified; N/A; N/A.

Is personal information (mobile number, contact list, etc.) hashed? N/A (Google Messages uses RCS, which doesn't use a directory service); No; No; Yes; Mostly; No (session only, does not provide users' fingerprint information); Yes; No; No (setting turned off by default); Yes; Mostly; N/A; N/A.

Does the app encrypt metadata? No; No; No; Yes; No; Yes; No; Yes; Mostly; Yes; Yes.

Does the app use certificate pinning? Yes (>= iOS 9.3); Yes; Yes; Yes; Yes; Yes.

Does the app encrypt data on the device? (iOS and Android only) No; Yes (if passphrase enabled); Yes; Yes (if passphrase enabled); iOS: Yes (if passphrase enabled), Android: Yes (if master key set in the app); iOS: Yes (if passphrase enabled), Android: Yes (unsure of function); Yes; Yes; Yes.

Does the app allow local authentication when opening it? No; No; Yes; No; Yes; Yes; Yes; No; Yes; Yes; Yes; Yes.

Are messages encrypted when backed up to the cloud? Yes (>= Android P); Yes; Yes; N/A (Signal is excluded from iCloud/iTunes and Android backups, and offers an opt-in, end-to-end encrypted backup service); Yes; iOS: Yes / Android: Yes; N/A (Wickr is excluded from iCloud/iTunes and Android backups); N/A (Wire is excluded from iCloud/iTunes and Android backups); N/A (Session is excluded from iCloud/iTunes and Android backups).

Does the company log timestamps/IP addresses? Yes; Yes; No; Yes; No; Yes; Yes; No; Some; No; No; Yes.
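Three rows in the table hang together: whether you can verify a contact's fingerprint manually, whether a directory server could be modified to mount a MITM attack, and whether the app warns you when a contact's key changes. The following Python is an added example, not taken from the page or from any of the apps listed, of the client-side logic those rows describe: the client pins the first key it sees for each contact, renders a fingerprint for out-of-band comparison, refuses to silently accept a different key later, and is still fooled when it has no history for a contact, which is exactly the case manual verification exists for. The directory server, the contact names and the keys are all constructed for the example; the fingerprint format is an illustrative one, not any particular app's safety-number scheme.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def fingerprint(public_key: bytes) -> str:
    """Render a public key as a human-comparable fingerprint.
    Illustrative format: SHA-256 as 64 hex chars in blocks of four (not any app's exact scheme)."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class DirectoryServer:
    """Constructed stand-in for the key/directory server that every non-decentralised
    app in the table relies on. It maps contact identifiers to public keys and can be
    made malicious, after which it serves an attacker's key for a chosen contact."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._substituted: Dict[str, bytes] = {}

    def register(self, contact: str, public_key: bytes) -> None:
        self._keys[contact] = public_key

    def substitute(self, contact: str, attacker_key: bytes) -> None:
        """The MITM the table asks about: lookups now return the attacker's key."""
        self._substituted[contact] = attacker_key

    def lookup(self, contact: str) -> bytes:
        return self._substituted.get(contact, self._keys[contact])


@dataclass
class PinnedKey:
    public_key: bytes
    verified: bool = False  # set only after an out-of-band fingerprint comparison


@dataclass
class Client:
    """Trust-on-first-use key store for one user's device."""
    pins: Dict[str, PinnedKey] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def resolve(self, directory: DirectoryServer, contact: str) -> bytes:
        """Fetch a contact's key; pin it on first sight; alert if it later changes."""
        served = directory.lookup(contact)
        pinned = self.pins.get(contact)
        if pinned is None:
            self.pins[contact] = PinnedKey(served)  # TOFU: nothing to compare against
            return served
        if served != pinned.public_key:
            # The "notified if a contact's fingerprint changes" row is this branch.
            self.alerts.append(
                f"{contact}: key changed (previously verified={pinned.verified}); "
                f"was {fingerprint(pinned.public_key)[:19]}..., now {fingerprint(served)[:19]}..."
            )
            return pinned.public_key  # keep the old pin; a new key is not trusted until re-verified
        return pinned.public_key

    def verify_out_of_band(self, contact: str, fingerprint_shown_in_person: str) -> bool:
        """Manual verification: compare the pinned key against what the contact shows you directly."""
        pinned: Optional[PinnedKey] = self.pins.get(contact)
        ok = pinned is not None and fingerprint(pinned.public_key) == fingerprint_shown_in_person
        if ok:
            pinned.verified = True
        return ok


def demo() -> dict:
    # Constructed identity keys: random bytes stand in for X25519 public keys.
    bob_key = secrets.token_bytes(32)
    attacker_key = secrets.token_bytes(32)

    directory = DirectoryServer()
    directory.register("bob", bob_key)

    alice = Client()
    first = alice.resolve(directory, "bob")                            # pinned, unverified
    verified = alice.verify_out_of_band("bob", fingerprint(bob_key))   # Bob shows Alice his fingerprint

    directory.substitute("bob", attacker_key)                          # server turns malicious
    second = alice.resolve(directory, "bob")                           # change detected, old key kept

    newcomer = Client()                                                # has never talked to Bob
    newcomer_key = newcomer.resolve(directory, "bob")                  # pins the attacker's key, no alert
    newcomer_caught = not newcomer.verify_out_of_band("bob", fingerprint(bob_key))

    return {
        "first_is_bob": first == bob_key,
        "verified": verified,
        "second_is_bob": second == bob_key,
        "attacker_key_accepted": second == attacker_key,
        "alert_count": len(alice.alerts),
        "newcomer_pinned_attacker": newcomer_key == attacker_key,
        "newcomer_alerts": len(newcomer.alerts),
        "newcomer_caught_by_verification": newcomer_caught,
    }


if __name__ == "__main__":
    for line in demo().items():
        print(*line)
```

The two clients show the limits of each row. A key-change notification only helps a client that already holds a pin, and only if the user acts on it (the table notes one app ships that setting off by default). A first-time contact pinned from a malicious directory is accepted silently, and only the manual fingerprint comparison catches it; apps that let you add a contact without trusting a directory server at all remove that dependency rather than detecting its abuse.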