With the abuse of online privacy by social media monopolies and the rise of
alternative messaging applications, I was looking for a safe channel to
communicate with my friends and family. I decided to summarize and publish my
assessment results so that I can share them with my friends for their benefit.
In principle, I consider a messaging application secure to use if:

- It has end-to-end encryption between the receiver and the sender by
  default. In other words, only you and I will ever be able to read our
  messages, no one else. Not the service provider, not the government. Some
  applications provide end-to-end encryption as an option, but you need to turn
  it on for each contact, which many people don’t do. Some only provide
  end-to-end encryption in direct chats and not in group chats.
- The encryption protocol is published and reviewed by security experts.
  This ensures both in theory and in practice that the encryption is reliable.
  Some services claim to have strong encryption methods because they have not
  been hacked yet. While that might be considered proof of the practical aspect,
  it falls short on the theoretical level.
- The whole software stack is open-source. If software was food, then
  open-source would mean that you get the ingredient list and recipe along with
  the food you order. There is no need to blindly trust the marketing of the
  service provider: open source gives the community of programmers and security
  specialists the power to study the intention and the implementation details
  of software products. Experts even have the chance to contribute back to the
  software to improve its quality. This is not possible with closed-source
  software (like Windows, Spotify, or Gmail). Some messaging platforms
  open-sourced their mobile applications, but the service that transfers the
  messages is still closed-source.
- No user data and the least amount of metadata are collected. This ensures the
  minimum chance for privacy abuse in the first place.
- There is an option to sign up anonymously without the need to associate
  your phone number with the account. In many countries, purchasing a SIM is
  only possible with an ID.

In the following chart, I’m evaluating Signal, Telegram, WhatsApp, Facebook
Messenger, Viber, Surespot, and Wickr Me.

| | Signal | Wickr Me | Surespot | Telegram | WhatsApp | Facebook Messenger | Viber |
|---|---|---|---|---|---|---|---|
| Owner | Signal Foundation (US), non-profit | Wickr (US), for profit | Surespot (US), for profit | Telegram (US/UK), for profit | Facebook (US), for profit | Facebook (US), for profit | Rakuten (LUX), for profit |
| Default end-to-end encryption | yes | yes | only in direct chat | no | yes | no | no |
| Encryption protocol | reviewed (Signal Protocol) | reviewed (Wickr Protocol) | reviewed (SureSpot Protocol) | not reviewed (MTProto Protocol) | reviewed (Signal Protocol) | reviewed (Signal Protocol) | not reviewed (Viber Protocol) |
| Open-source products | yes | yes | only mobile apps | only mobile apps | no | no | no |
| Messages are stored | on your phone | on your phone | on your phone | in the cloud | on your phone | in the cloud | on your phone |
| Data collection | minimal metadata | minimal metadata | minimal metadata | user data, record of data breach | user data, record of data breach | user data, record of data breach | user data |
| Registration | username | username | username | phone number | phone number | phone number, Facebook account | phone number |

Use Signal or Wickr Me. If anonymous sign-up is important to you, use Wickr Me
or SureSpot. SureSpot doesn’t support group chats, though. WhatsApp is not that
bad after all. Telegram, despite its rising popularity, performs very poorly from
a security perspective: it’s an insecure messenger.
To back up my analysis with accurate and up-to-date data, I read the websites of
the respective vendors, I reviewed the comparison chart of cross-platform
on Wikipedia, and studied the Minimum Security Standards research
summary (2020) published
by Mozilla. I also used an in-depth comparison on discussing the differences
between a bunch of secure messaging apps,
but since it was last updated in 2018, I cautiously double-checked its content.