With the abuse of online privacy by social media monopolies and the rise of alternative messaging applications, I was looking for a safe channel to communicate with my friends and family. I decided to summarize and publish my assessment results so that I can share them with my friends for their benefit, too.
In principle, I consider a messaging application secure to use if:
It has end-to-end encryption between the receiver and the sender by default. In other words, only you and I will ever be able to read our messages, no one else. Not the service provider, not the government. Some applications provide end-to-end encryption as an option, but you need to turn it on for each contact, which many people don’t do. Some only provide end-to-end encryption in direct chats and not in group chats.
The encryption protocol is published and reviewed by security experts. This ensures both in theory and in practice that the encryption is reliable. Some services claim to have strong encryption methods because they have not been hacked yet. While that might be considered proof of the practical aspect, it falls short on the theoretical level.
The whole software stack is open-source. If software were food, then open-source would mean that you get the ingredient list and recipe along with the food you order. There is no need to blindly trust the marketing of the service provider: open source gives the community of programmers and security specialists the power to study the intention and the implementation details of software products. Experts even have the chance to contribute back to the software to improve its quality. This is not possible with closed-source software (like Windows, Spotify, or Gmail). Some messaging platforms have open-sourced their mobile applications, but their service that transfers the messages is still closed-source.
No user data and the least amount of metadata are collected. This ensures the minimum chance for privacy abuse in the first place.
There is an option to sign up anonymously without needing to associate your phone number with the account. In many countries, purchasing a SIM is only possible with an ID.
In the following chart, I’m evaluating Signal, Telegram, WhatsApp, Facebook Messenger, Viber, Surespot, and Wickr Me.
| |Signal|Wickr Me|Surespot|Telegram|WhatsApp|Facebook Messenger|Viber|
|---|---|---|---|---|---|---|---|
|Owner|Signal Foundation (US), non-profit|Wickr (US), for profit|Surespot (US), for profit|Telegram (US/UK), for profit|Facebook (US), for profit|Facebook (US), for profit|Rakuten (LUX), for profit|
|Default end-to-end encryption|yes|yes|only in direct chat|no|yes|no|no|
|Encryption protocol|reviewed (Signal Protocol)|reviewed (Wickr Protocol)|reviewed (SureSpot Protocol)|not reviewed (MTProto Protocol)|reviewed (Signal Protocol)|reviewed (Signal Protocol)|not reviewed (Viber Protocol)|
|Open-source products|yes|yes|only mobile apps|only mobile apps|no|no|no|
|Messages are stored|on your phone|on your phone|on your phone|in the cloud|on your phone|in the cloud|on your phone|
|Data collection|minimal metadata|minimal metadata|minimal metadata|user data, record of data breach|user data, record of data breach|user data, record of data breach|user data|
|Registration|phone number|username|username|phone number|phone number|phone number, Facebook account|phone number|
Use Signal or Wickr Me. If anonymous sign-up is important to you, use Wickr Me or SureSpot. SureSpot doesn’t support group chats, though. WhatsApp is not that bad after all. Telegram, despite its rising popularity, performs very poorly from a security perspective: it’s an insecure messenger.
To back up my analysis with accurate and up-to-date data, I read the websites of the respective vendors, I reviewed the comparison chart of cross-platform instant messaging clients on Wikipedia, and studied the Minimum Security Standards research summary (2020) published by Mozilla. I also used an in-depth comparison discussing the differences between a bunch of secure messaging apps, but since it was last updated in 2018, I cautiously double-checked its content.