Have you ever had a private conversation with someone that you didn’t want others to hear? We all have. These days, many of us spend more time talking to people online than we do face to face.
If you knew that every piece of mail you sent was opened at the post office, read, and resealed before it was delivered, would you still feel comfortable divulging personal information in those letters? Unfortunately, many chat apps that we use may be subject to this exact type of inspection.
Concerned about the recent updates to the WhatsApp Privacy Policy 2021 and considering switching to an alternative? WhatsApp’s apparent ‘encrypted chats’ have been found to share data and/or metadata on numerous occasions with its parent company, associated advertisers & law enforcement companies.
Why you should use secure messaging
When you chat with someone online, you might assume that only you and the other person are privy to the conversation. But as we’ve learned over the years, there are lots of groups that are expending considerable effort to spy on your communications.
- Corporations want to read your messages so they can better target ads to you or sell your personal information to the highest bidder.
- Hackers want to use the information to steal your identity, break into your bank account, sell your company’s new business plans to the competition, or blackmail you with those pictures from the wild night in Vegas.
- Governments want to know everything you think and say and do, and maybe even catch a terrorist or two.
Unless you are using a secure messaging service, any or all of these groups will have an easy time of intercepting your messages should they choose to do so. We believe that privacy drives success, growth and innovation. It enables democracy and ensures stability in an increasingly unstable world.
Free and open-source software (FOSS) has a number of advantages, but to most people, the main benefits are security & privacy. All the code is out in the open, so anyone with programming knowledge can go through it and see exactly what an app is doing. Proprietary apps (such as WhatsApp, Facebook & Instagram Messengers) on the other hand can sometimes feel like black boxes, where you don’t really know what’s going on behind the scenes.
Philosophical reasons why secure messaging apps are useful
Privacy is one part of our basic human needs and is protected by the UN Declaration of Human Rights.
- Freedom of speech. The right to speak those views without censorship.
- Freedom of association. The right to associate (i.e., talk) with anyone without the government knowing or preventing the association.
- Freedom of conscience. The right to believe in unpopular views without intervention.
Here are a few app recommendations…
1) Session
“Session is an end-to-end encrypted messenger that minimizes sensitive metadata, designed and built for people who want absolute privacy and freedom from any form of surveillance.”
https://getsession.org
That could be a description of Signal messenger. And that shouldn’t be a surprise, since Session began life as a fork of Signal. But Session has evolved far from there. Signal is a super-secure, centralized messaging service. Session is an anonymous, private, decentralized messaging system. There’s a big difference.
There are no central servers in Session. Apps communicate through an onion routing network (similar to Tor) made up of thousands of independent nodes. These nodes are part of Oxen, a decentralized, censorship-resistant, trustless network*. You don’t need to know how Oxen works, beyond the fact that it makes Session anonymous and decentralized.
* If you want to learn more about Oxen and the blockchain magic it does behind the scenes, here’s a link to the Oxen website.
Session also was designed to expose the absolute minimum of metadata. Metadata is the data about the messages that flow back and forth between your app and that of whomever you are communicating with.
Metadata doesn’t expose the content of your messages. But depending on the design of the messenger app, metadata can tell snoops all sorts of things that you probably wouldn’t want to be exposed. Things like who you talk to, when and how long you talked to them, what kind of device you are communicating with, your operating system, mobile device battery status, even your IP address. Clever enemies can do a lot with that kind of metadata, and the less of it outsiders have, the more privacy you have.
Session addresses this problem in a few ways. They don’t require you to enter an email address or phone number to create an account. You can’t, even if you want to. The app generates a random Session ID that has no connection with any personal information.
Session also functions without gathering any metadata about your activities. Even if they wanted to, thanks to Oxen, there are no central servers on which to log such data. It uses end-to-end (E2E) encryption for everything: sending text and voice messages, sharing files, images, and attachments, even doing group chats. Closed group chats support up to 100 people at once with full E2E encryption; open group chats come without the encryption, but with an unlimited number of participants.
Session doesn’t have some of the features that competitors like Signal or Threema do. You won’t find voice or video calls, for example. They are coming sometime down the road, but aren’t available yet. If you need those features right now, then Session isn’t for you. However, if you are good with chat-type communication in exchange for anonymity and privacy, go for Session!
2) Signal
Signal is generally considered to be one of the most secure messaging services available, and probably the most popular. Originally published by Open Whisper Systems, their encryption protocol (the Signal Protocol) is well-respected in the industry and very secure. Signal is end-to-end encrypted, open source, and free of charge. It allows you to create disappearing messages (a.k.a. self-destructing messages), has successfully completed third-party audits, and also publishes Transparency Reports.
And if that wasn’t enough, it has recommendations from top privacy advocates including Bruce Schneier and Edward Snowden.
Signal is not owned by a big tech conglomerate and operates as an independent non-profit, which can be a benefit for some users seeking greater privacy. Signal is also trusted by government departments around the world for secure encrypted communications.
We can only think of two reasons you might not want to at least give Signal a try: you don’t want to use a telephone number to register an account; or the people you need to communicate with don’t use, and won’t switch to, Signal.
Note: There are some reported workarounds for the Signal phone number registration issue.
+ Pros
- End-to-end (E2E) encryption
- Encryption algorithms: Signal protocol, with Perfect Forward Secrecy (PFS) for text messages, voice messages, and video calls
- Open source
- Disappearing messages (aka self-destructing messages)
- Published transparency reports
- Logs minimum amount of data
- Does not log IP Addresses
- Can replace your phone’s SMS messaging app
- Focus is totally on individual users
- All Signal products are free of charge
– Cons
- Mandatory requirement for users to sign up with a mobile number
- Does not support 2FA (Two-Factor Authentication)
- More recent comprehensive & independent assessments of security/privacy are somewhat lacking
https://signal.org
3) Element / Matrix
Element is a Matrix-based end-to-end encrypted (E2EE) secure collaboration and messaging app. It’s available to use across Web, Android, iOS, macOS, Windows & Linux.
Element (previously known as Riot.im) takes a different approach to security than the other options in this article. For this reason, it’s perhaps the future of secure messaging. While it offers encryption throughout instant messaging, file sharing, video chat, voice-over-IP calling, screen sharing, chat rooms with thousands of users, and more, it does everything using a decentralized network. This means there’s no single server that stores or processes your encrypted messages. It’s a cool concept and you can read more about the geekier side of federation at Matrix.org.
Federation basically means that instead of connecting to centralised servers run by the platform’s operators, users can set up their own servers or connect to any of the many Matrix servers that others have set up. The default option is to connect to the large public server run by matrix.org, but you can instead connect to any user-created Matrix server.
Element, including the Matrix chat server network, is all completely open-source. Matrix encryption uses the Olm implementation of the Double Ratchet algorithm, with Megolm (an AES-based cryptographic ratchet) for group communications. Neither Element nor Matrix has been fully audited, although Olm and Megolm have been. Cryptographic primitives used include Ed25519 and Curve25519 keys, AES-256-CBC, and HMAC-SHA256, with perfect forward secrecy provided by a Triple Diffie-Hellman exchange. So if a password or encryption key is compromised in the future, the contents of previous messages won’t leak. For security, a conversation that starts as encrypted can’t have encryption disabled later. Matrix’s mission is to preserve your right to privacy, in the face of an increasingly centralised internet, and routine surveillance.
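To illustrate the forward-secrecy property described above, here is an added example (not from the original article, and not the Olm or Megolm code): a simplified one-way key ratchet built on HMAC-SHA256. The function names, the KDF labels and the shared secret are assumptions constructed for illustration; in a real protocol the starting secret comes from the Diffie-Hellman exchange.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256 keyed with the current chain key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Return (message_key, next_chain_key). Labels are illustrative choices."""
    return kdf(chain_key, b"\x01"), kdf(chain_key, b"\x02")

class Ratchet:
    """Holds only the current chain key; older chain keys are overwritten."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key, self.chain_key = ratchet_step(self.chain_key)
        return message_key

def simulate_compromise(shared_secret: bytes, total: int = 6, stolen_at: int = 3):
    """Run a sender for `total` messages and copy its state before message
    `stolen_at`, as if the device were seized at that moment.
    Returns (all message keys, keys derivable from the stolen state)."""
    sender = Ratchet(shared_secret)
    all_keys, stolen_state = [], None
    for i in range(total):
        if i == stolen_at:
            stolen_state = sender.chain_key  # what is on the device right now
        all_keys.append(sender.next_message_key())
    observer = Ratchet(stolen_state)
    derivable = [observer.next_message_key() for _ in range(total - stolen_at)]
    return all_keys, derivable

if __name__ == "__main__":
    # Constructed sample secret; stands in for the key-agreement output.
    secret = hashlib.sha256(b"constructed shared secret").digest()
    all_keys, derivable = simulate_compromise(secret)
    for i, key in enumerate(all_keys):
        status = "exposed" if key in derivable else "still protected"
        print(f"message {i}: {status}")
```

Messages 0 to 2 stay protected because the ratchet cannot be run backwards, while messages 3 onward are exposed. That second half is why the Double Ratchet also mixes fresh Diffie-Hellman output into the chain, so a stolen state stops being useful for later messages too.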
+ Pros
- End-to-end (E2E) encryption
- Olm/Megolm open source encryption, with Perfect Forward Secrecy (PFS)
- Open source
- Anonymous messaging (Username based registration); no telephone number or email address needed
- Cross-platform independent apps: Mobile apps, desktop apps, and browser-based app
- Decentralised Matrix chat network (you can host your own chat server), which caters to business & government
- Strict security (User authentication & encryption keys are stored securely; if you forget your password, previously encrypted messages are lost)
- Bridges into other business platforms if required. Integrates with Discord, Jitsi, Microsoft Teams, Slack, Telegram, IRC, XMPP, plus more
– Cons
- Small user base
- No independent & recent published security code audit (yet, although there has been for the Matrix network)
- Some interface improvements needed (no audio messages, no disappearing messages)
4) Threema
Threema is one of the less well-known secure and private messaging apps. With around 5 million users and over 8 years on the market, it is a mature, powerful product that somehow never gained widespread fame like Signal. But none of this means that Threema isn’t a good option for certain use cases. Here’s why…
First, you can use Threema totally anonymously. Unless you choose to link the app to an email address or phone number, the only way to identify a user is through a randomly generated ID that has no connection to any user-identifiable data. Likewise, each user’s private key is stored on their device, meaning only the user of the relevant device can read messages sent to it.
Even Threema’s relative obscurity can be an advantage in some circumstances. Anyone trying to spy on, hack, or otherwise tamper with a messaging service is much more likely to target the services with larger user bases or greater notoriety. There can be advantages to being overlooked.
While there is currently no free version of Threema, you can still purchase this app for a once-only low price through the Threema store for direct download, or the Google Play and Apple stores.
+ Pros
- End-to-end (E2E) encryption
- NaCl open source encryption
- Anonymous messaging (ID based registration); no telephone number or email address needed
- Mobile apps plus browser-based, secure desktop chat
- Client transition to open source is complete
- No IP Addresses or metadata logging
- They own all their own servers for better security and privacy
- Regular security audits and transparency reports
- GDPR compliant
– Cons
- Small user base
- No free version
- No 2FA
- Server-side & API transition to open-source not yet complete
- No ‘perfect forward secrecy’ at the end-to-end encryption layer
- No disappearing messages (aka self-destructing messages)
Runners-up worth mentioning are Dust & Wire. Although Telegram is open-source, it doesn’t make our list because encryption is not enabled by default for new private chats, and there is no support for encryption in group chats.
A word on trust
In order to consider any of the apps “secure”, you must trust the people behind their creation/maintenance. Each of the apps has one weakness in common: you must trust a third party (them) in order for it to work. Namely you must:
- trust that they have no incentives not to protect your data,
- trust that they have designed and implemented a secure solution,
- trust that they won’t/can’t hand over your data to the authorities,
- trust that the source (e.g., Apple/Google stores) from which you downloaded the app hasn’t modified it,
- trust that the source code they publish, if they do, is solely what was used to compile the app, and
- trust that there are no back-doors or security vulnerabilities.
Conclusion
Recent years have brought a boom in new messaging services that claim to be private, secure, anonymous, or any combination of those. But most of them fail to do the job for one reason or another. Some only protect your messages in transit, while leaving them accessible to the employees of the service. Others are owned by companies with bad reputations for protecting your privacy. Some may even have been hacked or contain secret back-doors placed by relevant national intelligence agencies.
We do not condone or support unlawful activities, specifically any activity that causes harm or loss. Criminals will always be brought to justice, whether robust encrypted messaging apps exist, or not. What we care about is everyone’s basic right to privacy, just like we close our curtains and windows at night to keep our basic activities private to ourselves.
When using proprietary apps & online services (that are not free & open-source), it can be said that if you are not paying for the product, you are the product! Does ‘your data’ stay ‘your data’, or is it being shared with who-knows-who for corporate espionage, surveillance power or monetary gain? Trust is vitally important with companies we outsource our technology experience to.
While there doesn’t seem to be one ultimate app we can recommend, and for good reason (competition is healthy), we hope the above recommendations help you to choose the features that matter the most to you. Enjoy your new secure messaging experience using apps that care for your privacy, and communicate with freedom!
* Some information in this article is subject to change, especially if these apps change or evolve their specifications.