Popular messaging service WhatsApp has recently added end-to-end encryption to every form of communication made by using the platform on Android, iOS, and Windows devices. Is this the most secure and private app?
More than a billion people write messages, make phone calls, and send photos and videos using WhatsApp, a service owned by Facebook. On April 4, WhatsApp announced it has completed the roll-out of end-to-end encryption to chat and calls, a statement that came during a troubled time for internet privacy, marked by Apple’s battle with the FBI. Feds had asked the Cupertino giant to unlock the iPhone of a mass shooter. The company declined, fearing that such a decision would set a dangerous precedent.
The scandal raised awareness of topics such as encryption, privacy and digital freedom. This is our take on the most secure and easy-to-use IM apps for mobile!
The highly popular messaging app Telegram has reached 100 million monthly active users, so you’ll be able to find many of your friends there. It’s supported by Russian-born entrepreneur Pavel Durov, who is also the founder of social networking site VK. Telegram is highly popular in countries dealing with censorship, such as Iran. You can use it to send messages, photos, videos, stickers, and files on mobile devices running Android, iOS, Windows and Ubuntu Touch. There are also friendly desktop versions for Windows, OS X, Linux and web-browsers as an add-on. The client-side of the platform is open-source.
Although it’s easy and fun to use, Telegram fails to get the green light on three categories, on EFF’s scorecard:
- Encrypted so the provider can’t read it?
- Can you verify contacts’ identities?
- Are past comms secure if your keys are stolen?
Secret chats, however, get 7 out of 7 points on Electronic Frontier Foundation’s Scorecard.
This being said, we advise you to use Telegram’s secret chats only if you’re a fan of this platform. However, you won’t be able to see those conversations on the desktop version.
We’ve added Telegram to this list mostly because it’s widely used and it works on most modern platforms. It doesn’t encrypt anything by default and the protocol they employ is questionable, since it was developed in-house and it has received negative feedback from the crypto community.
Made by a company headquartered in Switzerland and having a development center in Germany, Wire advertises end-to-end encryption on text messages, photos as well as on voice and video calls. Backed by a Skype co-founder, Janus Friis, the app looks pretty and is easy to use. It’s available for iOS, Android, OS X and Windows.
Janus Friis has recently told Bloomberg Business that the app has about 150,000 to 200,000 new user sign-ups each month.
The chat interface is modern and good looking. It includes a drawing tool and integrates the GIF database from giphy.com so you can embed funny gif animations into your messages.
For text and picture delivery, Wire uses Off-the-Record (OTR) end-to-end encryption. Wire uses the Axolotl ratchet and pre-keys, which are optimized for mobile messaging. The WebRTC standard is used for voice calls and the SRTP protocol is used to encrypt voice calls. Perfect forward secrecy is enabled for both text and calls, which means that even if an adversary obtained the encryption keys, they could not decrypt sessions from the past. For more technical details, visit wire.com/privacy and check the whitepapers at the bottom.
The initial handshake required to establish the encrypted calls wasn’t always working on the first attempt, which was annoying. But once established, we found Wire’s audio and video quality quite good, actually.
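To make the forward-secrecy claim above concrete, here is an added example (not Wire's code and not from the original article) of the symmetric hash-chain step used in Axolotl-style ratchets. The class and function names and the shared secret are constructed for illustration, and the Diffie-Hellman part of the ratchet is left out.

```python
import hashlib
import hmac


def kdf_chain(chain_key):
    """One ratchet step: return (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class Chain:
    """Holds only the current chain key; each step overwrites the previous one."""

    def __init__(self, initial_chain_key):
        self._chain_key = initial_chain_key

    def next_message_key(self):
        self._chain_key, message_key = kdf_chain(self._chain_key)
        return message_key

    def snapshot(self):
        """The state someone would obtain by seizing the device right now."""
        return self._chain_key


def keys_reachable_from(chain_key, steps):
    """Every message key that can be derived going forward from chain_key."""
    keys = []
    for _ in range(steps):
        chain_key, message_key = kdf_chain(chain_key)
        keys.append(message_key)
    return keys


def demo():
    # Constructed secret; a real session gets this from the initial key agreement.
    shared = hashlib.sha256(b"constructed shared secret").digest()
    sender, receiver = Chain(shared), Chain(shared)
    past = [sender.next_message_key() for _ in range(3)]
    received = [receiver.next_message_key() for _ in range(3)]
    stolen = sender.snapshot()            # compromise after three messages
    derivable = keys_reachable_from(stolen, 1000)
    return {
        "in_sync": past == received,
        "past_keys_exposed": any(k in derivable for k in past),
        "next_key_exposed": sender.next_message_key() == derivable[0],
    }
```

The stolen state yields none of the three earlier message keys, because HMAC cannot be run backwards. It does yield the next key on the same chain, which is why the full ratchet also mixes in fresh Diffie-Hellman output.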
This is also a Swiss instant messaging app running on iOS, Android and Windows Phone. Its name is derived from EEEMA (end-to-end encrypting messaging application). Last summer, the app had 3.5 million users, most of them located in German-speaking countries.
The app scored 6 out of 7 on EFF’s website, the only problem being that the code is not open to independent review.
On the technical side, Threema relies on the open source NaCl library for encryption. NaCl (pronounced “salt”) is an abbreviation for “Networking and Cryptography library”, a software library that can be used to integrate encryption, created by Daniel J. Bernstein, who is widely regarded as one of the best crypto-experts in the world.
To learn more about Threema’s cryptography implementation, check the Cryptography Whitepaper.
The Facebook-owned app has recently announced that it was rolling out end-to-end encryption for all its users. This is big news, as it helps encryption become a mass phenomenon, not just a thing within the geek community.
The new and improved WhatsApp has a score of 6 out of 7 points given by the EFF. As with Threema, the code is not open to independent review.
The good thing about WhatsApp encryption is that they integrated the Signal protocol instead of rolling out their own. The complete roll-out was announced by Moxie Marlinspike, owner of Whisper Systems. Just like Daniel J. Bernstein, Moxie Marlinspike is also a security/crypto guru. Thus, his participation in the WhatsApp encryption integration is a sign of trust, given the fact that Facebook is far from being one of the privacy-enhancing companies.
For technical details on WhatsApp encryption, visit whatsapp.com/security.
While the encryption is likely implemented correctly and can be trusted, be aware that there are weaknesses, such as metadata. Then there’s the “Show security notifications” option, which must be enabled manually from the Settings. This setting ensures that you are notified if a contact’s security code is changed, for example in a man-in-the-middle attack.
The backup of chats and media is also a problem if you don’t disable the option “Backup to Google Drive” in Settings > Chats > Chat Backup.
We found the voice quality surprisingly good, both over Wi-Fi and mobile broadband. The amount of traffic transferred is very low, just a few MBs for several long talks.
What we’d like to see in the future:
- encrypted backups, both locally and in the cloud if the user enables it
- PIN/pattern authentication for opening WhatsApp, similar to Threema
- an easier way to authenticate other parties
- video calls?
This is Edward Snowden’s favorite, and he said he uses it every day. It scores a perfect 7 on EFF’s website, is free, and it works on both Android and iOS. There is even a desktop version if you don’t like the small keyboard on your phone.
Signal can be used to send encrypted text messages, attachments and to make encrypted calls. You can verify someone’s identity by comparing the key fingerprints.
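The two identity checks mentioned in this article, WhatsApp's notification when a contact's security code changes and Signal's comparison of key fingerprints, can be sketched as a trust-on-first-use key store. This is an added example, not code from either app: the fingerprint format (truncated SHA-256 in groups of four hex digits), the class name and the status strings are assumptions made for illustration.

```python
import hashlib


def fingerprint(identity_public_key):
    """Readable fingerprint: first 128 bits of SHA-256, in 4-hex-digit groups."""
    digest = hashlib.sha256(identity_public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class ContactKeyStore:
    """Remembers the first identity key seen per contact and reports changes."""

    def __init__(self):
        self._pinned = {}        # contact -> fingerprint of the key in use
        self._verified = set()   # contacts confirmed over a separate channel

    def observe(self, contact, identity_public_key):
        """Call each time the server delivers a contact's identity key."""
        seen = fingerprint(identity_public_key)
        pinned = self._pinned.get(contact)
        if pinned is None:
            self._pinned[contact] = seen
            return "first-use"
        if pinned == seen:
            return "verified" if contact in self._verified else "unchanged"
        # Different key: new phone, reinstall, or a man-in-the-middle.
        # The new key is accepted, but earlier verification no longer counts
        # and the caller must show the user a security notification.
        self._pinned[contact] = seen
        self._verified.discard(contact)
        return "changed"

    def confirm(self, contact, fingerprint_from_contact):
        """Mark verified only if the fingerprint read out by the contact
        (in person or on a call) matches the key we are actually using."""
        pinned = self._pinned.get(contact)
        claimed = " ".join(fingerprint_from_contact.lower().split())
        if pinned is not None and pinned == claimed:
            self._verified.add(contact)
            return True
        return False
```

A client that hides the "changed" result from the user keeps encrypting to whatever key the server supplies, which is the gap the manual setting closes.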
Electronic Frontier Foundation included Signal in their surveillance self-defense guide and many privacy-conscious users recommend it as the de-facto app for secure and private instant messaging.
One of the biggest advantages over other apps is that Signal is open source and it’s been audited by third-party security firms and individual researchers. Here you can read the security & technical details.
We’ve been using it extensively ourselves, on a day-to-day basis, and it works very well. For some reason, call quality isn’t as good as WhatsApp and Wire, but satisfactory nonetheless.
SMSSecure is worth the mention because it is a complete SMS app replacement for Android. It is based on TextSecure (early version of Signal), it is open source and its advantage is that it doesn’t require access to Internet in order to communicate securely with others, as the messages are encrypted over SMS and MMS. It also features encrypted backups, easy import/export of messages including importing clear-text SMS messages from the device. We recommend SMSSecure as your default SMS app on Android.
Wickr seems interesting, but we haven’t used it yet. It is available for iOS, Android and desktop (Windows, Mac, Linux). The code is not open source, though the application and backend APIs have been audited and acknowledged to be secure by third-party security companies, such as iSEC Partners and Aspect Security. Wickr Professional is available on premises for corporations that need a secure, self-hosted communication service.
Wickr scored 5 out of 7 in EFF’s scorecard.
WhatsApp’s decision to implement end-to-end encryption is remarkable, and it brings security, enabled by default, to over 1 billion users. It’s worth noting that the user base is much higher than that of all other secure messaging apps combined. So this is a huge step forward against surveillance. However, WhatsApp is not perfect and some security is sacrificed for convenience, thus Signal is currently the best chat/voice app for those who are really serious about security and privacy.
Have you tested other secure and private chat apps? Tell us what you think!