Best secure mobile messaging apps | Apps
As online instant messaging becomes increasingly popular, the security of the information transferred on them is critical to pay attention to.
Instant messaging users around the world seek protection from hackers, yet surprisingly only a few apps provide end-to-end encryption.
Home secretary Amber Rudd has called for technology companies to build backdoors into their encrypted content for security services to use when they require access in the fight against terrorism. And prime minister Theresa May talked at the World Economic Forum summit in Davos, Switzerland about the need for a balance between privacy and security – in short, undermining the security of encrypted messaging apps.
Secure messaging applications have been a cottage industry for desktop computers for years, usually for secure email or instant messaging, but the arrival of mobile platforms has given them the sort of kick that is leading many to dream of reaching mainstream adoption.
The software used to be seen as the preserve of the technical users with a paranoid bent or political dissidents, but a number of new platforms have emerged in recent years. Once small scale in their ambitions, the mostly new companies making these apps sense a huge opportunity to grab business users anxious about the implications of living in the post-Snowden world.
The main contenders in the game are really Signal and Telegram. WhatsApp gets a mention because it does feature levels of privacy and encryption by default.
Read next: Best smartphones for entrepreneurs 2017
Android still tends to be the default platform for secure messaging apps, but iOS versions usually become available after a short delay. The issue of platform support is more important than it might first appear.
Even if you don’t personally use an iPhone, for example, the fact that your favoured contacts do will render any app that doesn’t support both platforms useless if the same app is needed at both ends.
Some apps integrate with third-party applications, for instance email clients. That can be important for businesses – can the app support the preferred communications software used by an organisation and will it work across desktop as well as mobile? Some can, some can’t.
It should be noted that Apple has significantly ramped up privacy and security in its devices of late. Controversially, American intelligence recently demanded that Apple undermine its own encryption as part of a terrorist shooting investigation. But Apple said that it couldn’t, even if it wanted to.
Read on for an overview of the best secure messaging apps.
Messenger is Facebook’s private messaging app. It was originally developed as Facebook Chat in 2008, but was revamped in 2010 with the standalone releases launched on iOS and Android in 2011.
The platform application allows users to send and receive messages, photos and videos with the additional support of voice and video calling. There is also added end-to-end encryption based on its integration of third-party apps.
Facebook Messenger also boasts of some interesting features such as a bot platform, launched in 2016 and its artificial intelligence virtual assistant which enables the competition of tasks automatically.
Facebook Messenger recently launched an unsend feature, which allows users to remove sent messages from the recipient’s inbox in the first 10 minutes using the ‘Remove for Everyone’ feature. The feature is currently available on iOS and Android apps in some countries such as Poland, Lithuania and Bolivia and is expected to be rolled out globally soon.
However, privacy- and security-conscious users might want to give this one a miss – despite all of Facebook’s bluster for valuing privacy and security, its business model is essentially built on profiling its users, and the recent Cambridge Analytica scandal – for which it was recently hit with a £500,000 fine by the ICO in the UK – will not be of much reassurance either.
Amongst its many communication and collaboration features, Skype offers an instant messaging feature that is integrated with the Skype and Skype for Business apps.
It allows users to send instant messages in real time, which also includes video messaging, voice messaging and photo, video and file transfer.
Skype ensures that there is added encryption for all its services and claims to use TLS (transport-level security) to encrypt all messages between the Skype user and service in the cloud.
It also uses AES (advanced encryption standard) for all messages sent and received between Skype users.
The end-to-end encryption feature became available for all users on iOS, Android, Linux, Mac and Windows desktop in August 2018.
Whatsapp CEO and cofounder Jan Koum grew up in communist Ukraine – where open dissent was not tolerated by the government. Leaving the country at 16 for Mountain View, California, in 1992, it wasn’t until 2009 when he and Whatsapp cofounder Brian Acton created an app designed to cut the number of missed calls they were getting.
This eventually mutated into Whatsapp, and by 2014 it had over 400 million users. Today it’s one of the most popular messaging apps out there. In 2016, the company revealed that it had more than one billion users.
There were three principles integral to Koum, listed in this extensive profile from Wired. The first two could be traced back to his Soviet roots, the good and the bad: one that the app should promote privacy and protect freedom of speech. The second: no adverts. The third was that it should be a gimmick-free user-friendly experience.
That said, the fact that Facebook owns Whatsapp will not be reassuring to the privacy-conscious. Facebook is notoriously aggressive about collecting user data and Facebook has signposted its intention to target users with ads based on Whatsapp data.
Where Whatsapp tends to be unavoidable at the moment is the sheer number of people on it, similarly to Facebook Messenger. While there are more secure messaging apps on the market, its popularity does sell it – and at least it does tout a degree of privacy (even if it’s Facebook that owns the data).
Here’s the technical stuff.
Whatsapp started using the TextSecure platform (now called Signal – see below) from the Open Whisper Systems in 2015, which improves security by using true end-to-end encryption with perfect forward secrecy (PFS). This means the keys used to scramble communication can’t be captured through a server and no single key gives access to past messages.
In April 2016, the Signal protocol was rolled out as a mandatory upgrade to all WhatsApp users across all mobile platforms, an important moment for a technology that had spent years on the fringes. At a stroke it also made Open Whisper Systems the most widely used encryption platform on earth.
In February 2017 WhatsApp incrementally introduced two-factor authentication to all of its users as an optional added layer of security.
Two-factor authentication essentially means verifying your identity twice – and in this case users will choose to access their account through a six-digit number. WhatsApp users will need to enable the feature through their settings and once switched on, the passcode will remain on the associated account, no matter which device it’s being accessed through.
Earlier this year, a Guardian report claimed that a security vulnerability in WhatsApp meant Facebook – WhatsApp’s parent company – could read encrypted messages sent through the service. Security researcher Tobias Boelter told the paper that WhatsApp is able to create new encryption keys for offline users, unknown to the sender or recipient, meaning that the company could generate new keys if it’s ordered to.
And although Facebook insists that it couldn’t read your WhatsApp messages even if it wanted to, critics have been suspicious since the buy – since Facebook’s entire platform depends on data and advertising, and its own Messenger service is infamously intrusive.
In terms of security, it’s important to distinguish pure secure messaging apps from apps that happen to have some security. Many use encryption but operate using insecure channels in which the keys are stored centrally and hide behind proprietary technologies that mask software weaknesses.
But it was presumably the sort of innovation Whatsapp brought to the table that so upset then-British prime minister David Cameron when in early 2015 he started making thinly veiled references to the difficulty security services were having in getting round message encryption used by intelligence targets. Current PM Theresa May has ramped up this rhetoric and focused on Telegram in particular. (Again – see below).
It’s fair to say that police and intelligence services are now worried about the improved security on offer from these apps, which risks making them favoured software for terrorists and criminals. That said, they are not impregnable. Using competent encryption secures the communication channel but does not necessarily secure the device itself. There are other ways to sniff communications than breaking encryption.
Most recent apps will, in addition to messaging, usually any combination of video, voice, IM, file exchange, and sometimes (though with a lot more difficulty because mobile networks work differently) SMS and MMS messaging. An interesting theme is the way that apps in this feature often share underlying open source technologies although this doesn’t mean that the apps are identical to one another. The user interface and additional security features will still vary.
Signal (formerly TextSecure Private Messenger) is arguably the pioneering secure mobile messaging platform that kick-started the whole sector.
Originally created by Moxie Marlinspike and Trevor Perrin’s Whisper Systems, the firm was sold to Twitter in 2011, at which point things looked uncertain. In 2013, however, TextSecure re-emerged as an open source project under the auspices of a new company, Open Whisper Systems, and since it has gained endorsements from figures such as Bruce Schneier and Edward Snowden.
We call it a platform because Signal is more than an app, which is simply the piece that sits on the Android or iOS device and which holds encryption keys.
The app itself can be used to send and receive secure instant messages and attachments, set up voice calls, and has a convenient group messaging function. It is also possible to use Signal as the default SMS app but this no longer uses encryption for a host of practical and security reasons. https://signal.org/blog/goodbye-encrypted-sms/
Signal was designed as an independent end-to-end platform that transports messages across its own data infrastructure rather than, as in the past, Google’s Google Cloud Messaging (GCM) network.
The Axolotl protocol underlying the platform’s security is also used by G Data as well as Whatsapp, which isn’t to say that Facebook’s implementation won’t have other vulnerabilities – as ever use with care.
Using the app is pretty straightforward. Installation begins with the phone number verification after which the software will function standalone or as the default SMS messaging app after offering to import existing texts. The most secure way to use it is probably as the default messaging app, so that an insecure message doesn’t get sent by accident.
Signal is based on the OTR protocol, uses AES-256, Curve25519 and HMAC-SHA256; voice security (formerly RedPhone app) and is based on ZRTP.
Interestingly, Signal added encrypted video calls to its feature roster in 2017, stepping up its current level of encryption. The app previously supported voice call end-to-end encryption but this update ensures video capabilities hold the same level of security as its chat functionality.
Additional security features include an app password and with a blocker that stops screen scraping. It is also possible to control what types of data are exchanged over Wi-Fi and mobile data. Obviously both sender and receiver need to have the app installed, which worked simply by entering the phone number of any other registered user.
Developed by Wire Swiss, Wire is a private messaging app that boasts that it’s in line with all European Union data laws, and is available on iOS, Android, Linux, Windows, macOS, and also operates web client options that work on browsers such as Firefox, Chrome, Safari and Opera. Even better, it’s free and open source – meaning that if you are worried about what’s in the code you can take a look at it yourself.
When the app first launched encryption was limited between client and the company server but end-to-end encryption was quickly added, along with a video calling feature. Messages are encrypted by Proteus, a protocol developed independently by Wire Swiss but based on Signal.
It is consumer-facing too. Private messaging clients can be a tough sell to users but Wire is integrated with various content platforms including Youtube and Spotify.
But – there is a trade-off. Motherboard security reporter Joseph Cox points out that Wire does store a record of people you’ve contacted through the app, and in plain text. Wire Swiss says that this is to make cross-device synchronisation easier. Wire confirmed to Motherboard that connections, emails, phone numbers and usernames are stored while an account is active, but are nixed when the account is deleted.
Launched by two Germany-based brothers in 2013 Telegram’s distinctiveness is its multi-platform support, including not only Android and iPhone but Windows Phone as well as Windows OS X and even Linux.
Telegram uses the MTProto protocol, 256-bit symmetric AES encryption, RSA 2048 encryption and Diffie–Hellman secure key exchange.
With the ability to handle a wide range of attachments, it looks more like a cloud messaging system replacing email as well as secure messaging for groups up to 200 users with unlimited broadcasting.
There are some important differences between Telegram and the other apps covered here, starting with the fact that users are discoverable by user name and not only number. This means that contacts don’t ever have to know a phone number when using Telegram, a mode of communication closer to a social network.
The sign-up asks for an optional user name in addition to the account mobile number, and requires the user verify the number by receiving and entering an SMS code. The app is polite enough to ask for access to the user’s phone book and other data, which can be refused, and handily notices which contacts within that list already have signed up for the app.
The platform is also open to abuse – if that’s the correct term – including reportedly being used by jihadists for propaganda purposes, which exploit its broadcasting capablity. This is not the fault of the developer but does bring home how such apps can be misused in ways that are difficult to control. British prime minister Theresa May has since specifically singled out Telegram as a threat.
Wickr first launched for iOS and Android, touting an encrypted way for ‘teams and enterprises’ to communicate with one another. It received millions in funding, including from big name financiers including Thor Halvorssen of the Human Rights Foundation and In-Q-Tel, the CIA’s venture capital wing, reports Vice.
Privacy and security advocates the Electronic Frontier Foundation audited the app and gave it a score of five out of seven – not bad considering the encryption was closed off at that time. To soothe those fears Wickr published a paper that provided some details on its end-to-end encryption protocol. But in August 2017 Wickr made its cryptographic protocol open source, and so, possible to review.