Everyone is after your data. Government surveillance teams are scouting for it, carrier companies want to use it to market you to their advertisers, and cybercriminals will do anything to get their hands on your information. Even the company behind the app may be reading your messages, as was the case with Facebook Messenger, which the company itself admitted following the Cambridge Analytica fiasco.
End-to-end encryption is one of the means you can use to secure your information and make it inaccessible to third parties. Basically, only the sender and recipient of the message can read it – while any third party intercepting it will just see a mass of jumbled data that doesn’t make sense. That way you won’t have to worry about surveillance, the messages being tampered with, the app provider snooping around your private inbox, or your service provider getting hacked and leaking out the sensitive information that is in the messages. Let’s look at the best encrypted messaging apps that you can use to protect yourself.
Signal is open-source software from Open Whisper Systems (OWS), and it has seen widespread adoption, from regular internet users to activists protesting out on the streets. While your phone number is needed to create the Signal account, the rest of the information, from your profile picture and name to your messages and video calls, is end-to-end encrypted. The Signal Protocol also powers popular messaging apps like WhatsApp, and the defunct Allo from Google. The conversations can also be set to self-destruct.
What about those conversations which you’d like to keep? They remain on the device, but Signal itself doesn’t store the data. This means that you’re protected even when law enforcement agencies go knocking on OWS’ doors. The impact of this can be seen in instances like when a subpoena was issued to obtain information from the app, but the government could not get much. OWS complied with the directive, but since there was no message data stored, all that could be provided were the dates and times that accounts were created, and when they last connected to Signal’s servers.
Additional features that make the app popular include automatic face blur for photos taken through the app, which has proved beneficial in protecting the privacy of protesters who share visuals during demonstrations. Because the software is open source, the code can be independently inspected by anyone.
With over 2 billion users around the world as of October 2020, WhatsApp is the undisputed king of messaging apps. Since 2016, it has fully implemented end-to-end encryption on the platform, securing the privacy of the users. Your chats are protected from prying government eyes and snooping third parties.
Even if WhatsApp were to be breached, the cybercriminals couldn’t read the conversations, thanks to the encryption, plus the fact that the messages are not stored on the app’s servers. Some security flaws are disconcerting though. For instance, if the WhatsApp servers are compromised by sophisticated hackers, or the staff themselves are coerced by law enforcement agencies, new people can easily be added to a private group chat. This uninvited member can then access any new messages posted there.
Unlike other apps on this list, Telegram’s messages are not end-to-end encrypted by default. Instead, the default encryption is between the cloud server and user. This cloud model enables you to seamlessly sync chats on different devices, but since Telegram has the encryption key, it can read the messages stored on the servers.
However, you can get the end-to-end encryption by using the “Secret Chats” feature. Here are more reasons why this feature stands out:
- Message forwarding is disabled.
- Once you delete messages on your end, the party on the other end gets ordered to delete them too.
- You can set a timer so that messages (including videos, photos and files) self-destruct a specific time after the recipient opens or reads them.
- Chats are device-specific, and can only be accessed from the device of origin. They aren’t part of the Telegram Cloud.
You can turn on the “Secret Chats” feature from Telegram’s advanced settings. Once enabled, the chats won’t leave any data on the app’s servers.
Note that Telegram will need basic information like your phone number for you to use the app. You can protect yourself from unauthorised access by enabling 2FA (two-factor authentication). The code is open-source as well.
On Viber, a cross-platform messaging app, both individual and group chats are encrypted by default, and this extends to voice and video chats. You can also set the chats to self-destruct. This Luxembourg-based app uses similar encryption methods to Signal, but the code is private.
Chats also have colour-coded padlocks to show the encryption and trust level:
- Green indicates that you’re connected to a contact you trust, and the chat is encrypted;
- Grey shows that the contact isn’t marked as trusted, though the chat is still encrypted;
- Red indicates that there is a problem with the authentication key of the contact, like when they are using a different device, or there is a man-in-the-middle attack where a third party tries to access the data.
It’s a nifty feature that adds to the security of the conversations.
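The three padlock states can be modelled as a trust-on-first-use key check. The sketch below is an added example, not Viber's code: the `TrustStore` class, its method names and the sample keys are hypothetical, and it assumes red is shown whenever a contact's key differs from the one remembered for them.

```python
import hashlib
import hmac

GREEN, GREY, RED = "green", "grey", "red"

def fingerprint(public_key: bytes) -> str:
    """Short, comparable identifier for a contact's public key."""
    return hashlib.sha256(public_key).hexdigest()

class TrustStore:
    """Hypothetical model: remembers the first key seen for each contact."""

    def __init__(self):
        self._pinned = {}  # contact -> (fingerprint, verified_by_user)

    def observe(self, contact: str, public_key: bytes) -> str:
        """Return the padlock colour for a chat that presents this key."""
        fp = fingerprint(public_key)
        if contact not in self._pinned:
            self._pinned[contact] = (fp, False)  # first contact: pin, not yet trusted
            return GREY
        pinned_fp, verified = self._pinned[contact]
        if not hmac.compare_digest(pinned_fp, fp):
            return RED  # key changed: new device, or someone in the middle
        return GREEN if verified else GREY

    def mark_trusted(self, contact: str, public_key: bytes) -> bool:
        """User confirmed the key out of band; accept only if it matches the pin."""
        pinned = self._pinned.get(contact)
        if pinned is None or not hmac.compare_digest(pinned[0], fingerprint(public_key)):
            return False
        self._pinned[contact] = (pinned[0], True)
        return True

    def accept_new_key(self, contact: str, public_key: bytes) -> None:
        """Re-pin after a legitimate device change; trust drops back to grey."""
        self._pinned[contact] = (fingerprint(public_key), False)

if __name__ == "__main__":
    store = TrustStore()
    old_key, new_key = b"constructed-key-A", b"constructed-key-B"  # constructed samples
    print(store.observe("alice", old_key))   # first contact
    store.mark_trusted("alice", old_key)
    print(store.observe("alice", old_key))   # verified contact, same key
    print(store.observe("alice", new_key))   # key no longer matches the pin
```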
Additional features, from playing games to following public accounts, are key drivers behind the popularity of the app, which clocked 1.17 billion users worldwide by March 2020, according to Statista. Note that Viber stores the metadata – basic information about activity on the app, such as the time and identity of the persons who were communicating. Registration information, including the email and phone number, is also stored.
While the other apps on this list are free, Threema comes at a $2.99 cost. But on the other hand, it doesn’t require your phone number or email to register an account. You get a unique Threema ID, which is particularly beneficial in keeping you anonymous.
With this open-source and end-to-end encrypted messaging app, you get to protect everything from your voice calls, files and group chats through to your status messages. Once you send a message from the app and it’s delivered to the recipient, it is deleted immediately from the app’s Switzerland-based servers.
You could choose to link your email address and/or phone number to the Threema ID (it’s optional). In this case, only the checksum values (HMAC-SHA256 hash) of the number or email are sent to the server. Note that a brute force attack can be used to determine the phone number that’s associated with a particular checksum, because a phone number has relatively few possible digit combinations. You can remove the phone number or address any time you choose.
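The limit of the checksum comes from the input, not the hash: a 256-bit HMAC over a 10-digit number still has only about 33 bits to search. The following is an added example, not Threema's code; the key, the phone number, the function names and the hashing rate are constructed or assumed, and it assumes whoever runs the lookup holds the HMAC key.

```python
import hashlib
import hmac
import math

# Constructed stand-in for an app-wide HMAC key; not any real service's key.
APP_KEY = b"constructed-demo-key"

def checksum(phone: str, key: bytes = APP_KEY) -> str:
    """HMAC-SHA256 checksum of a phone number written as digits only."""
    return hmac.new(key, phone.encode("ascii"), hashlib.sha256).hexdigest()

def keyspace_bits(free_digits: int) -> float:
    """Bits of entropy in a number with this many unknown decimal digits."""
    return free_digits * math.log2(10)

def seconds_to_exhaust(free_digits: int, hashes_per_second: float) -> float:
    """Time to hash every candidate at an assumed rate."""
    return 10 ** free_digits / hashes_per_second

def recover(target: str, prefix: str, free_digits: int, key: bytes = APP_KEY):
    """Hash every number under a known prefix; return the one matching target."""
    for n in range(10 ** free_digits):
        candidate = f"{prefix}{n:0{free_digits}d}"
        if hmac.compare_digest(checksum(candidate, key), target):
            return candidate
    return None

if __name__ == "__main__":
    # Constructed number in a fictional range; only the last 4 digits are unknown.
    stored = checksum("12025550142")
    print("recovered:", recover(stored, "1202555", 4))
    print("10 unknown digits = %.1f bits" % keyspace_bits(10))
    # Assumed rate of one million HMACs per second on a single machine.
    print("full search: %.0f s" % seconds_to_exhaust(10, 1e6))
```

The checksum output is 64 hex characters long whatever the input, so its length says nothing about how hard the input is to find.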
The 5 apps on this list are available for both Android and Apple devices. The messages are encrypted across the different platforms and devices. Note that for the apps that allow messages to be backed up to the cloud, the encryption keys will be controlled by the app providers, which will create a security loophole, since the messages could be retrieved were the server or cloud provider hacked or subpoenaed.
An additional app worth mentioning is Apple’s iMessage, but it only offers end-to-end encryption between iMessage users. Messages that are sent to non-Apple devices are not protected by the encryption. Another app that’s steadily growing its userbase is Wickr. It comes with default end-to-end encryption, self-destructing messages, and even screenshot detection that notifies the other participant in the conversation that a screenshot has been taken. The Android version of Wickr goes further and disables screenshots altogether.