Thankfully, several messaging apps take your security and privacy seriously and use end-to-end encryption to prevent anyone except you and the intended recipient from seeing the message’s contents.
What is encrypted messaging?
End-to-end encryption (E2EE) is a method of encrypting data that only allows the sender and receiver of the message to decrypt and read messages passed between them. More important, encryption prevents apps from storing copies of your messages on servers, which would put them within reach of government authorities.
The best messaging apps for security
With many good options available, here’s our take on some of the most secure messaging apps on the market.
Apple’s iMessage is only available on Apple devices, but it packs a punch in providing security to those users.
On top of offering end-to-end encryption between iMessage users, the app allows users to control how long the message stays up and how many times the recipient can view the message. Note: This feature is only available to those who have iOS 10 and above.
One issue with iMessage, though, is the option to backup your iMessages to iCloud. On the cloud, messages are encrypted by keys controlled by Apple, meaning that if your iCloud were ever hacked or subpoenaed, those messages could be revealed.
Apple’s CEO, Tim Cook, is a big advocate for personal privacy, and its end-to-end encrypted messaging app seems to indicate that the company is committed to providing security to its users. Just avoid storing your messages on web-based platforms like iCloud.
Founded by privacy and security advocates in San Francisco in 2012, Wickr was one of the first messaging apps to adopt end-to-end encryption. Messages are encrypted by default, and the company undergoes regular security audits. As of 2017, Wickr is also open-source.
The messaging app comes in two forms: Wickr Me and Wickr Pro. The former is free and for personal use, while the latter is for businesses and collaborating teams, who pay a subscription fee. Wickr has several features that make the app secure, including screenshot detection, blocking third-party keyboards on iOS, and ensuring any deleted files are completely unrecoverable.
Unfortunately, Wickr doesn’t have as many users as WhatsApp, Viber, and Signal, so you might have to recruit people to talk to.
Viber has about 260 million monthly active users and is primarily positioned as a competitor to the less-secure Skype. Historically, Viber never offered advanced security features, but it finally delivered end-to-end encryption in April 2016.
The app has end-to-end encryption on all its available platforms (Mac, Windows, iOS, and Android) and also color codes your chats based on how secure they are. Gray denotes encrypted communication, green means an encrypted communication with a trusted contact, and red means the authentication key has an issue.
The one big limitation to Viber is that it only supports end-to-end encryption for one-on-one chats—group chats are not given the same level of security as individual conversations.
Formerly called RedPhone, Signal is the darling of the information security community and is growing slowly in popularity among the masses. It still has nowhere near the same reach as WhatsApp, though.
By default, Signal provides end-to-end encryption for all voice calls, video calls, and instant messages with its own protocol. The Signal Protocol is arguably the most secure messaging protocol developed—it amalgamates the Extended Triple Diffie-Hellman (X3DH) key agreement protocol, Double Ratchet algorithm, AES-256, and Sesame for managing encryption across multiple devices.
This technology is entirely open-source, which means its security can be vouched for and has been adopted by other messaging services like WhatsApp and Skype.
— Edward Snowden (@Snowden) November 2, 2015
To verify that your conversation with another person is private, each Signal conversation has a unique device safety number to verify the security of your messages and calls with specific contacts. This is especially useful for preventing man-in-the-middle attacks—if a safety number changes more frequently than you’d expect for someone switching devices or reinstalling Signal, for instance, it may indicate that something is awry.
Back in 2016, Signal proved its trustworthiness when the messaging app was subpoenaed and the only data it could produce was the time of an account’s creation and the most recent date that a user connected to its servers.
Signal also allows you to secure the app with a password so you can protect your messages if they fall into the wrong hands. There’s also an option to set a time limit for how long you want your message to show in a chat.
The only problem with Signal is that you have to provide a phone number to use it, although you can get around this by using a “burner” phone or SIM card. As an added plus, the app doesn’t need to run on the same phone it was registered with.
Jabber and OTR are different from the rest of the pack: Technically speaking, they’re not a messenger app. They are two protocols that when stacked on top of each other provide a free, secure, open-source, decentralized platform. Plenty of apps support Jabber with OTR, such as Pidgin for Windows/Linux or Adium for Mac. There is also the newly released Tor Messenger and Chat Secure for your mobile phone.
Sadly, Jabber/OTR does not function very smoothly on mobile, as the protocol needs an almost continuous connection between you and your peer. The lack of features, even as basic as sending attachments, can also be frustrating. However, if you need a protocol that can be trusted to keep out even the most powerful of adversaries, Jabber/OTR is the best choice.
Jabber/OTR is also the only solution that can be set up anonymously. Read more in ExpressVPN’s guide to anonymous messaging.
Telegram was built by brothers Nikolai and Pavel Durov, exiled Russian-born billionaires, previously famous for the Facebook clone Vkontakte (now VK). Pavel Durov had to leave VK in 2014 over a dispute about handing over Ukrainian protesters’ user data. Consequently, the brothers left Russia for Berlin and founded Telegram there.
The messaging app uses its own protocol, MTProto, to encrypt your messages, though they aren’t encrypted by default, and you have to create new “Secret Chats” to encrypt them. When enabled, you can set messages to self-destruct across all your devices automatically or at a set time. If you don’t encrypt your chat, then your data is stored on Telegram’s servers, which puts the security of your messages at risk.
While the client-side code for Telegram is open-source, server-side code is not, making the app only partially open-source. The app also leaks a lot of metadata. A security researcher found a way for an attacker to know when a user is online or offline, therefore allowing them to work out who is talking to who, and when. We recommend caution if you’re using Telegram.
What is the best secure messaging app?
There’s a lot of messengers to choose from, but Signal is really your best bet, in terms of all-around reach, security, and features. WhatsApp may be used by more people, but its ties to Facebook are worrying. Jabber is certainly the most secure, but its reach and lack of features make it challenging for everyday use.
For more ways to secure your mobile device, check out ExpressVPN’s mobile security guide.