Messaging App Security: Which Apps Are Best for Preserving Privacy?


Messaging apps are an easy way to keep in touch with friends, family and colleagues. However, it is important to remember online privacy and security when using them.

The main security concern for messaging apps is privacy: the extent to which personal communications are accessible to third parties, which companies develop the applications, and even whether government agencies collect data on citizens. When assessing the security of messaging apps, the following key points need to be considered:

End-to-end encryption

Does the app use end-to-end encryption? With end-to-end encryption of personal messages, only the sender and the recipient of the messages have the keys to decrypt them.

Open source

Is it open source? Open source means that the application is open to external scrutiny and auditing by experts, which can be useful in drawing attention to weaknesses or vulnerabilities in the code.

Disappearing messages

Self-destructing, or disappearing, messages are automatically removed after a set period of time, depending on the settings you choose.

Data usage

Many secure messaging apps use end-to-end encryption, but they may collect data about users called metadata. Metadata includes information about who you are talking to, for how long, on what device, your IP address and phone number.

Signal

What is Signal?

Signal is a cross-platform encrypted messaging service for end-to-end encrypted voice calls and encrypted text messages. It is considered one of the most secure messaging apps on the market.

The Signal app is free and available on Android and iOS operating systems. There is also a desktop version of the application for Windows, Mac and Linux. To use the application, you only need a phone number.

Signal's user interface is similar to other popular messaging apps like WhatsApp and Facebook Messenger. Features include private messaging, group messaging, sending stickers, photos, file transfers, voice and video calls.

Signal has been around since 2013, but its popularity skyrocketed in 2022.

How secure is Signal?

  • Signal is not owned by any major technology company, but is an open source project supported by grants and donations. This means there are no ads, affiliate links, or hidden tracking.
  • Conversations in the Signal app are end-to-end encrypted. This means that they are not accessible to anyone (even Signal owners) except the participants themselves.
  • Other messaging apps offer end-to-end encryption as an option, but Signal comes with it by default.
  • Signal supports self-destructing (disappearing) messages that are automatically deleted after a set amount of time.
  • Signal tries not to collect excessive user data. All messages, images and files in the Signal app are stored locally on your phone.
  • Other apps, including WhatsApp and Wire, use the Signal messaging protocol for the most secure modes.

How did the messengers compare?

Now we will briefly describe the methodology of the security analysis performed. The figure below shows a diagram for generating ratings for each messenger.


For the analysis, we chose three main categories:

  1. Openness to the community
  2. Architecture
  3. Basic functionality

In the “Openness to the Community” category, the following were judged:

  • availability of reports from external auditors (including the presence of bug bounty programs)
  • availability of the messenger source code for researchers (client and server parts, encryption protocol)
  • availability of accessible and detailed documentation for messenger users

In this category, no technical checks are carried out, and the result obtained is based on the assessment of specialists participating in the project.
The maximum possible score for a messenger in this category is 12 points. In the “Architecture” and “Basic Functionality” categories, the assessment was based on the results of technical (instrumental) tests that were carried out according to the OWASP Mobile Security Testing Guide standard.

In the "Architecture" category, instrumental checks were used to assess the following:

  • security of the messenger data (for example, configuration files necessary for the messenger to work)
  • security of communication channels (for example, implementation of data transfer to the messenger server)
  • security of backup copies (for example, application files created by both the messenger and the smartphone operating system)
  • security of user profile data (for example, user login, location)

If there were deficiencies in any of the checks, the maximum category score was reduced, and the maximum possible score was 200 points.

In the "Basic functionality" category, the correct operation of the following messenger functions was assessed:

  • messaging (including files of various formats)
  • making video and audio calls

The maximum score in this category is 120 points.
Thus, the maximum final score for the messenger can be 332 points and is added up in the following ratio:


If you are interested in learning more, full information about the methodology of the security analysis performed can be found here.

Note that the scope of our research did not include:

  • source code analysis: it is not available for all messengers.
  • research of the server side of messengers: it may include invasive effects and requires written consent to carry out this work.
  • cryptographic analysis of the encryption algorithms used and reverse engineering of the messengers: this work would take much more time than was allocated for the project, so we leave it to the cryptography specialists.

Telegram

What is Telegram?

Telegram, founded by Russian entrepreneur Pavel Durov, is a cross-platform messaging service that first launched on iOS and Android in 2013. Telegram's core features are the same as most other messaging apps: you can send messages to other Telegram users, create group chats, make calls, and send files and stickers.

How secure is Telegram?

  • Telegram also uses end-to-end encryption. Telegram's encryption prevents anyone other than the participants in the two-way dialogue (no company, government, attacker or anyone else) from seeing sent messages.
  • However, Telegram only uses this encryption for calls and for the "secret chats" feature, not for regular chats. In regular chats, only data transferred from the client to the server is encrypted. WhatsApp, considered by some to be less secure, has had end-to-end encryption for messages, calls and video calls since 2016.
  • The reason is that Telegram, for the most part, uses cloud storage. Essentially, all messages and photos are stored on a secure server. This means they can be accessed from any connected device, making Telegram less platform dependent than other apps like WhatsApp.

What messengers will we talk about?

Note that the messengers for our review were selected based on an analysis of existing open research on messenger security, their popularity in Russia and their positioning in the market.
Based on the results of an assessment and a study of the opinions of industry experts, our team selected three messengers focused on protecting user data:

  1. Signal is a non-profit project of Open Whisper Systems
  2. Telegram is a non-profit project of Telegram FZ-LLC
  3. Wickr Me is a commercial project of Wickr Inc with a free version

To study instant messengers, we used the latest versions available at the time of the study in the App Store and Google Play.


The messengers were installed on smartphones with iOS version 13.3.1 and Android version 7.1.2, and superuser rights were obtained on the smartphones in advance (jailbreak for iOS and root access for Android).

Wire

What is Wire?

Wire, launched in 2014, is positioned as a secure messaging app. Wire is based in Switzerland, one of the most favorable countries in the world for developing secure online services and messaging applications. Wire can be used in Android, iOS, macOS, Windows operating systems and popular browsers.

How secure is Wire?

  • Wire also uses end-to-end encryption. Wire encryption works transparently in the background and does not require activation because it is always on.
  • Wire does not sell analytics or data usage information to third parties.
  • Like Signal, Wire is open source, available for users to explore, review, and improve (in this case, via GitHub).
  • External experts conducted a public audit of Wire. Published audit results can be viewed online if you do not have the time or knowledge to view the source code.
  • To register with Wire, you only need an email address, not a phone number.
  • The application is fully GDPR compliant.

WhatsApp

What is WhatsApp?

WhatsApp has 1.5 billion users worldwide and probably needs no introduction. WhatsApp was one of the first messaging apps to offer end-to-end encryption for secure communication. The WhatsApp messenger is owned by Facebook, a company whose privacy credentials are in question.

How secure is WhatsApp?

  • WhatsApp uses encryption; users receive an explicit warning if end-to-end encryption is not applied to a specific chat.
  • WhatsApp doesn't store messages on servers, so if cybercriminals hack the platform, they won't be able to decrypt messages.
  • Additionally, WhatsApp does not have a key to view encrypted messages. By default, messages are stored in WhatsApp in such a way that you can back them up to the cloud using iOS or Android.
  • WhatsApp features two-step verification to enhance account security. This is done by setting a PIN code, which is necessary to verify the phone number on any device.
  • WhatsApp is owned by Facebook, which is sometimes perceived as a privacy flaw. WhatsApp receives and shares information with other Facebook companies. This means that the data is shared with advertisers, who use it for targeted advertising.

Basic functionality

This category can be expanded indefinitely, but our team did not have a goal to examine all the implemented features, and we settled on studying the basic functionality of instant messengers and their security:

  • message exchange
  • making audio and video calls

Note: Use in an enterprise environment was not considered.

The leaders in this category are Wickr Me and Telegram, which gained the maximum number of points.

The Signal messenger version for the Android platform contains a flaw in exception handling that causes the application to stop (that is, the messenger immediately closes), so Signal scored lower in this category.

Threema

What is Threema?

Threema is an end-to-end encrypted messaging app. Unlike other apps, creating a Threema account does not require you to provide an email address or phone number, which provides users with a very high level of anonymity. Threema features include text and voice messaging, voice and video calling, group chats and mailing lists. The Threema app is not free. The app developer company Threema is based in Switzerland.

How secure is Threema?

  • A key principle of Threema is limiting metadata. To prevent data abuse, Threema servers permanently delete messages after delivery to recipients.
  • Data that other apps would typically manage on the server is managed locally on the user's device in Threema. This means that any conversation is protected from eavesdropping.
  • As a result, decrypted connections are not forwarded, so no one other than the intended recipient can read the message.
  • Threema is open source, so users can check the encryption strength themselves.
  • However, the app does not support two-factor authentication.

Wickr Me

What is Wickr Me?

Wickr was founded in 2012 by a group of security and privacy experts. This is one of the few secure messaging apps that can be used truly anonymously. Wickr has different applications aimed at different groups of users: Wickr Me, Wickr Pro, Wickr RAM and Wickr Enterprise. Wickr Me is aimed at individual users.

When you sign up for Wickr Me, you don't need to provide an email address or phone number. This ensures that the application does not have access to or collect user data. Wickr can also be used as a collaboration tool, not just a messaging app, as Wickr allows you to share your screen, location, and online statuses.

How safe is Wickr Me?

  • The app uses end-to-end encryption for all messages and files, including images and videos. This ensures that when data is transferred from one device to another, unauthorized persons will not be able to access it.
  • All Wickr messages are encrypted locally on the device using a separate key for each message. This means that only Wickr users have the keys to decrypt messages. In addition to encrypting user data and conversations, Wickr removes metadata from content sent over the network.
  • Encryption is enabled by default and transparency reports are available to all Wickr users.
  • The application supports two-factor authentication.
  • Wickr does not log IP addresses or other metadata.
  • Wickr is an open source app and also supports disappearing messages.
  • Wickr has a feature that allows users to detect screenshots: if someone takes a screenshot of a sent message, the sender of that message will receive a notification.

And what happened?

Wickr Me scored the highest number of points, 304 out of a possible 332:


The table shows how each messenger was rated:


Let's take a look at the leaders in each category and the shortcomings we found, then look at each of them in a little more detail.

Viber

What is Viber?

Viber is a cross-platform voice over IP and instant messaging application developed by the Japanese multinational corporation Rakuten. The application can be downloaded for free. It allows you to make free calls, send text messages, images and videos to other Viber users. Viber can be used to create group chats with up to 250 people and group calls with up to 20 people at a time.

How secure is Viber?

  • If users choose the appropriate data transfer method, Viber provides encryption for voice and video chats on mobile devices and major operating systems.
  • Previously, only personal communications were protected, but now group chats are also protected with end-to-end encryption.
  • Each Viber chat is color coded depending on the level of encryption:
      • Green – the chat is encrypted, therefore the corresponding contact is trusted.
      • Gray – the chat is encrypted, but the corresponding contact is not marked as trusted.
      • Red – contact authentication problem.

Skype – secure chat and convenient video calls with friends

Skype is often used to communicate with colleagues and business partners.

Skype is a program popular worldwide that is mostly used for making video calls. End-to-end encryption technology makes all conversations as safe and secure as possible; you can create secret chats. As a rule, Skype is used for work, although many people prefer this program for personal communication.

Skype releases updates frequently and you need to install them to improve your security when communicating with users.

The messenger has been around for many years and is still popular. Not long ago it was adapted for mobile gadgets. The functionality of the mobile version includes the following:

  • sending voice messages;
  • sending audio messages;
  • making video calls;
  • making voice calls;
  • sending text messages;
  • sending documents, images, photographs, media objects.

The program is available free of charge for downloading on any device.

Dust

What is Dust?

The Dust application, formerly known as Cyber Dust, is designed for private messaging. To ensure the security of communications, the application uses end-to-end encryption. The app's website says: "You can erase your messages from other people's phones. They are not stored on phones and servers permanently. The messages are securely encrypted and inaccessible to anyone, not even us."

How safe is Dust?

  • The application allows you to send private messages to people from your contact list. Such messages are called Dusts. You can set messages to disappear within 24 hours or immediately after being read.
  • You can also send messages to a group of people that each recipient reads privately. These messages are called Blasts.
  • The Dust app is configured to not display usernames in messages. It also informs you if a screenshot has been taken from an app.
  • Not only is Dust a secure messenger, it also has a privacy control feature and a tool for maintaining privacy while searching the web.

Conclusion

We conducted a comparative analysis of the security of three messengers that position themselves as safe, and found that all messengers have a number of common shortcomings, and Signal and Telegram also had shortcomings in the implementation of storing sensitive information in local storage.
Despite the fact that the exploitation of the above shortcomings is only possible if you have physical access to the smartphone, according to our team’s assessment, all these shortcomings reduce the level of security of user data.

Based on the results of all checks, the leader of our research was the Wickr Me messenger, which scored 304 points and which had the fewest flaws identified.

The conclusion is simple: there are no absolutely secure instant messengers, but we hope that thanks to this research you will be able to maintain confidentiality and increase the security of your communications, knowing about all the pitfalls of the service you choose.

iMessage

What is iMessage?

iMessage is an instant messaging service developed by Apple and launched in 2011. iMessage runs exclusively on Apple platforms: iOS, macOS, iPadOS and watchOS.

How secure is iMessage?

  • iMessage provides end-to-end encryption for data sent between users.
  • A potential security issue is the ability to back up iMessages to iCloud. Messages stored in the cloud are encrypted with keys controlled by Apple, so if your iCloud was ever hacked, those messages could be exposed.
  • The solution to this problem is to not store private messages on web platforms such as iCloud to enhance security.
  • iMessage allows users to control how long photos, videos and messages are displayed before they disappear. You can also specify how many times the recipient can view the message. However, this feature is only available on iOS 10 and above.

Line

What is Line?

Line is a free, secure messaging app created after the 2011 tsunami in Japan. As a result of the natural disaster, many normal communication channels were disrupted. The Line app was developed by internet company Naver as a communication tool for employees.

Later that year, Naver released the app to the general public in Japan, where it became incredibly popular. The app then gained popularity in Asia.

How safe is Line?

  • Line provides end-to-end encryption as long as users agree to use this feature. In the application it is called “Letter Sealing”.
  • You can use your phone number or Facebook account to register in the app.

Using a secure communication app protects you from criminals trying to steal your data. Different apps have different security features and general functionality, so which app you choose depends on which features are most important to you.

Messaging app security

While the security of the apps themselves is important, it's also a good idea to follow these messaging security tips:

Be careful when using public Wi-Fi networks

Public Wi-Fi networks are often free, but they also pose security problems. Public networks tend to be used by many people, so they are often targeted by attackers. Attackers can easily intercept data sent over Wi-Fi: photos, messages, passwords, usernames and banking information. Using a VPN can help protect against security breaches.

Avoid sending personal information on messaging apps or text messages

Do not provide passwords, credit card information, or other personal information in messages. Beware of revealing personal information to strangers with whom you communicate via instant messaging. Attackers can use even such seemingly innocent information as the name of your employer against you.

Be careful when following links from messages

To avoid falling victim to phishing scams, never click on links in instant messages from people you don't know, trust, or have never met in real life.

Protect your phone with security software

In addition to protecting your device with a password or PIN, it is also recommended to use a security program. For example, Kaspersky Internet Security for Android blocks suspicious apps, websites, and files, and prevents spyware from tracking calls, text messages, and location.

Facebook Messenger – full synchronization with Facebook, chat with friends around the world

With Facebook Messenger you can chat with friends around the world

The program is available separately from the Facebook social network, so you can install it even if you do not have a personal profile in the Mark Zuckerberg project. It is enough to use anonymous mail, and the message is encrypted using the Secret Conversations function.

Facebook Messenger brings people together on its social network and allows you to send messages to the other side of the planet. Regardless of your location, you can quickly and comfortably communicate with family, loved ones and friends.

In terms of the number of downloads, WhatsApp is catching up but still trails Facebook Messenger. The app works in any region of the world. The address book is formed based on the phone number and identification of friends on the social network Facebook.

Full synchronization of data with the social network is provided. If you send a message through the browser version, it will be displayed in the mobile application. The situation is similar in reverse.
