How to Choose the Right Private and Secure Messaging Application?
At this point, after the shocking revelations of the Snowden files, it is more than evident that anyone can read what you type on your computer or phone. And knowing that the companies you trust, like Microsoft and Google, have been in on this, it is time for you to look for alternative applications that are private and secure––that make it impossible for any third party to access or modify your conversations and data.
This Geekswipe edition is from our test range, where I have picked the most popular private instant messaging applications from the multitude of choices in the app stores and tested them all from the perspective of user privacy, security, and convenience––in that order.
For a message to be private between the sender and receiver, it should only be decryptable and readable by the two parties involved in the conversation. Not the ISP, not the company that makes the application, and not even your dog. So the first things you need to look for in a private messenger are the encryption protocol it uses, how the keys are exchanged, and whether it is end-to-end encrypted (E2EE) by default.
But watch out for businesses that lure you in with the word ‘encryption’. For example, one of the most popular IMs today is WhatsApp, which is owned by Facebook. It does have E2EE enabled by default and claims to use the Signal protocol. But as it is proprietary software, there is no way to independently verify that claim. Also, Facebook can do anything they want while your message is in transit (a man-in-the-middle attack), and you would never know whether your message has been mined for keywords and interests. And above all, the metadata Facebook harvests for its unwarranted psychological studies and personal ad targeting on its users is well-known. The case is no different with Microsoft either.
So even if an application claims to be E2EE, you need to be wary of how it is applied and how transparent the creators are. Most open-source applications are transparent to the point where you can assess the client-side code yourself to verify E2EE. For the server-side implementation, you can read third-party audits to understand the level of security in the application and follow the transparency reports published by the creators to check the privacy status of all the data they handle. One of the advantages of open-source projects is that vulnerabilities and zero-day exploits will be identified and fixed sooner than in closed-source projects.
Wire and Signal
Applications like Wire and Signal are good examples on this front. They are open-source, with regular third-party audits of the server side, and they publish transparency reports.
Wickr is a proprietary application, yet it has open-source components and strong device-to-device encryption based on the open-source Wickr protocol. Wickr stands out with its forensic deletion of messages––which means messages you delete cannot be forensically recovered from the device.
Then there are apps like Telegram that are not E2EE by default, with much of the server-side implementation non-transparent, and with some security traded off for cross-platform sync and usability. Telegram also uses its own in-house encryption protocol, MTProto, which is considered weak and untested in the field of cryptography when compared to well-tested standard ones like the Signal protocol or Matrix.
Self-destructing messages are one of the essential features an application focused on privacy should have. This basically lets you have text conversations with an expiry timer on each message, which helps in cases where you wouldn’t want to retain the conversation on the device. Wickr is well-known for this particular feature. Both Wire and Signal support it too. Telegram supports it in its secret chats.
Server sync and message handling
For foolproof privacy, you don’t want a copy of your non-E2EE message lingering around on the servers of the application provider. Server retention policies differ between applications.
Popular applications like Wire, Wickr, and Signal are E2EE, and the providers don’t have access to the keys. This means that even in case of a server breach, your messages remain encrypted.
In the case of Telegram, they claim that their non-E2EE messages are encrypted and stored on their servers, and the keys of that encryption are distributed among different jurisdictions. So use it at your own discretion.
So when you choose an application, make sure the server-side storage is encrypted, that the encryption keys are distributed, and that you have the control to delete your messages at any time.
Metadata and anonymity
Apart from your actual message, the metadata around the conversation can be used for analytics and other private profiling. This is a common concern when it comes to proprietary applications like WhatsApp, Skype, and Facebook Messenger, which are known to profile the texting habits of their users. Avoid anything that is proprietary and closed-source.
Also, apps like Signal and Telegram require a phone number to register with their service, and Wire requires an email. On this front, Wickr is pretty neat, as they don’t require any identifiable information to create an account. If you are looking for anonymous chat, go for Wickr or Ricochet.
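To make the two points above concrete (a relay that cannot read or alter E2EE messages, yet still sees who talks to whom and when), here is an added toy example. It is not code from Geekswipe or from any of the apps discussed: Alice and Bob agree on a key with Diffie-Hellman over the RFC 3526 2048-bit MODP group, derive message keys with HKDF, and encrypt-then-MAC each message. The "cipher" is an HMAC-SHA256 counter-mode keystream, chosen only so the example runs on the Python standard library; the party names, the relay server, the info string and the sample message are all constructed for the demo.

```python
"""Toy end-to-end encrypted relay (illustration only, not production crypto)."""
import hashlib
import hmac
import secrets
import time

# Diffie-Hellman parameters: RFC 3526 group 14 (2048-bit MODP), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def hkdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) with an all-zero salt: turns the DH secret into keys."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (demo only, not AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag over nonce+ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; any modification in transit is rejected before decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


class Party:
    """One chat participant holding a DH key pair; the private key never leaves the device."""
    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.enc_key = self.mac_key = None

    def derive_keys(self, peer_pub: int) -> None:
        shared = pow(peer_pub, self.priv, P).to_bytes(256, "big")
        km = hkdf(shared, b"toy-e2ee-demo", 64)   # constructed info string
        self.enc_key, self.mac_key = km[:32], km[32:]


class RelayServer:
    """Holds exactly what an E2EE provider holds: opaque envelopes plus metadata."""
    def __init__(self):
        self.log = []        # who talked to whom, when, and how much: metadata
        self.mailbox = {}    # ciphertext only; the server has no keys

    def relay(self, sender: str, recipient: str, blob: bytes) -> None:
        self.log.append({"from": sender, "to": recipient, "size": len(blob), "time": time.time()})
        self.mailbox.setdefault(recipient, []).append((sender, blob))


def run_demo(message: bytes = b"meet at 9, bring the documents") -> dict:
    alice, bob, server = Party("alice"), Party("bob"), RelayServer()
    # Public keys may travel through the server; the shared secret never does.
    # (They travel unauthenticated here, which is exactly the gap that safety-number
    # / fingerprint verification in real apps closes against a key-swapping relay.)
    alice.derive_keys(bob.pub)
    bob.derive_keys(alice.pub)
    server.relay("alice", "bob", encrypt(alice.enc_key, alice.mac_key, message))
    _, blob = server.mailbox["bob"][0]
    received = decrypt(bob.enc_key, bob.mac_key, blob)
    # A relay (or anyone with a server dump) flipping one ciphertext byte is caught.
    tampered = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]
    try:
        decrypt(bob.enc_key, bob.mac_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "received": received,
        "ciphertext_leaks_plaintext": message in blob,
        "tamper_detected": tamper_detected,
        "server_sees": server.log[0],
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it and look at `server_sees`: even though the relay never learns the message, it still records sender, recipient, size and time, which is the metadata the section is warning about. Swapping the toy cipher for AES-GCM and the plain DH for X3DH plus a ratchet is what separates this sketch from the Signal protocol; the shape of what the server can and cannot see stays the same.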
A private and secure IM for everyday use
There is no fully secure app in this world. You just have to pick the application that suits you the most based on the technical information available. I tested the following applications with my friends, family, and co-workers to get a consensus on their inclinations.
I’ve got to admit! It was quite hard to get a few of them out of the network effect and make the switch to one of these apps. Obviously, the less technically informed prefer Telegram over the rest I suggested. The geek monkeys like me, however, found Wire outstandingly good, despite its UI bugs and quirks. My Signal and Wickr contact lists, though, are still crickets.
Now for one-on-one conversations with my close friends whom I can request to switch to a temporary application for some sensitive conversations, we found Wickr and Ricochet to be the perfect candidates. Ricochet is an exception here, as it cannot be used as an everyday IM. And Wire wasn’t that good with its sluggish Electron app when it comes to desktops.
So the conclusive result for an average person is that they prefer usability despite the trade-offs in security and privacy. It is up to you to choose the right application, depending on the level of trust you need, how much usability you are willing to trade off for security, and how willing you are to convince your family and friends to switch to a better application.
This post was first published on September 24, 2013.