From WhatsApp to Snapchat, messaging apps provide a free and easy-to-use service to communicate with friends, family, and co-workers.
Before you search on the app stores or ask your friends about their messaging app of choice, be sure to take a step back and examine each app’s practices when it comes to protecting your privacy. One feature to look for is end-to-end encryption (E2EE).
[Get the latest on online privacy and security in our weekly blog newsletter.]
Without encryption, private messages can be read by the company behind the app, as well as third parties such as governments that collect private data on their citizens. Not even using the best VPN would help you if you’re using a messaging service that stores identifiable metadata about your conversations on its server.
Encryption makes societies freer, despite government efforts to undermine it, and thankfully several messaging apps use E2EE to prevent anyone except you and the intended recipient from reading the messages you send.
What is encrypted messaging?
End-to-end encryption (E2EE) is a method of encrypting data that only allows the sender and receiver of the message to decrypt and read messages passed between them. More importantly, encryption prevents apps from storing copies of your messages on its servers, which would put them within reach of government authorities.
Apps that don’t have E2EE for messaging by default, if at all, as of writing are:
- Snapchat (has E2EE for photos and videos)
- Kik
- Google Hangouts
- KakaoTalk
- Line (opt-in E2EE)
- Skype (opt-in E2EE)
- Facebook Messenger (opt-in E2EE)
- Telegram (opt-in E2EE)
Privacy and security review of encrypted messaging apps
With many good options available, here’s our take on some of the most widely used and secure messaging apps, in no particular order. We also want to note that while some of these apps have enterprise (paid) versions, we’ll mostly be focusing on the features they have in the free versions of these apps.
1. Messages (formerly iMessage)
Compatible operating systems: MacOS, iOS
Price: Free (on Apple devices)
Apple’s Messages is only available on Apple devices, but it packs a punch with its security features.
The good
On top of offering end-to-end encryption between users, Messages allows users to control how long the message stays up and how many times the recipient can view the message (although this feature is only available to those who have iOS 10 and above).
Regardless of which Apple device you’re using, whether it’s iOS, watchOS, or iPadOS, your messages are end-to-end encrypted and cannot be accessed without a passcode. Users of Apple’s FaceTime can also rest easy knowing that their video calls are E2EE too.
The bad
Messages is only available on Apple devices, meaning any message you send via Messages to a non-Apple device will not be encrypted. One major security loophole is the option to backup your Messages to iCloud. On the cloud, messages are encrypted by keys controlled by Apple, meaning that if your iCloud were ever hacked or subpoenaed, those messages could be revealed.
Apple’s CEO, Tim Cook, has said that Apple “believe(s) that privacy is a fundamental human right,” and at least in its Messages and Facetime it appears to take this commitment seriously. Just avoid storing your messages on web-based platforms like iCloud—toggle off messages in settings so they’re not stored on the cloud.
Would we recommend this app? Only if you know the other person is receiving the message on an Apple device. You should avoid using Messages if you’re communicating with people who do not have it on their devices.
2. Wickr
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free, or up to 25 USD/month for an enterprise account
Founded by privacy and security advocates in San Francisco in 2012, Wickr was one of the first messaging apps to adopt end-to-end encryption. Messages are encrypted by default, and the company undergoes regular security audits. As of 2017, Wickr is also open source.
There is a free version of the Wickr app, which allows up to 10 users, and three paid tiers that charge up to 25 USD/month, and allow unlimited users.
Wickr has several features that make the app secure, including screenshot detection, blocking third-party keyboards on iOS, and ensuring any deleted files are completely unrecoverable.
The good
The app’s free and paid versions both have plenty of security features, such as self-destructing messages, content shredding, and an inability to take screenshots (on Android only).
The bad
Unfortunately, Wickr doesn’t have as many users as WhatsApp, Viber, and Signal, so you might have to recruit people to talk to.
The messages are also bound to both your account and your device, and the app won’t sync your messages across devices. That could amount to multiple separate conversations with your contacts—which makes it seems like they’ve made the app secure to a fault.
Would we recommend this app? Yes, if you can find more people who also use it.
3. Viber
Compatible operating systems: Windows, MacOS, Android, iOS, HarmonyOS
Price: Free
Viber has about 260 million monthly active users and is primarily positioned as a competitor to the less-secure Skype on mobile. It’s enabled end-to-end encryption since April 2016.
The good
The app has end-to-end encryption on all its available platforms (Mac, Windows, iOS, and Android) and also color codes your chats based on how secure they are: Gray denotes encrypted communication, green means an encrypted communication with a trusted contact, and red means the authentication key has an issue. Viber also supports self-destructing messages in its secret-chats feature.
The bad
The one big limitation to Viber is that it only supports end-to-end encryption for one-on-one chats—group chats are not offered the same level of security as individual conversations. It also requires a phone number to sign up.
Would we recommend this app? Only if you’re using the app for directly messaging and individual video calls. Group chats will not be encrypted, so if you want an app that encrypts both, don’t use Viber.
4. Signal
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free
Née RedPhone, Signal has become the darling of the information security community since its release in 2014, and has grown in popularity among ordinary users too. It still has nowhere near the same number of active users as WhatsApp, though.
The good
By default, Signal provides end-to-end encryption for all voice calls, video calls, and instant messages with its own protocol.
This technology is 100% open source, which means its security is vetted by cybersecurity experts and its technology has been adopted by other messaging services like WhatsApp and Skype as well.
To verify that your conversation with another person is private, each Signal conversation has a unique device safety number to verify the security of your messages and calls with specific contacts. This is especially useful for preventing man-in-the-middle attacks—if a safety number changes more frequently than you’d expect for someone switching devices or reinstalling Signal, for instance, it may indicate that something is awry.
Signal also allows you to secure the app with a password so you can protect your messages if they fall into the wrong hands. There is an option to send self-destructing messages too.
The bad
You’ll need to provide a phone number to sign up, although you can opt to use a “burner” phone or SIM card. Signal’s aware of this limitation and is currently experimenting with PINs to reduce reliance on phone numbers. This Signal PIN will allow users who may have lost their devices or had them stolen to recover their data on a new device without starting from scratch, or having to use a phone number. It’s a start, but it’s not quite there yet.
Would we recommend this app? Yes—Signal is one of the best messaging apps you can use for secure communication. If you don’t want to use your phone number, you can resort to a burner phone. The company aims to reduce its reliance on phone numbers anyway, so this small irritant may also go away soon.
5. Jabber/OTR
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free
Jabber and OTR are different from the rest of the pack: Technically speaking, they’re not messaging apps. They are two protocols that when stacked on top of each other provide a free, secure, open-source, decentralized platform. Plenty of apps support Jabber with OTR, such as Pidgin for Windows/Linux or Adium for Mac. You can also download Tor Messenger and Chat Secure for your mobile phone, both of which support Jabber.
The good
Jabber/OTR can be set up anonymously. This means they don’t require a phone number or personally identifiable information during the sign up and registration process.
The bad
Sadly, Jabber/OTR does not function very smoothly on mobile compared to others on the list, as the protocol needs an almost continuous connection between you and your peer. The lack of supporting features, even as basic as sending attachments, can also be a frustrating limitation.
Would we recommend this app? If you need a protocol that can be trusted to keep out even the most powerful of adversaries, Jabber/OTR is the best choice.
Read more: ExpressVPN’s guide to anonymous messaging
6. Telegram
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free
Telegram was built by brothers Nikolai and Pavel Durov, exiled Russian-born billionaires, previously famous for the Facebook clone Vkontakte (now VK). Pavel Durov had to leave VK in 2014 over a dispute about handing over Ukrainian protesters’ user data. Consequently, the brothers left Russia for Berlin and founded Telegram.
Telegram has recently gained popularity for organizing protests largely because it allows large chat groups of up to 10,000 members. This has in turn drawn the attention of state actors.
The good
The messaging app gives you the option to encrypt your messages, which you can enable with “Secret Chats” to encrypt them. When enabled, you can set messages to self-destruct across all your devices automatically or at a set time.
The bad
If you don’t encrypt your chat, then your data is stored on Telegram’s servers, which puts the security of your messages at risk.
Telegram also does not have E2EE by default—you’ll need to use its secret chats feature to enable it.
The client-side code for Telegram is open-source, but its server-side code is not. Telegram uses its own protocol, MTProto, to encrypt your messages, and they have not yet revealed the coding behind it. The app also leaks a lot of metadata. A security researcher found a way for an attacker to know when a user is online or offline, therefore allowing them to work out who is talking to who, and when. And just this year, Telegram’s ”People Nearby” feature has been demonstrated to show precise location data to hackers, which they don’t plan to fix.
Would we recommend this app? We can’t recommend Telegram for secure messaging. Consider deleting Telegram if you’re using it for secure messaging.
7. Wire
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free, or up to 9.50 USD/month for an enterprise account
Wire is an open-source and collaborative messaging app that has both a free version and plenty of useful features: fully encrypted video calls, secure file sharing, synced messages between devices, and others. Wire also offers a paid corporate subscription plan.
The good
On top of having E2EE for text messages, Wire also offers the same level of encryption for its video calls. It is open source, and if you want the convenience, you can transfer your messages across any device that you’re signed in to. It also has self-destructing messages, session verification to make sure you’re talking to the person you want to talk to, and a password lock for your app.
The bad
While Wire has E2EE and security features, it retains some significant metadata on its servers, including timestamps and participants lists. In fact, a 2018 report from the CrySP team at the University of Waterloo found that the app “…does not attempt to hide metadata, other than the central server promising not to log very much information.” It also keeps server-side logs for up to 72 hours “for the sole purpose of facilitating troubleshooting, improving the service and preventing abuse,” but it’s not clear what specific metadata is logged.
Would we recommend this app? Not until it stops collecting personally identifiable metadata.
8. Threema
Compatible operating systems: Android, iOS
Price: Free, 2.16 USD/month for enterprise accounts
Unlike a lot of apps on this list, Threema is a paid chat service that uses E2EE to encrypt calls and texts. It is partly open source and has been audited several times.
The good
Threema generates a unique key that allows you to use the app anonymously. It’s also open source, which often means it’s more secure.
The bad
Threema says that it deletes the messages you send from its servers once delivered, but it’s not clear whether that actually happens. If you do use Threema, bear in mind that the app collects significant amounts of metadata that it will provide to government authorities if a request is made.
Would we recommend this app? No.
9. WhatsApp
Compatible operating systems: Windows, MacOS, Android, iOS, KaiOS
Price: Free
Brian Acton and Jan Koum founded WhatsApp in 2009 originally for people to publish status updates, not dissimilar to Facebook’s statuses. It was the messaging feature, however, that saw its popularity skyrocket, and Facebook bought it in 2014. WhatsApp is end-to-end encrypted, but its ownership has raised concerns about how it could be used in future.
The good
Security-wise, WhatsApp’s default E2EE enhances its privacy and security from malicious actors (which could arguably include its Facebook owners too). Security flaws have appeared in the past, but if cybercriminals breached WhatsApp today, they couldn’t decrypt your conversations. It also has a lot of what may now be considered standard features like video calling, voice messaging, and file sharing.
The bad
It’s owned by Facebook. ’Nuff said.
Would we recommend this app? Not with better alternatives in the market. Like with Telegram, if you want secure messaging, consider deleting WhatsApp.
What is the best secure messaging app?
There are a lot of messaging apps to choose from, but Signal is really your best bet, in terms of reach, security, and privacy-enabled features. WhatsApp may be used by more people, but its ties to Facebook are worrying. Jabber is certainly the most secure, but its reach and lack of features make it challenging for everyday use.
However, keep in mind that end-to-end encryption is not the catch-all security feature to protect yourself from surveillance. Even if you use a secure messaging app, an unsecured device will allow anyone access to your messages. Protect your messaging apps with a password, and practice basic mobile security to ensure no one can gain entry to your device.
Read more:
Comments
signal is nice app Making all my communication secure ,and now they updated payment features too .
Thank you for the article. However, I wonder why,if we are talking about encrypted applications, the Utopia p2p https://u.is/en/ is not on the list? I believe, at the moment, this is one of the best applications that guarantees real data security.
Hi it’s james stook here i m the active user of signal app it’ really a nice app this makes full control of my messages , it has lot of advanced features like ‘disappearing messages’, ‘screen lock’, ‘incognito keyboard’, ‘read receipts’, ‘message trimming’ etc.
Signal is now compromised, the fbi is able to read communications between two users using signal
Signal copies every message you send! And what they encrypt they can unencrypt. What’sApp is OWNED BY FACEBOOK, a company with record of selling and logging your info, reading private messages and group chats and issuing censorship. Their recently changed privacy policy allowing them to collect even more of your private data. They advertised end-to-end encryption, but copy and store your messages unencrypted forms. Even Telegram copies every message you send. Nor does it automatically use end to end encryption. By default, it encrypts messages between you and it’s server, and it doesn’t encrypt group chats at all.
The only messaging app that is OFF-THE-WEB is ShazzleChat! ShazzleChat allows you to send directly to your receiver, off the web, with no copies. Shazzle even encrypts end-to-end for added protection.
Have you tried TwinMe? P2p protocol seems to be very secure and Olvid? (they say “most secure messaging app in the world” )
Signal is the only app that should be on this list. It should at least be number 1 on the list. Why? Because it is open source. Telegram, while I like it, should be on the “not E2EE or opt-in only” list, simply because that is the truth. Bias is the reason it is on the incorrect list, not error.
Such a biased article. Please fix it!
“Threema says that it deletes the messages you send from its servers once delivered, but it’s not clear whether that actually happens. ”
The same holds true for Signal. But only the latter gets a recommendation
“If you do use Threema, bear in mind that the app collects significant amounts of metadata”
It collects less metadata than Signal (no phone numbers!). But only the latter gets a recommendation.
“that it will provide to government authorities if a request is made. [Link to transparency report]”
Signal does not even have a transparency report. So it’s completely unclear what they do when the US government knocks on their door – which it certainly does considering CLOUD act.
I’m agree with you.
what about JAMI.
https://jami.net/
It is open source and encrypted
What u failed to review is Signal and many other apps have major ISSUES with taking too much permission like Full N/W access, Wifi access etc that will compromise Device and its contents, So even though they everything is encrypted, its actually steeling lot of information that you dont know.
It seems like Signal is paying to publicize its app big time, and diverting ordinary unsuspecting publics attention.
Just go an read its t&a and privacy…..it contradicts itself many places. Devil is in the details….
Example One hand it says it doesnt store data, another place it says it gives your data to authorities if they are bound to….how do u think its possible?
I use WhatsApp as a means of texting my son who lives in the UK while I’m in the US. Signal doesn’t seem to offer this option…
Hi Michael, Signal works in U.S. and UK, so this shouldn’t be a problem.
I exchange messages via Signal with friend in Paris.
As far as I know all messengers above use RSA for key exchange.
According to NIST quantum computers (and Shor’s algorithm) “will be able to break many of the public-key cryptosystems currently in use.
This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.”
(see https://csrc.nist.gov/projects/post-quantum-cryptography).
Recently I’ve found messenger wich does not use RSA.
It does not require registration and does not collect user data.
And in addition it uses Vernam algorithm for encryption – the only algorithm wich has an absolute cryptographic strength.
I use it for communication with my wife and closest friends.
But I’m not a specialist in cryptography and would like to ask you to make a review.
The official site is https://vernam.app/
In your article, you have mentioned Signal is the best app and recommended one, also highlighted Signal is having E2EE for all metadata. I appreciate your comparative study, but the fact is at the end of your article you have not given signal as an option to share this article, you have given only a few options that are FB, Twitter, Whatsapp, Telegram, and Gmail only. The most recommended app Signal is not there in the sharing option, I would like to know the reason for the same if Signal is too good.
What u failed to review is Signal and many other apps have major ISSUES with taking too much permission like Full N/W access, Wifi access etc that will compromise Device and its contents, So even though they everything is encrypted, its actually steeling lot of information that you dont know.
It seems like Signal is paying to publicize its app big time, and diverting ordinary unsuspecting publics attention.
Just go an read its t&a and privacy…..it contradicts itself many places. Devil is in the details….
One hand it says it doesnt store data, another place it says it gives your data to authorities if they are bound to….how do u think its possible?
Recently i install Signal app Really it’s have Great features of privacy , Frankly Guys it’s nice and best App For our Privacy . Thanks to Signal Team
What u failed to review is Signal and many other apps have major ISSUES with taking too much permission like Full N/W access, Wifi access etc that will compromise Device and its contents, So even though they everything is encrypted, its actually steeling lot of information that you dont know.
It seems like Signal is paying to publicize its app big time, and diverting ordinary unsuspecting publics attention.
How about you repeat yourself a few more times… just to be certain…
What is Jamie’s favorite sandwich?
Best encrypted messaging service – Signal – has unveiled a new logo. With this, Signal is more confident about protecting their user’s data from hackers and attackers.
Hi there! I’m an active user of Signal Private Messenger. The messenger is awesome because it offers me full control over my messages. The best part is that it has a lot of advanced features like ‘disappearing messages’, ‘screen lock’, ‘incognito keyboard’, ‘read receipts’, ‘message trimming’ etc.
Hi From India Using signal App last 1 year it’s Better Than What’s App and Other Messaging App so Thanks Signal Looking For New Update
What about Utopia?
I also wonder why there is no Utopia here
nice article , since I had to force all of the colleagues to use iMessage and switch over to macOS and also my boss had been wavering between what’s an app and iMessage and he always wanted to force me to use what’s an app because many of his retarded friends and business associates uses ‘ what’s an app by Facebook , tho he’s a huge fan of express vpn , now this article would be convincing enough to make him stick with apple iMessage , iMessage is clearly supreme comparing with other apps
“I’m really Conscious about my privacy and I always use a different apps to chat online. After extensive research, I found the Signal Private Messenger app which has been consistently ranked as one of the best messaging app so I decided to try it. It’s easy to use .
There are different options to chooce, knowing W app and messenger (FB). Are not garanty safety..
My Question is :
Witch App is the Best and most Secure in combination with Express VPN.
Regards,
Marc Dinius.
&. Why ?. Express VPN,
A (Express) Browser.. build in all facilities nessesary., to show Chrome Google .. FB.. messenger. The dont Rule The World.!!!
I think ,, the CEO from Huawei, with all problems Huawei got a while ago They are interested to, or for being a Partner Ship.
It’s kinda funny, Signal is your best choice for a secure messaging app. Yet, I can only share ut with WhatsUp, Viber,… but not with Signal or Telegram.
What about Threema?
Hmm… At Telegram you said “The messaging app uses its own protocol, MTProto, to encrypt your messages, though they aren’t encrypted by default, and you have to create new “Secret Chats” to encrypt them.”
But you gotta see, that every single message over Telegram is encrypted. See: https://core.telegram.org/mtproto
And so are End-to-End encrypted messages: https://core.telegram.org/api/end-to-end
So you should change the “…though they aren’t encrypted by default…” cause its simply not correct.
Thank you.
LOKI https://loki.network/ is supposed to be the most secure messaging app ever, though I believe it is still in beta
It would be nice if you could make a review of it when the time is right
Very nice topic
Heyy
Hey!
Hi Jamie,
tl;dr version: There is no perfect communication platform yet. Telegram is close, but isn’t open source. Signal is most secure, but lacks many features. Everything else is a compromise of the two.
Full version:
I noticed you suggest Signal, Telegram, and Viber in this article (which I believe ExpressVPN originally published in 2016) you were pretty cautious/hesitant about recommending Telegram given it’s history, use of proprietary encryption, and not being fully open source. I’m curious if you feel Telegram has become more reputable and secure over time, of if it’s still not a great choice.
I’ve recently been evaluating the features, multi-platform availability, and flexibility of Signal, Telegram, Wickr, Wire, and Viber for mass consumer use (not business). By far Telegram is the most flexible and feature rich at the free tier. Viber has ads and “suggestions” you can’t turn off (ick!), and Wickr and Wire are nearly identical in offerings (which is pretty limited at the free tier). Signal, while the most secure, is not very feature rich when it comes to text-formatting, group chats, and multi-platform use. It is tied to a phone number, and you can’t really use it simultaneously as well as the other offerings (and no iPad version at all means you can’t use it on a phone AND your iPad at the same time).
At this point, as an individual looking at secure communication options, my options seem limited to fairly basic, non-rich-text chats if we want the best security (Signal), or trusting Durov’s Telegram if we want full-featured options that could be a viable alternative to privacy-invading apps like Facebook Messenger. We need something that combines the best of both worlds: the security-focus of Signal and the feature-focus of Telegram. None of the options I’ve evaluated above hits the mark.
I feel the underlying reason for the problem is money. It takes a lot of money to create and maintain a platform that can support millions of simultaneous users. We’ve become accustomed to “free” platforms like Facebook (obviously it’s not free. We pay with ads, and they sell our data for their income), so I’m not certain how this is going to change. Viber comes close since it’s fairly feature rich and free for consumers, but I really dislike the sponsored material. I think the time may be approaching where we see a shift toward paid services again that ensure our privacy. That will mean a shift away from Yahoo, Hotmail, Gmail, and onto private paid (and hopefully open sourced) platforms (I use protonmail). I really dislike seeing websites I use having options like “Log in with Facebook or Google”. I’m tracked enough as it is, each time I log into a service with those, I feel I just get deeper ensnared into giving away my privacy at the expense of convenience.
Looking back on Viber as a possible model, it would almost be the perfect platform IF you could pay a small fee to opt out of all advertising and internal tracking. That way they have income to maintain the service, those who want no-cost services could put up with the ads, and those of us who would pay to maintain privacy could do so, without losing moving to platforms that don’t have anyone on them. I’d still want the service itself to be open-sourced.
The Matrix.org Open Standard for communication also looks very promising, but right now it’s main client implementation (Riot.im) is very unfriendly to anyone who isn’t a part of the geek community. If someone were to write a clean, simple client that utilized the Matrix.org system, that would be a step in the right direction.
Thank you for this article and helping me look into this issue deeper.
A very good review and some serious food for thought, thnx
Wire is missing in this review
Yes, I found my personal data privacy and security with Signal private messenger
Thanks to Signal team, they made privacy easy
How can apps with public servers be secure? Only self-hosted (MyChat enterprise messenger, etc.) can get closer to secure communication as they do not have social engineering, third-party interference, and able to work in local networks.
Most of these apps on the list I do not agree with and so called “most secure messaging apps” but I’m glad the Signal Private Messenger is on the list.
I was looking a very long time a secure SMS and internet app and you gave me the solution with one article!
Nice guys, this are very useful articles, keep doing the excellent work for us!
Thanks!
Absolutely could not agree more. I expected nothing but the best from Express. Awesome article guys!
Superb VPN server it’s very useful tooo
What about whatsapp, i really like this app…easy to use and nice color…..
nyampling
I don’t know much about all this, but one area I also don’t understand, but am bothered about is this open source code. If the app is open source wouldn’t that allow a hacker to figure out how it works on a base level and be able to find vulnerabilities within the app. Thanks for your hard work!
Ahh.. hello? I though whatsapp is operating by facebook? And also had lots of leaks in past..(and they also save all photos and messages for sure)
How about Verizon’s Message+ ?
How about Telegram?
What about Telegram?
In your next review, please include zoom.us. It alleges to be a fully encrypted video conference system, but I’d like to know about that from a trusted third party like ExpressVPN.
If you want to communicate more securely then use Wire. Wire is open source and using end-to-end encryption for everything, messages, audio and video calls.
https://wire.com
It’s the goto app to recommand for privacy.
Telegram is no longer open source : https://lucb1e.com/?p=post&id=129
Telegram for Android is now a closed source application. According to the repository and the Telegram website, it is covered by the GPL license which states one must publish changes. However, since early October 2016, there have been many releases but no updates of the source code. Everyone involved is pretending there is no issue because they have their fingers in their ears.
Signal is based on GCM (Google Cloud Messaging) so all the metadata are known by Google. It cannot be installed on an alternative ROM like LineageOS.
I hope Threema also reviewed in this article.
I have bye Express VPN, but I can’ downloadede it to my Microsoft Windows 10 Mobil, and I have’t odder pc
Hello. Kindly contact our support team via Live Chat and they’ll assist you right away: http://blog-staging.xvtest.net/contact