The world is getting more digital, and instant messaging apps have become an inherent part of our daily lives. We want to stay in touch with friends, respond to work matters, exchange files, and share our stories in the moment, no matter where we are. While the great convenience of messengers is undeniable, more and more people are getting concerned about their privacy and have started looking for more secure alternatives, such as encrypted messaging apps.
Most instant messengers are free of charge; however, are they really free? Are we trading our personal data for the convenience of real-time communication? As a mobile app development company and creator of BAMM, a layer 3 transport protocol with end-to-end encryption and onion routing, we know what it takes to make communication secure.
Stay tuned to find out what messenger features may expose you, the best options for encrypted messaging, and how to choose and set up your secure messenger.
How Messengers Leak Your Data
Understanding what messenger features make you vulnerable to data leakage is the first step to protecting your privacy online. Here are the essentials to keep in mind while using an instant messenger.
Granting Access to Contacts
To start exchanging messages, it’s often essential to grant the application permission to access the contact list — this way, all the contacts are uploaded to the app’s servers. This process is called mobile contact discovery, and it simplifies the app usage. However, if the servers are hacked, cybercriminals will get access to the sensitive data. Even the phone numbers of people who don’t use the app may be affected, as they are on the contact list.
The most obvious thing you can do to prevent the leakage is to deny the app access to your contacts and enter the required numbers manually. If this isn't possible for your particular messenger, consider switching to an app that does not require access to the contact list.
Ignoring Privacy Settings
Another common mistake first-time users make is ignoring privacy settings. Default settings are not as privacy-friendly as you may think. First off, even those messengers that offer encrypted communication may not have this feature enabled by default. So it makes sense to do some research on the app of your choice and explore the settings to ensure encryption is on. Some messengers will encrypt only one-to-one chats; others will cover group chats as well – something to double-check before initiating any communication.
Secondly, if there is an option to turn on the two-factor authentication, make sure to do so. This step is an additional security layer against malicious actors who may already have some personal data and attempt to gain access to your account.
Thirdly, identity theft is easier when users provide their real information, such as pictures, names and surnames, dates of birth, etc. It is better to use an alias and consider messengers that don't require your phone number or email for registration.
If your messenger does rely on a phone number, then make sure to disable the Search User by Phone Number feature. In this case, even if your phone number happens to be in a data dump on the dark web, the bad guy won't be able to easily find your profile.
Here is a checklist on how to use instant messengers safely:
Anonymity
- Use fictitious data for your profile
- Deny access to your geolocation
- Use secret chats or ephemeral messages for confidential info
- Wipe out chat history regularly
Security
- Use two-factor authentication
- Turn passcode lock on
- Use VPN
- Make sure encryption is on
- Disable automatic file downloads
Other
- Ensure your most frequent contacts & confidants have implemented the same security controls
- Before clicking the link sent by a friend, verify its contents with the friend
- Remember what goes on the Internet, stays there
Least privilege
- Ensure only contacts can see your phone number
- Ensure only contacts can see your profile picture
- Ensure only contacts can call and message you
- Ensure only contacts or nobody can see your timestamp
- Ensure only contacts can add you to groups and channels
- Read changes to security policies
- Keep your app updated
- Never add strangers to your contact list
- Never use the app on public Wi-Fi networks
Enabling Link Preview
Link previews are super handy; however, they can give users a false sense of confidence. We are all aware that clicking links may result in infecting your device with malware, so link previews seem like a way out – a short snippet of the website content lets you quickly judge the website's credibility before following the link.
What if we tell you that your messenger may have already opened that link in order to show you the preview? It all comes down to the way the link preview is implemented in your app. Usually, link previews are generated in one of three ways:
- Link preview is generated by the sender. This approach can be considered safe as the receiver doesn’t automatically open the link. In case a bad actor sends a malicious link, the user won’t be affected unless they decide to click the link.
- Link preview is generated by the receiver. This is where things can turn sour. First off, the receiving app automatically opens the link in order to generate the preview, so the user has no control over it. Secondly, for the app to receive the data, it needs to reveal the user's IP address to the server. Lastly, if the sent link leads to a large file, the messenger will download it automatically, putting a strain on your battery and consuming your data plan.
- Link preview is generated by the server. In this case, neither the receiver nor the sender opens the link; instead, the link is forwarded to an external server, and the server then sends the preview both to the sender and the receiver. The problem with this approach is that you don’t want a corporate server to make a copy of your private files and store them.
The thing you can do right now is to check your app settings and disable link preview if possible. Another option is to choose an app that generates previews on the sender’s device.
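As an added example (not code from the article or from any messenger it discusses), here is how a sender-side previewer can contain the risks listed above: it only accepts http/https links, skips non-HTML responses, reads at most a fixed number of bytes, gives up after a timeout, and scans the HTML text for the <title> and Open Graph tags without ever executing the page's scripts. All function names, limits and the sample page are constructed for this illustration.

```javascript
// Added example: a sender-side link-preview generator with built-in limits.
// Nothing here is code from the article; names and limits are illustrative.
// Requires Node 18+ (global fetch and Buffer).

const MAX_BYTES = 256 * 1024; // read at most 256 KiB of any page
const TIMEOUT_MS = 5000;      // give up on slow servers

// Only plain web links are previewed; file:, javascript: etc. are refused.
function isAllowedUrl(url) {
  try {
    const { protocol } = new URL(url);
    return protocol === "http:" || protocol === "https:";
  } catch {
    return false; // unparsable input is not a link worth fetching
  }
}

// Only HTML documents get a preview; a PDF, video or archive is skipped
// before its body is downloaded, so a multi-gigabyte link costs nothing.
function isPreviewable(contentType) {
  return /^text\/html\b/i.test(contentType || "");
}

// Pull title/description/image out of raw HTML text. Regexes are enough
// because we want three fields and deliberately build no DOM and run no JS.
function extractPreview(html) {
  const meta = (prop) => {
    // <meta property="og:x" content="..."> in either attribute order;
    // [^>]* keeps each alternative inside a single tag
    const re = new RegExp(
      `<meta[^>]*(?:property|name)=["']${prop}["'][^>]*content=["']([^"']*)["']` +
      `|<meta[^>]*content=["']([^"']*)["'][^>]*(?:property|name)=["']${prop}["']`,
      "i");
    const m = html.match(re);
    return m ? (m[1] ?? m[2]) : null;
  };
  const titleTag = html.match(/<title[^>]*>([^<]*)<\/title>/i);
  return {
    title: meta("og:title") ?? (titleTag ? titleTag[1].trim() : null),
    description: meta("og:description"),
    image: meta("og:image"),
  };
}

// Read a response body but stop once maxBytes have arrived and cancel the rest.
async function readCapped(body, maxBytes) {
  const reader = body.getReader();
  const chunks = [];
  let total = 0;
  while (total < maxBytes) {
    const { value, done } = await reader.read();
    if (done) break;
    chunks.push(value);
    total += value.length;
  }
  await reader.cancel().catch(() => {});
  return Buffer.concat(chunks).subarray(0, maxBytes).toString("utf8");
}

// Fetch a preview on the sender's side; any failure simply means "no preview".
async function fetchPreview(url, { maxBytes = MAX_BYTES, timeoutMs = TIMEOUT_MS } = {}) {
  if (!isAllowedUrl(url)) return null;
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  try {
    const res = await fetch(url, { signal: ctl.signal });
    if (!isPreviewable(res.headers.get("content-type"))) return null;
    return extractPreview(await readCapped(res.body, maxBytes));
  } catch {
    return null; // timeout or network error
  } finally {
    clearTimeout(timer);
  }
}

// Constructed sample page (not a real site) so the parser can be exercised offline.
const SAMPLE_HTML = `<!doctype html><html><head>
<title>Fallback title</title>
<meta property="og:title" content="Quarterly report">
<meta content="Numbers for Q3" property="og:description">
<meta property="og:image" content="https://example.invalid/cover.png">
<script>alert("never executed by the previewer")</script>
</head><body>...</body></html>`;

console.log(extractPreview(SAMPLE_HTML));
```

The same `isPreviewable` and `readCapped` limits apply equally to a receiver-side implementation, but only the sender-side variant keeps the receiver's IP address away from the linked server.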
Sending Files
One more potential danger is that app servers can view and store links to private materials (for instance, documents uploaded to your OneDrive account) for an indeterminate period. Messengers like Facebook and Instagram load files in full even if their sizes exceed several gigabytes. What is worse, if the servers are hacked, cybercriminals can access your private information.
Some messengers can also execute any JavaScript contained in the linked page. The problem is that users have no means to check the safety of the JavaScript code on the site and cannot expect instant messengers to have the same exploit protection as modern browsers.
To prevent this from happening, do your research to answer the following questions:
- Do your messages travel to a centralized server, or are they routed through a P2P network?
- Are they stored locally on the device or the server?
- For how long is the data stored?
- Are media and files also end-to-end encrypted?
Insecure Messengers to Avoid
It is important to remember that the commercial success of a messenger does not equal its security. Nevertheless, billions of people continue to use insecure messengers without a second thought. Why? Well, because they are fun, convenient, and boast a massive adoption rate, making it easier to communicate with friends and people from other countries without the need to install another messenger.
Here are some successful and well-known messengers we advise steering clear of. Let's dive into the reasons why.
Facebook, now branded as Meta, is infamous for its negligent attitude to user privacy and data security. It tracks every user's step to improve its ad delivery service: the buttons you click, the videos you watch, the ads you view, your biometric data, and the list goes on. Moreover, it made headlines several times because of data breaches leaving millions of users exposed.
Software developers and architects Talal Haj Bakry and Tommy Mysk found out that Facebook's servers had been downloading all the data, regardless of its volume, from any link sent via Instagram or Messenger. Currently, the servers no longer generate previews, but only for users in Europe; links sent by users in the rest of the world are still downloaded.
Nevertheless, Messenger is used by 1.3 billion users worldwide, apparently for its large user base, modern look and feel, and cool features like group video chats or fun AR effects. From the security standpoint, Messenger is not recommended for the following reasons:
- End-to-end encryption is not enabled by default
- Requires email or phone number for sign-up
- The business model relies on harvesting user data
- User metadata is not encrypted
- Reported offensive media can be accessed by the company
- Security audit reports are kept undisclosed
- Closed source
WhatsApp is the most popular global mobile messenger — as of October 2021, it has 2 billion monthly active users. The app positions itself as a highly secure and reliable messenger because of the end-to-end encryption turned on by default. The other security features it offers are disappearing media files, two-factor authentication, screen locks, and standard options to enhance privacy, like hiding your activity status or profile picture.
At the same time, WhatsApp has been owned by Facebook since 2014, and in 2021, it was fined 225 million euros by the Irish Data Protection Commissioner for GDPR violations. The 2021 changes to its privacy policy opened the eyes of many WhatsApp users to how their data is handled. Not willing to share even more data with Facebook, thousands of users switched to Signal and Telegram. The rate at which users abandoned WhatsApp skyrocketed further after one succinct yet very persuasive tweet:
Use Signal
— Elon Musk (@elonmusk) January 7, 2021
In 2019, WhatsApp was all over the news because of a zero-day vulnerability exploited by NSO Group's Pegasus spyware, which infected about 1,400 WhatsApp users. All of these events raise doubts about the app's security and user privacy. In a nutshell, here is why we classify WhatsApp as an insecure messenger:
- Shares user data with Facebook
- Requires phone number for sign-up
- View-once media are not protected against screenshots or screen-recording
- View-once encrypted media is stored on WhatsApp servers for a few weeks, not instantly deleted
- User metadata is not encrypted
- Reported offensive media can be accessed by the company
- Closed source
Telegram continues to rise in popularity, taking fifth place globally and second place in Russia, the home country of its founder – Pavel Durov. The team has consistently delivered pioneering features and instantly reacts to changing user demands. One can move chat histories from other apps, enjoy an extensive list of animated emojis, stay anonymous as a group admin, host live talks for millions of listeners, format text as a spoiler, among tons of other handy features.
In terms of security, Telegram allows creating secret device-specific chats with end-to-end encryption and self-destructing messages, offers two-step verification, screen locks, and multiple privacy settings.
At the same time, Telegram’s contact discovery functionality makes it vulnerable to crawling attacks. Researchers from Germany discovered that Telegram transfers the user’s entire contact list to their servers. With limited resources and fairly simple tools, they managed to collect the phone numbers of Telegram users and the numbers of those who don’t even use the app — they were just on the contact lists of the registered users.
Another weakness is that the content of standard and group chats is stored in the cloud. This is convenient for users, as they can access such chats from any device, but at the same time puts data at risk. Moreover, tutorials on how to extract group and channel data can be found on the Internet — they can help admins collect relevant insights, but at the same time, they can be used by hackers. Here is where Telegram falls short security-wise:
- Encryption is not enabled by default
- Requires phone number for sign-up
- Chat data is stored on Telegram servers
- Relies on bespoke cryptography criticized by security experts
- Group chats are not end-to-end encrypted, even though 51% of Telegram users rely on group chats
- Not fully open source
Viber hasn’t made it to the top 5 of most popular global messengers; however, it has a high install penetration rate in Ukraine, Greece, Bulgaria, and Russia. The app offers a wide selection of features for instant communication: text, voice, and video messages, group chats and calls, voice and video calls, stickers and GIFs, file sharing, public groups, screen sharing (from desktop during video calls). The account can be used on multiple devices, and the supported platforms include Android, iOS, Windows, macOS, and Linux.
Data security features include default end-to-end encryption, self-destructing messages, hidden chats (access with a PIN), hidden-number chats, and notifications of screenshots for disappearing messages.
Even though Viber claims it cannot read the contents of your messages, it harvests all kinds of other user data – name, email, phone number, birth date, social media profiles, address book, connection status, length of calls, who messaged or called you, how much time you spend on Viber, your device’s unique identifier, IP address, WPS location data, etc. According to its privacy policy, Viber can also combine all this data with information from outside records – apparently for creating very detailed consumer avatars and serving you highly personalized ads.
- Collects tons of user data: everything you voluntarily input
- Shares user data with third parties
- Unfriendly default privacy settings
- Requires phone number for sign-up
- Retains some personal data even after account deactivation
- No mentions of an independent security audit
- Closed source
Wickr Me is a messaging app primarily targeting government agencies, military structures, and large enterprises. Wickr Me also offers a free plan with limited functionality for individual users.
At first glance, the app is jam-packed with security features: end-to-end encryption, ephemeral messages, secure link previews, screenshot detection, multi-factor authentication. Another advantage is that you can create a Wickr account without providing your phone number or email. On top of that, the Wickr team provides a transparency report and offers a lavish reward for bug bounty hunters who manage to find a security flaw in their system – up to $100,000.
Everything about Wickr Me speaks of security; however, one fact makes us hesitant to list it among the best encrypted messaging apps – the people behind the company. Originally developed by security experts and privacy advocates, Wickr Me received funding from multiple investors, including the Central Intelligence Agency. The company also provided services to US Customs and Border Protection.
In 2021 Wickr was acquired by Amazon, one more affiliation that prompts individual users to reconsider their attitude to Wickr as the privacy-first messenger.
Into the trash it goes. https://t.co/CZWZdqwd3M
— Edward Snowden (@Snowden) October 13, 2021
Wickr Me is lacking in the following areas:
- Funded by CIA and owned by Amazon
- Recent security audits are not publicized
- No two-factor authentication in a free plan
- Closed source; only the cryptographic protocol is open source
Best Encrypted Messaging Apps
As you can see from the examples above, encryption alone is no longer a value-adding feature but rather a must-have. Nowadays, encrypted messaging apps need to go the extra mile and give users more options to protect their identities. Let's review several decent alternatives to popular messaging apps.
Session is an end-to-end encrypted messaging app developed by Oxen Privacy Tech Foundation, a non-profit organization supporting the development of free and open-source software for secure online communication.
The Session community comprises over 300K users, and that’s without considering desktop, F-droid, or APK installations. So the total user count can be significantly higher. In terms of functionality, the app offers one-to-one chats, group chats, voice and video calls, and file transfer. The Oxen team also plans to launch Session Pro with a whole lot of fancy features, such as encrypted account backup storage, self-hosting options, multi-account registration, custom emojis and sticker sets, among others.
Platforms: iOS, Android, F-Droid, Windows, macOS, Linux
Pricing: free
Pros:
- End-to-end encryption for one-to-one and group chats
- No phone number or email is required for sign-up
- Metadata collection is minimal
- Ability to strip metadata before sending files
- Onion routing
- Forward secrecy (past sessions are safe if a long-term encryption key is compromised)
- Future secrecy (in case of key compromise, the hacker loses access to future sessions after a few rounds of communication)
- PIN for encrypting local Session database
- Decentralized architecture
- Security audit is publicized
- Open source
Cons:
- Backups are not yet implemented
- ID recovery phrase needs to be securely stored
Briar is an open-source messenger developed by a team of seasoned developers, security consultants, and freedom of speech activists. Briar is a go-to communication tool for journalists, human rights activists, and anyone whose job requires a high level of anonymity. Over 100K people currently use the Briar Android app, and we believe its adoption will continue to rise.
Briar offers several layers of protection against surveillance and censorship. For example, to ensure adversaries cannot intercept the user's metadata, Briar uses the Tor network. All messages and contact lists are end-to-end encrypted and stored on the user's device. Another life-saving feature Briar offers is the ability to use the app even during Internet blackouts by operating over Bluetooth.
Pricing: free
Pros:
- End-to-end encryption for messages and contact list
- No phone number or email required
- Metadata is hidden via Tor network
- Fully decentralized architecture
- Forward secrecy (past sessions are safe if a long-term encryption key is compromised)
- Future secrecy (in case of key compromise, the hacker loses access to future sessions after a few rounds of communication)
- Content is stored locally on the user's device
- Contact verification through a QR code
- Screen lock
- Security audit is publicized
- Open source
Cons:
- No option to recover the account in case of password loss or app uninstallation
- No voice calls or file exchanges
Threema is a Swiss-based startup founded in 2012 by three software developers concerned about data privacy and mass surveillance. In 2020 the app was used by over 8 million users, and its adoption rates continue to rise. Threema's business model does not rely on user data; therefore, it is not free. Threema also offers SaaS and self-hosted solutions for small businesses and large enterprises.
Threema provides all the functions essential for a messaging app: text and voice messages, group chats, voice and video calls, polls, bots, mentions, message quoting.
Platforms: iOS, Android, Windows, macOS, Linux
Pricing: $3.99, one-time payment
Pros:
- End-to-end encryption for messages, calls, media, and files
- Phone number or email is optional
- Contact synchronization is optional
- GDPR-compliant
- Metadata collection is minimal
- No third-party cloud or hosting services
- Messages permanently deleted from the server upon delivery
- Contact verification
- Regular security audits
- Open source
Cons:
- Small user base
- Not fully decentralized
- Exposes user IP address to the operator
Signal is developed by the non-profit Signal Development Foundation and Signal Messenger LLC. The people behind these organizations are Moxie Marlinspike, a cryptographer, security researcher, and former head of the security team at Twitter, and Brian Acton, WhatsApp’s co-founder who left WhatsApp after its acquisition by Facebook. Signal relies on donations and promises an ad-free and privacy-friendly user experience.
The Signal encryption protocol has long since become the industry standard, as it is also used by other messengers like WhatsApp, Facebook Messenger, and Skype. As of May 2021, 105 million people had downloaded the Signal app.
With Signal, one can exchange text and voice messages, photos, gifs, stickers, videos, and files; make voice and video calls; communicate in group chats, and invite others to join. The app also supports many popular features, such as chat pins, message forwards, and message reactions.
Platforms: iOS, Android, Windows, macOS, Linux
Pricing: free
Pros:
- End-to-end encryption for messages, calls, and user profiles
- Business model is not based on monetizing user data
- Link previews are optional
- Contact discovery can be disabled
- Disappearing messages
- View-once media
- Screen lock
- Privacy screen hiding messages in the app switcher
- Registration lock (Signal PIN)
- Open source
Cons:
- Requires phone number for sign-up
- Centralized architecture
- Exposes user IP address to the operator
- No recent security audits
Wire was developed by some of the former Skype founders with a focus on user protection against cyber attacks. Since 2017, the Wire team has put emphasis on B2B and B2G clients developing features primarily for this audience.
Nevertheless, Wire can still be considered for personal use, as it provides the standard communication functionality for free: text, voice, and video messages, group chats, voice and video calls, screen sharing, guest access, and file sharing.
The Wire user base is fairly small, comprising about 500K users as of 2021.
Platforms: iOS, Android, Windows, macOS, Linux
Pricing:
- Free for personal use / small teams
- From $7.65 for enterprises, per user monthly
Pros:
- End-to-end encryption for messages, calls, media, and files
- User data is not used for third-party advertising
- Can be self-hosted
- Self-deleting messages
- GDPR / CCPA-compliant
- Provides a transparency report
- Regular security audits
- Open source
Cons:
- Requires phone number or email for sign-up
- Centralized architecture
- Two-factor authentication is missing
- Small user base
Other Encrypted Messengers Comparison
The messengers listed above are not the only instant communication apps offering encryption. While we can’t review every single solution on the market, we compared some other open-source and closed-code messengers for you to have a more comprehensive choice of alternatives.
How to Choose Secure Messenger
The market of security-first instant messengers is rapidly developing, with apps fiercely competing for broad user adoption. It is easy to get overwhelmed with such an abundant choice and make a wrong decision, especially for non-technical users measuring the app’s reliability merely by its popularity.
Setting all the marketing gibberish aside, here are the essentials to consider when choosing a secure messenger.
Who owns the company?
Do you trust the company behind the messaging app of your choice? Has the said company compromised its trustworthiness in the past? Is it a commercial or not-for-profit organization?
When it comes to data privacy, open-source solutions have a leg up on closed-code proprietary apps. The reason is apparent: commercial companies rely heavily on user data to improve their services, so they have clear motives to collect and store massive amounts of data. By contrast, open-source projects are guided by the developer community's passion. They are reviewed by thousands of contributors, including security researchers and consultants, making their concepts more transparent and authentic to their mission.
What data is collected?
Another aspect to research is what data the app collects, where this data is stored, and how easily those records can be retrieved or removed. Usually, this information is provided either in the FAQ section or the app’s privacy policy.
For example, looking through Viber’s privacy policy, we see that the app collects a whole lot of data, starting with your address book, activity information, social media profiles (if used for sign-up) and ending with cookies and tracking technologies shared with advertising partners.
Where is data stored?
Where the app stores your data says a lot about its real attitude to user security and privacy. Most commercial messengers store user data on their own servers, that is, in a centralized manner. This is not the best option from a security standpoint, as servers can potentially be hacked, and all the decision-making power is concentrated in a single authority – the corporation that developed or acquired the app.
Decentralized systems, on the other hand, route the data through a number of random nodes on the network. This approach ensures better anonymity for users and makes it more difficult for hackers to gain access to the network. Even if a node is compromised, the breach will affect only a small fraction of users, whereas the breach of a centralized server can leave millions of people exposed.
For example, P2P messengers like Briar do not rely on the cloud and store all the messages on the user’s device. The ability to self-host the app should also be viewed as an advantage because you decide where and how to store your data.
When was the latest security audit?
Regular security evaluations are the backbone of security-first and data-compliant tech companies. However, it is important for the code reviews and security audits to be independent and fully impartial.
For example, CoyIM, a desktop chat client, is open about the fact that it has not undergone a comprehensive security audit; only the library ensuring end-to-end encryption was audited back in 2020 by Radically Open Security. If you have trouble finding information about the app’s latest security assessment, that’s a red flag.
Secure Messenger Trade-Offs
Switching to a more secure messenger is a sound decision for anyone caring about their data integrity and privacy online. At the same time, messengers that provide a tangible level of protection and anonymity tend to offer limited functionality, sacrificing usability, fun, and overall convenience for enhanced security. That’s probably one of the primary reasons why genuinely secure messengers are less popular than insecure ones.
Having analyzed the functionality of the best encrypted messaging apps, we singled out several trade-offs that can potentially influence your decision. Here is the price you pay for keeping your data to yourself:
Troublesome Password Reset & Account Recovery. Apps like Jami do not require your phone number or email for registration. Moreover, all the data is stored on the user's device, not on a server, which means that as long as your hardware is not compromised, you are super secure. Sounds awesome until you realize you forgot your password – recovery is impossible in this case. Why? Because a Jami account is simply a file with cryptographic keys stored locally on your device. If you prematurely deleted your account and haven't installed it on other devices or created backups, your account is gone. And it's not only Jami; apps like Surespot and Briar also warn about the inability to recover a password.
Lack of graphical tools. Let’s be honest here. We all get easily attached to fun emojis, gifs, and stickers helping us better convey our emotions in written form. At first glance, the absence of such tools significantly worsens the chatting experience. However, image processing libraries may contain bugs and vulnerabilities that malicious actors can exploit in the future. Therefore, chat clients like CoyIM choose to bring graphical representations to a minimum. Threema seems to share the same opinion as it provides no gif platform integrations.
Longer onboarding. Those apps that require no phone number or email for the sign-up need to do things differently. For example, instead of a familiar search by number, users may need to exchange special links or meet in person and scan each other’s QR codes to proceed with chatting. So contact discovery and user verification require a couple more steps and probably looking through the user manual before engaging in confidential conversations.
Undoubtedly, security poses limitations on messengers’ functionality. Currently, no product can guarantee 100% anonymity and data security. Each individual has to decide for themselves what is more critical for them – ultimate convenience or better privacy.
It is also worth noting that it all comes down to your use cases. If a messenger for you is a tool for casual, work-unrelated convos and meme exchanges with friends, or perhaps just a storage for your grocery lists, then there’s little to worry about. Yes, corporations will use your metadata to improve their services, hopefully, in a way not directly attributable to you. Things are radically different for journalists, social activists, politicians, business owners, and other influential figures whose identities are of particular interest to surveillance agencies and fraudsters.
Final Thoughts
There are no black and white solutions in the instant messaging world. Each product has its advantages and drawbacks, and even the apps going way beyond encryption and offering several security layers cannot warrant 100% data protection. Data leakage is inevitable if the user’s device is compromised by spyware. Remember that encryption is not a panacea as hackers may gain access to encryption keys and thus decrypt the data. First, it makes sense to review our online behavior, habits, and attitude to privacy to communicate safely and decrease the chances of exposing ourselves. Read the privacy policy of your messenger, change default privacy settings, and think twice before sending sensitive info via a messenger.