A modern person uses several instant messengers every day to exchange messages, files, contacts, and location, as well as receive services, news, and solve important work tasks. We pass a huge amount of all sorts of sensitive data through these secure instant messaging systems. Which one protects personal data best? Which provides the highest level of anonymity? Let’s break it down and identify the most secure modern messengers out there.
Introduction
The transfer of information via instant messengers has long become an integral part of our everyday life. Messengers allow you to quickly and easily interact with others on a variety of issues such as work, education, entertainment, and personal contacts. The functions of modern messengers have gone beyond the usual exchange of messages, photos, and videos. We can make audio and video calls, shop, pay utility bills, get help, order food, taxis, tickets, and more.
Most popular global mobile messenger apps as of October 2021, based on the number of monthly active users (in millions)
The development of cloud technologies has also increased the influence of instant messengers on our lives, as it is really convenient when important files, correspondence, and contacts are at hand and so easy to share.
We are so used to all this that we completely fail to notice the amount of confidential information that we send through instant messengers every day. Numerous and various scandals and bugs associated with popular messengers make us wonder whether our messenger of choice is secure enough? Is our data encrypted in the cloud and who has access to this data? How to evaluate the security of a messenger in general?
Let’s try to assess the privacy of messengers marketed as safe in terms of certain key parameters and try to answer the question: which messenger currently provides the best user privacy?
Threats and Risks
The threat model will be highly personalized because we are dealing with personal data. Each user has to figure out what exactly needs to be protected. Is it correspondence, content, identity, metadata, or location? Odds are that all of the above. Who may abuse the data? Do we want to keep our data safe from advertising companies, the government, and hackers? What about family members?
Each scenario has its undercurrents, which is important to take into account. Here is some extra food for thought: a service that effectively protects your messages and metadata could be less suitable, for example, for entertainment and may be inconvenient for everyday use.
Data Leaks
Gaining unauthorized access to confidential information your messenger generates and stores (by intercepting messages in real time, accessing message logs, extracting data from the cloud, or authenticating behind your back) will lay the groundwork for a number of extremely unpleasant attacks with unpredictable consequences. This can be blackmail, impersonation of a confidant, or data collection for implementing more complex schemes using social engineering.
Location Disclosure
When the function of sharing the current location is activated, or if the messenger allows you to reveal your mobile number, an attacker can piece together your daily schedule of presence in a particular location. The malefactor can use these personal routes of movement to orchestrate an attack or sell this data to third parties.
Code Vulnerabilities and Compromised Software
Like any software, a messenger may contain vulnerabilities that facilitate access to more than just confidential information. Installing a compromised application, such as one from an untrusted source, can lead to a more serious attack. As a result, a malicious actor can gain complete control over the device and go unnoticed. It must be understood that as soon as an attacker takes over a messenger account, this does not lead to anything good. Even if the account does not contain any valuable information, it can be added to a botnet and weaponized in DoS attacks, spam campaigns, the distribution of malicious links, etc.
Criteria for the Security and Privacy of Messengers
To gauge the security of user data in a particular messenger, we need to denote the key benchmarks regarding security, privacy, and anonymity. Since modern applications run in a sandbox and leverage various behavioral controls, a lot comes down to how the logic of the application is organized in a particular platform.
End-to-End Encryption
End-to-end encryption support ensures that only you and the recipient can decrypt and read the information. E2E is considered the main attribute of any messenger that positions itself as secure. An important point to consider is whether this option is enabled by default. For example, in iMessage, until recently, encryption had to be manually activated in the settings.
It is also important to understand what cryptographic algorithms are used to perform encryption. Where is the private key generated? Is the metadata hashed? Is there a key rotation process in place?
Data and Metadata Harvesting
The metadata that each of us generates through our online activities is like a digital fingerprint. Messengers also collect metadata that can describe our personality in great detail. In fact, this is all the data besides the content of the message itself: for example, whom from our contact list we talk to, how long and how often (sender, recipient, time sent, time read). This is a kind of record of our activity. Information about the device used, IP address, and mobile number may also be harvested.
That’s nothing but the collection of data about users in its purest form. At a minimum, these are details provided during registration. In some cases, it is difficult to determine exactly what data is collected, because instant messengers are integrated into the ecosystem of the manufacturer (Google Messages, Apple iMessage). Companies may know the user ID, phone number, content of correspondence, search history, browsing history, purchase information, location, contacts, and more.
Open Source
An open-source instant messaging application allows comprehensive security auditing. Hobbyists, enthusiasts, and experts can build an application, examine its operation, and draw attention to weaknesses, vulnerabilities both in the server and client parts of the code. On the other hand, free access to the code slightly increases the risk that information about a discovered vulnerability can be used with malicious intent until it is closed or someone else from the community pays attention to the weakness. Open-source code per se cannot guarantee the security of user data, but it definitely contributes to this condition.
Sharing Data with Third Parties
Third parties may be special services, public order authorities, or government agencies. The administration of some messengers actively cooperates with such entities, while others consistently reject personal data requests. An attacker can pretend to be any person you can imagine, including a member of the special services, and as a result receive the necessary valuable information. When choosing a secure application, this must be taken into account, otherwise your confidential data may be abused, even if you are a law-abiding citizen.
Encryption of Backups in the Cloud
Not all messengers use encryption to store correspondence and files in the cloud. A successful attack by a hacker on the cloud infrastructure can lead to the leakage of confidential data. As is the case with data collection, information about whether the backup is actually encrypted is not publicly available on all messengers.
Peer-to-Peer Connection Support
Peer-to-peer connection excludes any third party involvement. Messages stream directly to the recipient’s device. There is a caveat, though: a connection like that reveals with whom and for how long it has been established, which, of course, affects anonymity and reduces the level of confidentiality. You can step up your privacy by implementing additional protection of the IP address through the use of a VPN or Tor.
Sign-up Data
Creating an account with a messenger often requires us to provide a mobile phone number, which is closely related to our identity. Data security may not be affected, but anonymity suffers badly. The more data is required during registration, the lower the anonymity. Email address might suffice, or the application may request access to contacts or incoming SMS messages for verification. To complete registration, the app may request a call to your number.
Other Security Features
Two-factor authentication (2FA) support is an important additional security element. The second layer of protection based on 2FA can effectively stop intruders in their tracks. Some applications prompt the user to activate 2FA through a notification. This typically goes bundled with the following:
- an option that allows you to set a code or a passphrase to access important security settings or sensitive chats; protect information displayed on the screen (for example, when a user tries to take a screenshot of secret messaging, the person on the other end receives a notification about this);
- automatic screen lock when the user moves away from the device;
- deleting a previously linked device from the account, etc.
So, How Secure Are the World’s Top Messengers?
Now that we have set the evaluation criteria, let’s identify the most reliable of the 13 most popular instant messengers marketed as safe: Apple iMessage, Element/Riot, Facebook Messenger, Google Messages, Microsoft Skype, Session, Signal, Wire, Telegram, Threema, WhatsApp, Viber, and Wickr Me.
Outsiders
Let’s start with outsiders. It is definitely worth paying attention to these applications and thinking about what is happening not only with our personal data, but also with privacy: Apple iMessage, Microsoft Skype, Google Messages, WhatsApp, and Facebook Messenger. This does not mean that these messengers cannot be used, because here we once again return to the formation of a personal threat model and the goals that we pursue in building security.
All outsiders, with the notable exception of WhatsApp, are built into their respective closed ecosystems through which a striking amount of our personal data flows. If we use services from Google or Apple, these corporations have already collected all the necessary data about us even without instant messengers.
Best in Terms of Security and Privacy
Session, Signal, Threema, and Wickr Me are undoubted leaders in security and privacy.
Session has been gaining popularity since 2020 due to decentralization and the use of end-to-end encryption based on the Signal protocol. The messenger features anonymous registration in one click without entering passwords. It uses a bare minimum of metadata when sending messages. The weak points are that calls are not currently supported, and in some cases, messages may be delivered with a noticeable delay.
Signal is very good in terms of security and functionality, but there is a drawback that seriously affects privacy as anonymous registration is not supported, so you will have to entrust your mobile phone number to the messenger. Among other options, Signal enables automatically blurring people’s faces on all photos sent to the chat.
Threema is a secure but paid messenger. It stores correspondence on the server, and the registration is fully anonymous.
Wickr Me supports anonymous registration as well. Your correspondence gets encrypted and stored on the server for 30 days. You will also need to wait for 24 hours until your account is deleted from the system. But otherwise, it is by far the best choice, combining proper security and privacy.
Golden Mean
The best options for everyday secure and convenient communication are Element (formerly Riot), Telegram, Viber, and Wire.
Element is a well-known secure messenger with a full range of features for daily communication. The disadvantage is the lack of two-factor authentication; in addition, some privacy features could use some enhancements. That being said, anonymous registration is available offsetting the above and other drawbacks.
Telegram does not support end-to-end encryption by default, which is one of the key drawbacks. The secret chat feature needs to be activated. Anonymous registration is not supported. The messenger has very flexible privacy settings, and its user-friendly desktop version wins it an extra audience.
If you use Viber, beware the messenger collects a lot of personal data. If that doesn’t bother you, Viber is a great choice. Desktop and mobile applications are equally good and convenient for communication. End-to-end encryption is supported by default.
Wire offers a streamlined design for the mobile app and desktop version. It’s a neat combination of security and convenience. Compared to Telegram, it has slightly fewer privacy settings but uses end-to-end encryption by default. Backups are stored on the device only.
Convenience in Exchange for Security
If you prioritize convenience when choosing a messenger and leave the security and privacy of personal data aside, consider using the following products.
Facebook Messenger is almost as popular as WhatsApp simply because it is embedded into Facebook. It’s no secret that Facebook collects a huge amount of users’ personal data for its own benefit. End-to-end encryption is not enabled by default. If you are an active user of the most popular social network in the world, this messenger will allow you to quickly and conveniently keep in touch with your Facebook friends list.
Microsoft Skype is the legendary messenger for audio and video calls. Its encryption algorithms are a far cry from being the most reliable, but users appreciate multifunctional conferences with the ability for all participants to record and quickly receive a broadcast file. It is also worth highlighting the support for both mobile and desktop versions. For many years, Skype has been one of the most popular messengers for communication across the board.
WhatsApp is minimalistic and functional. Certain shortcomings in the areas of security and privacy do not prevent it from being the most popular instant messenger in the world. The web version and desktop support also make up for many of the security concerns. The app leverages end-to-end encryption by default, which is often discussed by online communities of privacy-minded users. Backups are not encrypted.
Summary
In terms of personal data security and privacy, Signal, Threema, and Wickr Me are the top messengers. However, each service has its pros and cons. The ideal application in terms of absolute security and anonymity of secure instant messaging has yet to be created.
It is impossible to provide high anonymity without sacrificing other features. For example, the speed of message delivery in a more secure messenger is significantly reduced, there is a limit on the size of an attachment, etc. That being said, when choosing a messenger for everyday communication, an ordinary user should find a reasonable trade-off between convenience and security.
About the Author
David Balaban is a computer security researcher with over 18 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
About TeleMessage
TeleMessage offers employees the freedom to use modern messaging applications on the mobile and desktop. Our mobile archiving products securely record content from mobile carriers and mobile devices, letting companies meet recordkeeping regulations and compliance requirements.
With multiple archiving solutions, you can always find the right tools or blend for your requirements:
- Network Archiver
- Enterprise Number Archiver
- Android Archiver
- WhatsApp Archiver
- WeChat Archiver
- Signal Archiver
- Telegram Archiver
TeleMessage offers cross-carrier and international mobile text & calls capture and archiving for corporate and BYOD phones. Visit our website at www.telemessage.com to learn more about our mobile archiving products.
