From WhatsApp to Snapchat, messaging apps provide a free and easy-to-use service to communicate with friends, family, and co-workers.
Before you search on the app stores or ask your friends about their messaging app of choice, be sure to take a step back and examine each app’s practices when it comes to protecting your privacy. One feature to look for is end-to-end encryption (E2EE).
[Get the latest on online privacy and security in our weekly blog newsletter.]
Without encryption, private messages can be read by the company behind the app, as well as third parties such as governments that collect private data on their citizens. Not even using the best VPN would help you if you’re using a messaging service that stores identifiable metadata about your conversations on its server.
Encryption makes societies freer, despite government efforts to undermine it, and thankfully several messaging apps use E2EE to prevent anyone except you and the intended recipient from reading the messages you send.
What is encrypted messaging?
End-to-end encryption (E2EE) is a method of encrypting data that only allows the sender and receiver of the message to decrypt and read messages passed between them. More importantly, encryption prevents apps from storing copies of your messages on its servers, which would put them within reach of government authorities.
Apps that don’t have E2EE for messaging by default, if at all, as of writing are:
- Snapchat (has E2EE for photos and videos)
- Kik
- Google Hangouts
- KakaoTalk
- Line (opt-in E2EE)
- Skype (opt-in E2EE)
- Facebook Messenger (opt-in E2EE)
- Telegram (opt-in E2EE)
Privacy and security review of encrypted messaging apps
With many good options available, here’s our take on some of the most widely used and secure messaging apps, in no particular order. We also want to note that while some of these apps have enterprise (paid) versions, we’ll mostly be focusing on the features they have in the free versions of these apps.
1. Messages (formerly iMessage)
Compatible operating systems: MacOS, iOS
Price: Free (on Apple devices)
Apple’s Messages is only available on Apple devices, but it packs a punch with its security features.
The good
On top of offering end-to-end encryption between users, Messages allows users to control how long the message stays up and how many times the recipient can view the message (although this feature is only available to those who have iOS 10 and above).
Regardless of which Apple device you’re using, whether it’s iOS, watchOS, or iPadOS, your messages are end-to-end encrypted and cannot be accessed without a passcode. Users of Apple’s FaceTime can also rest easy knowing that their video calls are E2EE too.
The bad
Messages is only available on Apple devices, meaning any message you send via Messages to a non-Apple device will not be encrypted. One major security loophole is the option to backup your Messages to iCloud. On the cloud, messages are encrypted by keys controlled by Apple, meaning that if your iCloud were ever hacked or subpoenaed, those messages could be revealed.
Apple’s CEO, Tim Cook, has said that Apple “believe(s) that privacy is a fundamental human right,” and at least in its Messages and Facetime it appears to take this commitment seriously. Just avoid storing your messages on web-based platforms like iCloud—toggle off messages in settings so they’re not stored on the cloud.
Would we recommend this app? Only if you know the other person is receiving the message on an Apple device. You should avoid using Messages if you’re communicating with people who do not have it on their devices.
2. Wickr
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free, or up to 25 USD/month for an enterprise account
Founded by privacy and security advocates in San Francisco in 2012, Wickr was one of the first messaging apps to adopt end-to-end encryption. Messages are encrypted by default, and the company undergoes regular security audits. As of 2017, Wickr is also open source.
There is a free version of the Wickr app, which allows up to 10 users, and three paid tiers that charge up to 25 USD/month, and allow unlimited users.
Wickr has several features that make the app secure, including screenshot detection, blocking third-party keyboards on iOS, and ensuring any deleted files are completely unrecoverable.
The good
The app’s free and paid versions both have plenty of security features, such as self-destructing messages, content shredding, and an inability to take screenshots (on Android only).
The bad
Unfortunately, Wickr doesn’t have as many users as WhatsApp, Viber, and Signal, so you might have to recruit people to talk to.
The messages are also bound to both your account and your device, and the app won’t sync your messages across devices. That could amount to multiple separate conversations with your contacts—which makes it seems like they’ve made the app secure to a fault.
Would we recommend this app? Yes, if you can find more people who also use it.
3. Viber
Compatible operating systems: Windows, MacOS, Android, iOS, HarmonyOS
Price: Free
Viber has about 260 million monthly active users and is primarily positioned as a competitor to the less-secure Skype on mobile. It’s enabled end-to-end encryption since April 2016.
The good
The app has end-to-end encryption on all its available platforms (Mac, Windows, iOS, and Android) and also color codes your chats based on how secure they are: Gray denotes encrypted communication, green means an encrypted communication with a trusted contact, and red means the authentication key has an issue. Viber also supports self-destructing messages in its secret-chats feature.
The bad
The one big limitation to Viber is that it only supports end-to-end encryption for one-on-one chats—group chats are not offered the same level of security as individual conversations. It also requires a phone number to sign up.
Would we recommend this app? Only if you’re using the app for directly messaging and individual video calls. Group chats will not be encrypted, so if you want an app that encrypts both, don’t use Viber.
4. Signal
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free
Née RedPhone, Signal has become the darling of the information security community since its release in 2014, and has grown in popularity among ordinary users too. It still has nowhere near the same number of active users as WhatsApp, though.
The good
By default, Signal provides end-to-end encryption for all voice calls, video calls, and instant messages with its own protocol.
This technology is 100% open source, which means its security is vetted by cybersecurity experts and its technology has been adopted by other messaging services like WhatsApp and Skype as well.
To verify that your conversation with another person is private, each Signal conversation has a unique device safety number to verify the security of your messages and calls with specific contacts. This is especially useful for preventing man-in-the-middle attacks—if a safety number changes more frequently than you’d expect for someone switching devices or reinstalling Signal, for instance, it may indicate that something is awry.
Signal also allows you to secure the app with a password so you can protect your messages if they fall into the wrong hands. There is an option to send self-destructing messages too.
The bad
You’ll need to provide a phone number to sign up, although you can opt to use a “burner” phone or SIM card. Signal’s aware of this limitation and is currently experimenting with PINs to reduce reliance on phone numbers. This Signal PIN will allow users who may have lost their devices or had them stolen to recover their data on a new device without starting from scratch, or having to use a phone number. It’s a start, but it’s not quite there yet.
Would we recommend this app? Yes—Signal is one of the best messaging apps you can use for secure communication. If you don’t want to use your phone number, you can resort to a burner phone. The company aims to reduce its reliance on phone numbers anyway, so this small irritant may also go away soon.
5. Jabber/OTR
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free
Jabber and OTR are different from the rest of the pack: Technically speaking, they’re not messaging apps. They are two protocols that when stacked on top of each other provide a free, secure, open-source, decentralized platform. Plenty of apps support Jabber with OTR, such as Pidgin for Windows/Linux or Adium for Mac. You can also download Tor Messenger and Chat Secure for your mobile phone, both of which support Jabber.
The good
Jabber/OTR can be set up anonymously. This means they don’t require a phone number or personally identifiable information during the sign up and registration process.
The bad
Sadly, Jabber/OTR does not function very smoothly on mobile compared to others on the list, as the protocol needs an almost continuous connection between you and your peer. The lack of supporting features, even as basic as sending attachments, can also be a frustrating limitation.
Would we recommend this app? If you need a protocol that can be trusted to keep out even the most powerful of adversaries, Jabber/OTR is the best choice.
Read more: ExpressVPN’s guide to anonymous messaging
6. Telegram
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free
Telegram was built by brothers Nikolai and Pavel Durov, exiled Russian-born billionaires, previously famous for the Facebook clone Vkontakte (now VK). Pavel Durov had to leave VK in 2014 over a dispute about handing over Ukrainian protesters’ user data. Consequently, the brothers left Russia for Berlin and founded Telegram.
Telegram has recently gained popularity for organizing protests largely because it allows large chat groups of up to 10,000 members. This has in turn drawn the attention of state actors.
The good
The messaging app gives you the option to encrypt your messages, which you can enable with “Secret Chats” to encrypt them. When enabled, you can set messages to self-destruct across all your devices automatically or at a set time.
The bad
If you don’t encrypt your chat, then your data is stored on Telegram’s servers, which puts the security of your messages at risk.
Telegram also does not have E2EE by default—you’ll need to use its secret chats feature to enable it.
The client-side code for Telegram is open-source, but its server-side code is not. Telegram uses its own protocol, MTProto, to encrypt your messages, and they have not yet revealed the coding behind it. The app also leaks a lot of metadata. A security researcher found a way for an attacker to know when a user is online or offline, therefore allowing them to work out who is talking to who, and when. And just this year, Telegram’s ”People Nearby” feature has been demonstrated to show precise location data to hackers, which they don’t plan to fix.
Would we recommend this app? We can’t recommend Telegram for secure messaging. Consider deleting Telegram if you’re using it for secure messaging.
7. Wire
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free, or up to 9.50 USD/month for an enterprise account
Wire is an open-source and collaborative messaging app that has both a free version and plenty of useful features: fully encrypted video calls, secure file sharing, synced messages between devices, and others. Wire also offers a paid corporate subscription plan.
The good
On top of having E2EE for text messages, Wire also offers the same level of encryption for its video calls. It is open source, and if you want the convenience, you can transfer your messages across any device that you’re signed in to. It also has self-destructing messages, session verification to make sure you’re talking to the person you want to talk to, and a password lock for your app.
The bad
While Wire has E2EE and security features, it retains some significant metadata on its servers, including timestamps and participants lists. In fact, a 2018 report from the CrySP team at the University of Waterloo found that the app “…does not attempt to hide metadata, other than the central server promising not to log very much information.” It also keeps server-side logs for up to 72 hours “for the sole purpose of facilitating troubleshooting, improving the service and preventing abuse,” but it’s not clear what specific metadata is logged.
Would we recommend this app? Not until it stops collecting personally identifiable metadata.
8. Threema
Compatible operating systems: Android, iOS
Price: Free, 2.16 USD/month for enterprise accounts
Unlike a lot of apps on this list, Threema is a paid chat service that uses E2EE to encrypt calls and texts. It is partly open source and has been audited several times.
The good
Threema generates a unique key that allows you to use the app anonymously. It’s also open source, which often means it’s more secure.
The bad
Threema says that it deletes the messages you send from its servers once delivered, but it’s not clear whether that actually happens. If you do use Threema, bear in mind that the app collects significant amounts of metadata that it will provide to government authorities if a request is made.
Would we recommend this app? No.
9. WhatsApp
Compatible operating systems: Windows, MacOS, Android, iOS, KaiOS
Price: Free
Brian Acton and Jan Koum founded WhatsApp in 2009 originally for people to publish status updates, not dissimilar to Facebook’s statuses. It was the messaging feature, however, that saw its popularity skyrocket, and Facebook bought it in 2014. WhatsApp is end-to-end encrypted, but its ownership has raised concerns about how it could be used in future.
The good
Security-wise, WhatsApp’s default E2EE enhances its privacy and security from malicious actors (which could arguably include its Facebook owners too). Security flaws have appeared in the past, but if cybercriminals breached WhatsApp today, they couldn’t decrypt your conversations. It also has a lot of what may now be considered standard features like video calling, voice messaging, and file sharing.
The bad
It’s owned by Facebook. ’Nuff said.
Would we recommend this app? Not with better alternatives in the market. Like with Telegram, if you want secure messaging, consider deleting WhatsApp.
What is the best secure messaging app?
There are a lot of messaging apps to choose from, but Signal is really your best bet, in terms of reach, security, and privacy-enabled features. WhatsApp may be used by more people, but its ties to Facebook are worrying. Jabber is certainly the most secure, but its reach and lack of features make it challenging for everyday use.
However, keep in mind that end-to-end encryption is not the catch-all security feature to protect yourself from surveillance. Even if you use a secure messaging app, an unsecured device will allow anyone access to your messages. Protect your messaging apps with a password, and practice basic mobile security to ensure no one can gain entry to your device.
Read more: