"Ultimately, saying that you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say."
Edward Snowden in Permanent Record
An end-to-end encrypted (E2EE) messaging app encrypts every transmission, be it message, voice, or video, before it is sent from your device. This protects both the authenticity and confidentiality of the messages as they pass through any devices or servers.
Here are a few reasons if you need some convincing on why you should switch to a secure encrypted messenger:
- It’s about Privacy: I don’t know about you, but when I am chatting online with my friends or family, I just don’t want other people listening in.
- It’s about Security: Hackers from all around the world want access to your information so that they can steal your identity, break into your bank account, sell your confidential data, or blackmail you.
- Governments and Corporations want to know everything: Corporations want access to your data so that they can serve more personalized ads; data is the new oil. Governments want to know what you say, do and think so that they can manipulate, the whole.
The whole Nothing to Hide Argument just doesn’t make any sense.
Unless you have a secure messaging app, these groups may already be intercepting your messages. That’s why there’s an abundance of so-called “private” and “secure” messengers right now, but all of them fail to do the job for one reason or another. This guide will show you how to get the most secure encrypted messenger that respects your privacy.
How to Choose an Encrypted Messenger?
Choosing an encrypted messaging app can be tricky, as there are a lot of messaging apps like WhatsApp, Viber, Telegram, etc. that claim to be secure but aren’t open source and/or use proprietary encryption protocols. You should not use SMS either, as it is not encrypted at all.
I recommend only those encrypted messengers that support end-to-end encryption and are open source. Here are a few things you should look for before choosing an encrypted messaging app:
- End-to-end encryption: A messaging app that supports end-to-end encryption encrypts every transmission, be it message, voice, or video, before it is sent from your device, which protects both the authenticity and confidentiality of the messages as they pass through any other devices or servers.
- Open source: Any and all software dealing with personal data should be open source, as this lets anyone look through the code to find bugs, backdoors, and vulnerabilities today and in the future. Check for the ones that have both the app and servers open source.
- Security Audits & Vulnerability Disclosure Programs: While open source code is great to have, you should always look for the ones that have also been independently audited, and have vulnerability disclosure programs.
- Business Model: The business model or sources of revenue of any company is an important factor. Look for the ones that don’t rely on personal data collection & monetization. The business model matters because “Money Talks”, and you should be aware of who is funding it.
- Jurisdiction: The place where a company is based and has its servers matters, as many countries have laws that demand that the government be able to decrypt encrypted data. Look for the companies located in places that have robust privacy and security laws.
- Anonymous sign up: Signing up anonymously for a chat app may not be a priority to you, but many people have good reasons for needing to remain anonymous, and not giving away something that could be used to track them.
- Contact verification: Some messaging apps let you verify the person you are talking to via the users’ fingerprints, a representation of identity bound to the encryption keys. Check for the ones that let you verify it either by scanning a QR code, or by publishing or sending fingerprints via another medium, which will help prevent “man in the middle” attacks.
- Encryption Key Management: The encryption keys generated for end-to-end encryption must be kept on your device, and the company should not have access to your encryption keys. This will make sure that only you can decrypt the messages.
- Forward Secrecy: Forward secrecy means that each message that’s sent is protected by a unique encryption key (a session key), which gives assurance that session keys will not be compromised even if the private key of the server is compromised. This protects your past messages even if the encryption key on your device is compromised.
- Disappearing Messages: This is a very neat feature in some messaging apps that automatically deletes your messages after a certain period of time, which can come in really handy when you are sending something confidential.
- Ownership & Trust: This is often overlooked, but is just as important when choosing a secure messenger. You should know who owns the company and who the company answers to. It is a plus if the company provides a transparency report.
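A minimal sketch of the forward secrecy property described in the list above, added here as an example (it is not code from any of the apps discussed, and it is not the Signal protocol's full ratchet): every message key comes from a one-way HMAC chain, and the device keeps only the current chain key. The function and class names and the seed are constructed for illustration.

```python
import hashlib
import hmac

def kdf_chain_step(chain_key):
    """One ratchet step: return (message_key, next_chain_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key

class SendingChain:
    """Keeps only the current chain key; each step overwrites the old one."""
    def __init__(self, initial_chain_key):
        self._chain_key = initial_chain_key

    def next_message_key(self):
        message_key, self._chain_key = kdf_chain_step(self._chain_key)
        return message_key

    def snapshot(self):
        """The state someone obtains by seizing the device at this moment."""
        return self._chain_key

def keys_derivable_from(stolen_chain_key, count):
    """Message keys that can be computed going forward from a stolen state."""
    keys = []
    for _ in range(count):
        message_key, stolen_chain_key = kdf_chain_step(stolen_chain_key)
        keys.append(message_key)
    return keys

def demo():
    # Constructed seed; a real app derives it from a key agreement.
    seed = hashlib.sha256(b"constructed demo seed").digest()
    chain = SendingChain(seed)
    past = [chain.next_message_key() for _ in range(3)]    # already sent
    stolen = chain.snapshot()                               # device compromised here
    future = [chain.next_message_key() for _ in range(3)]  # sent afterwards
    derivable = keys_derivable_from(stolen, 3)
    return past, future, derivable

if __name__ == "__main__":
    past, future, derivable = demo()
    print("past keys exposed:  ", any(k in derivable for k in past))
    print("future keys exposed:", derivable == future)
```

Keys for messages sent after the compromise remain derivable from the stolen state in this sketch, which is why ratcheting protocols such as Signal's also mix in fresh Diffie-Hellman output.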
Types of Messaging Apps
Not all messaging apps are created equal. Apart from having different feature sets, they differ in the way they work. Here are the three main types of messaging apps:
|Centralized Messaging Apps|Decentralized / Federated Messaging Apps|Peer to Peer Messaging Apps|
|---|---|---|
|Centralized Messaging Apps have all the participants on the same server or network of servers controlled by the same organization.|Decentralized or Federated Messaging Apps have participants on multiple, independent servers that can talk to each other.|Peer to Peer Messaging Apps connect directly to each other, without requiring any third-party server in between.|
|Senders and receivers need to have the same app to send messages.|Senders and receivers can be on different apps, much like email: a Gmail account can send to Outlook, ProtonMail, etc. and vice versa.|Senders and receivers need to have the same app to send messages.|
|New features and changes can easily be implemented as they are all connected to a central server.|New features and changes need to be standardized and tested so that they can work with all servers on the network.|New features and changes can be implemented quickly, but both peers need to have the same version.|
|Most susceptible to backdoors and restrictions as they are the most used ones, and you can only access the client, not the server.|Less susceptible to backdoors and restrictions as servers are decentralized, and you get access to your client and your server.|Least susceptible to backdoors and restrictions, but can be a bit cumbersome as both peers need to be online to communicate; your client may store messages locally and send them when the contact is online.|
|Examples: Signal, WhatsApp, etc.|Examples: Element, Session, etc.|Examples: Briar, Jami, Silence, etc.|
Centralized Messaging Apps vs Federated / Decentralized Messaging Apps vs Peer to Peer Messaging Apps.
Encrypted Messaging Apps
Lastly, the answer to which messaging app you should use lies in your threat model, which is often an ignored step that makes a lot of users limit their experience because they believe they need Edward Snowden level privacy settings. The fact of the matter is, you need to decide what your privacy goals are, and choose accordingly.
Alright, here are the most secure encrypted messaging apps in each category:
Centralized Messaging Apps
Signal is hands down the most secure messaging app. It is developed by the non-profit Signal Foundation and recommended by Edward Snowden, Jack Dorsey, Laura Poitras, and many other security professionals.
It is free and open source, and provides instant messaging, as well as voice and video calling, and can be used as a replacement for your SMS app. All communications are E2EE unless you choose to use SMS.
The Signal protocol has been independently audited, and is now used in many closed source apps like WhatsApp, Skype, etc. Here’s an awesome explanation of Signal Protocol by Computerphile. Signal supports disappearing messages as well as forward secrecy, and regularly publishes Transparency Reports.
In fact, Signal is now used and recommended by The European Commission. The only downside I can see is that it requires you to give up your phone number to sign up, which can be avoided by using a secondary phone number.
Decentralized / Federated Messaging Apps
Element.io (formerly Riot) is a free and open source client for the Matrix network that lets you send messages, voice, and video securely whether you are chatting one-to-one, in small private groups, or big public ones.
Element lets you send, receive, and view files in any conversation. It is feature-rich, allowing you to use bots for several tasks. And, since Element is federated, you can easily communicate with users of other apps like Slack with bridges without ever leaving your respective apps.
You get to choose whom you trust with your data, or you can just run your own server. The Matrix open standard is an open-source standard for secure, decentralized, real-time communication that has been independently audited by NCC Group.
Session Messenger is a free and open source messenger that checks pretty much all the boxes: it uses the Signal protocol for end-to-end encryption and does not require you to give your phone number.
Session uses the Signal protocol on top of the decentralized Loki network, which greatly improves the anonymity and robustness of the system and makes it decentralized. You can set up disappearing messages, and even manually reset session keys.
Although Session messenger is in beta right now, it is fantastic, works fast, and is feature rich. They also publish transparency reports. It seems really promising, and I would be keeping an eye on its development.
Status.im is a free and open source encrypted multi-purpose instant messenger with a decentralized crypto-wallet, and Web3 browser. It uses the Waku protocol (a fork of Whisper) for peer to peer communication.
Status lets you join any number of public channels or send private one-to-one or group chats, along with the functionality to send and receive crypto payments directly. You can easily interact with peers and DApps as the Status wallet is integrated with messenger and browser.
I love the integrated private Web3 browser and cryptocurrency wallet that comes with the encrypted Status.im messenger; however, it is only available for iOS and Android right now.
Peer to Peer Messaging Apps
Briar is a peer to peer encrypted instant messenger that is free and open source, and lets you connect to contacts via Wi-Fi, Bluetooth, or Tor over the internet to sync messages.
Briar checks pretty much all the boxes when it comes to peer to peer messaging, and has been proven to be useful when Internet availability is an issue, such as in times of crisis. Check out how Briar works here.
It has been independently audited by Cure53; however, it is available only for Android and currently supports text only (sending photos is being worked on).
Silence.im is a free and open source, peer to peer encrypted messaging app that uses Signal protocol for end-to-end encryption. Your messages are always encrypted locally, but it requires your phone number.
Silence works great as an SMS app with the ability to send encrypted messages, and you can also store your text SMS in an encrypted database. They also publish a signed warrant canary every two months on their website.
It is easy, works right out of the box with support for both texts and media, but is only available for Android right now.
Jami is a free and open source encrypted instant messaging and video calling app. All communications are end-to-end encrypted via TLS 1.3 and are never stored anywhere other than on users’ devices, even when TURN servers are used.
Jami is a GNU project backed by the Free Software Foundation, and is feature-rich with built-in functionalities like screen sharing, group chats, and audio and video calls.
It is not completely decentralized, but does let you self-host, has apps for all platforms, and gets the job done.
Video / Voice Calling Apps
Most of the apps mentioned above already support video/voice calling functionality via VoIP (Voice over IP). Here are some other secure apps that are primarily voice and video focussed, which you can use to switch from Google Hangouts, Google Meet, Google Duo, Skype, Viber or Zoom.
Linphone is an open-source SIP client and a free voice over IP service for audio/video calls and text messaging, available on your phone, on your desktop, and in web browsers.
It supports end-to-end encryption for audio and video calls as well as for one-to-one and group messages via the state of the art ZRTP protocol.
Mumble is a free and open-source, low-latency, and high quality voice chat app that was primarily intended for use while gaming. You can connect to the public server or set up your own server.
Jitsi Meet is a free and open-source multiplatform voice, video conferencing, and instant messaging app that requires no sign up to use. You can easily share your desktop and presentations, and with just a link you can invite new members to a videoconference.
Team Chat Apps
Most of the apps mentioned above support team chat. Here are some secure team chat platforms you should switch to if you are using Slack, Teams, or Discord.
Rocket.chat is a self-hostable open source communication platform for teams. You can use their server or host your own, and get lots of features like screen sharing, file sharing, LiveChat, LDAP Group Sync, two-factor authentication (2FA), E2E encryption, and SSO. You can easily enable the end-to-end encryption.
Why not SMS, iMessage, WhatsApp, Telegram?
Let’s address the elephant in the room: there are many other messaging apps like iMessage, WhatsApp, Telegram, Viber, LINE, etc. that also claim to be private and secure.
I don’t recommend using popular messaging apps like WhatsApp, iMessage, Telegram, Viber, etc., as most of them are closed source, don’t support encryption, or, even if they do, don’t have it turned on by default.
You should not use SMS, as it is in plain text, which makes it even less secure; it can easily be hijacked by anyone, let alone your service provider and the government.
- Secure Messaging Apps Comparison: A simple comparison of Secure Messaging Apps by Mark Williams
- Secure Chat Guide: A practical step-by-step application of EFF’s guide to choosing a secure messaging app
- Messaging Features Matrix: A great matrix letting you choose the secure messaging app by selecting the features you want
- Exodus Privacy Reports: The privacy audit platform for Android apps helping you know which trackers and permissions are embedded in apps installed on your device
- Wikipedia Comparison of Messaging Apps and Messaging Protocols
Encrypted Messaging Apps
Each service, no matter how secure and open source, can be compromised, as at the end of the day you’re dealing with humans who can just screenshot, copy, or forward your messages to someone you did not intend to see them.
And, it all basically depends on your threat model — don’t use Facebook Messenger, WhatsApp, Duo, etc if you want to avoid corporate tracking, and if your goal is to evade more massive state-sponsored surveillance programs, look for the ones that are open source, can be self-hosted, and let you manage your encryption keys.
It’s also important that you know who you are messaging, verify their keys, and ensure that you place the utmost trust in them with the content you are sending.
That’s all Folks!
I will be updating this page frequently with more private and secure messaging apps. You can check out the recommended private search engines for better privacy while searching online.