Messaging apps provide an easy-to-use way of keeping in touch with friends, family, and co-workers. However, when using them, it’s essential to be aware of online privacy and security.
The main messaging app security concern is the extent to which third parties can potentially read private messages, the companies behind the apps, or even governments that collect data on their citizens. When evaluating messaging app security, key considerations include:
1. End-to-end encryption
Does the app have end-to-end encryption (E2E)? End-to-end encryption scrambles your private chat messages, and only the sender and the receiver of the messages have the "keys" to read them.
2. Open source code
Does it use open source code? Open source code means the app is open to outside accountability and auditing by experts, which can be a useful way to bring attention to any weaknesses or vulnerabilities in the code.
3. Self-destructing messages
Self-destructing or disappearing messages disappear after a set period of time, depending on your chosen settings.
4. Use of data
While many secure messaging apps use end-to-end encryption, they can still collect data about you, called metadata. This includes information like who you talk to, for how long, on what device, your IP address, and phone number.
What are the most secure messaging apps?
There are many messaging apps available to us now. However, some have been proven to be more secure than others. We take a look at some of the most popular options out there to see — which messaging app will keep your data safe and which messaging apps have weak security.
(NOTE: the below list is not in priority or endorsement order)
What is Signal?
Signal is a cross-platform encrypted messaging service dedicated to end-to-end encrypted voice calling and encrypted texting. It is generally considered one of the most secure messaging apps on the market.
The Signal messaging app is free to use and available on both Android and iOS operating systems. There is also a desktop version for Windows, Mac, and Linux. To join, all you need is a phone number.
The user experience is similar to other popular chat apps such as WhatsApp and Facebook Messenger. Features include one-to-one messaging, group messaging, stickers, photos, file transfers, voice, and video calls.
Signal has been around since 2013 but increased rapidly in popularity in 2020 and 2021.
How secure is Signal?
- Signal is not owned by a Big Tech company – it is an open-source project supported by grants and donations. This means there are no ads, affiliates, or secret tracking.
- Conversations on Signal are end-to-end encrypted. This means only the people in the conversation can see them, and no-one else (not even the owners of Signal).
- Other messaging apps offer end-to-end encryption as an option, but on Signal it is the default.
- Signal offers self-destructing, disappearing messages – i.e., messages which are automatically removed after a set time.
- Signal tries not to collect too much data on its users. Everything in your Signal messaging app, including messages, pictures, and files, is stored locally on your phone.
- Other apps use Signal's messaging protocol for their most secure modes, including WhatsApp and Wire.
What is Telegram?
Founded by Russian entrepreneur Pavel Durov, Telegram is a multi-platform messaging service that first rolled out on iOS and Android in 2013. Telegram’s core functionality is the same as most other messaging apps: you can message other Telegram users, create group conversations, call contacts, and send files and stickers.
How secure is Telegram?
- Telegram also uses end-to-end encryption. Telegram encryption prevents anyone outside a two-way conversation — whether a company, the government, hackers, or someone else — from seeing what has been sent.
- However, Telegram only uses this encryption in calls and its "secret chats" feature, not in regular chats. Those are only encrypted client to server. By contrast, WhatsApp, which is sometimes portrayed as less secure, has used end-to-end encryption in messages, calls, and video calls since 2016.
- The reason for this is Telegram’s enhanced use of the cloud. Essentially, it stores all your messages and photos on a secure server. This means you can access them from any connected device, making Telegram more multi-platform friendly than other chat apps like WhatsApp.
- Selling your data isn’t at the core of Telegram’s business model – a plus for Telegram security.
- There is an option to self-destruct messages, files, photos, and videos in a certain amount of time after they have been sent and received. After a message is received, it remains in the chat for a set period – you can select times between one second and one week – and then it disappears.
- Telegram challenged hackers to attempt to break through their encryption and decipher messages, offering a $300,000 rewardfor anyone who could do so. The contest ended without anybody winning the bounty, but Telegram has a bug bounty program which remains open, encouraging security researchers to submit any safety issues in the Telegram apps or protocol. Submissions resulting in a change on Telegram’s end can win bounties ranging from $500 to $100,000. Contests and programs like this help ensure that any potential vulnerabilities will be found and fixed.
- After your account has been inactive for a certain amount of time (six months being the default), your account will automatically self-destruct, completely wiping your messages and media.
What is Wire?
Launched in 2014, Wire promotes itself as a secure messaging app. The company behind Wire is based in Switzerland, considered one of the best jurisdictions in the world for any kind of secure online service or secure chat app. Wire can be used on Android, iOS, macOS, Windows, and popular browsers.
How secure is Wire?
- Wire also provides end-to-end encryption. Wire’s encryption works transparently in the background and does not need to be activated because it is always on.
- Wire does not sell analytics or data usage to third parties.
- Like Signal, Wire is open source, which means its source code is available for users to inspect, verify and improve (in this case, through GitHub).
- Outside experts have publicly audited Wire, so if you don’t have time or expertise to view their source code, you can read published findings online.
- You only need to register with an email address, not a telephone number.
- The app is fully GDPR compliant.
What is WhatsApp?
With an estimated 1.5 billion users worldwide, WhatsApp probably needs no introduction. It was one of the first chat apps to enable end-to-end encryption for more secure communication. WhatsApp is owned by Facebook, an association that makes some question its privacy credentials.
How secure is WhatsApp?
- WhatsApp encryption is established, and users are explicitly warned when end-to-end encryption is not applied to a particular chat.
- WhatsApp does not store messages on its servers, so if cybercriminals were to hack into the platform, they would not be able to decrypt any of the messages.
- Additionally, WhatsApp does not have the key to see encrypted messages. By default, WhatsApp stores messages in a way that allows them to be backed up to the cloud by iOS or Android.
- WhatsApp offers two-step verification that allows you to add more security to your account by setting a PIN required to verify your phone number on any device.
- WhatsApp is owned by Facebook, which is sometimes viewed as a privacy drawback. WhatsApp receives information from, and shares information with, other Facebook companies. This means data is shared with advertisers, who use it to target consumers.
What is Threema?
Threema is an end-to-end encrypted messaging app. Unlike many others, Threema does not require you to enter an email address or phone number to open an account, which provides users with a very high level of anonymity. Features include text and voice messages, voice and video calls, groups, and distribution lists. Threema is not free – users pay for it. The company behind Threema is based in Switzerland.
How secure is Threema?
- Threema’s key principle is restraint on metadata. To ensure that no data is misused, Threema’s servers permanently delete a message after it is delivered to the recipient.
- Information usually managed on a server is managed locally on the user's device, meaning that any conversation is protected against eavesdropping.
- As a result, there is no fallback to decrypted connections, so nobody else except for the intended recipient can read a Threema message.
- Threema is open source, so users can independently verify the extent of the encryption.
- However, the app does not support two-factor authentication.
What is Wickr Me?
Wickr was founded in 2012 by a group of security experts and privacy advocates. It is one of the only secure messaging apps which can be used truly anonymously. It has different apps aimed at various user groups - Wickr Me, Wickr Pro, Wickr RAM, and Wickr Enterprise. Wickr Me is aimed at personal users.
Wickr Me does not require an email address or phone number upon registration, ensuring that user data is not collected and, therefore, the app does not have access to it. Wickr can be a collaboration tool instead of just a messaging app as there is the ability to share screens, locations, and online statuses.
How secure is Wickr Me?
- The app uses end-to-end encryption on all messages and files, including pictures and videos. This ensures that third parties cannot access the data as it transfers from one device to another.
- All communications on Wickr are encrypted locally on each device with a new key generated for each new message, meaning that only Wickr users have the keys to decipher their content. In addition to encrypting user data and conversations, Wickr strips metadata from all content transmitted through the network.
- Encryption is turned on by default, and transparency reports are available to anyone who uses Wickr.
- The application supports two-factor authentication.
- Wickr does not log IP addresses or other metadata.
- The app is open source and allows self-destructing messages.
- Wickr offers a feature that allows users to detect screenshots. This means that you will receive a notification if someone takes a screenshot of a message you send.
What is Viber?
Viber is a cross-platform voice-over IP and instant messaging software app operated by Japanese multinational company Ratuken. The app is free to download and allows users to make free calls, send texts, pictures, and video messages to other Viber users. You can use Viber to create group chats with up to 250 people and make group calls with up to 20 people at once.
How secure is Viber?
- Provided users select the correct sharing method, Viber offers encrypted voice and video chats on mobile devices and major desktop operating systems.
- Previously only one-to-one communications were protected, but now group chats are secured by end-to-end encryption.
- Within Viber, every chat is color-coded based on its level of encryption:
- Green means the chat is encrypted, and then the contact you are connected to is trusted.
- Grey means the chat is encrypted, but the contact has not been marked as trusted.
- Red means there is a problem authenticating the contact.
What is Dust?
Dust, formerly known as Cyber Dust, is a private messaging app that uses end-to-end encryption for secure communication. According to its website, “You can erase your messages off other people’s phones. No messages are permanently stored on phones or servers. Messages are heavily encrypted and not accessible to anyone, even us.”
How secure is Dust?
- You can send private messages called “Dusts” to your contacts. You can set messages to self-destruct within 24 hours or right after being read.
- You can also send “Blasts”, which are messages sent to a group of people but read privately.
- Dust is also set not to display usernames in messages and informs you if a screenshot is taken from within the app.
- In addition to the secure messenger, Dust also has a privacy-watchdog feature and a stealth search tool for maintaining privacy while searching the web.
What is iMessage?
iMessage is an instant messaging service developed by Apple and launched in 2011. iMessage functions exclusively on Apple platforms: iOS, macOS, iPadOS, and watchOS.
How secure is iMessage?
- iMessage offers end-to-end encryption between users.
- A potential security issue is the option to back up your iMessages to iCloud. Messages stored in the cloud are encrypted by keys controlled by Apple, so if your iCloud were ever hacked, those messages could be revealed.
- However, the solution is to avoid storing private messages on web-based platforms like iCloud for heightened security measures.
- iMessage allows users to control how long each photo, video, or message will appear before it’s gone. You can also choose how many times the viewer can see the message. However, the feature is only available with iOS 10 and later.
What is Line?
Line is a free, secure chat app created in the wake of the 2011 Japanese Tsunami. As a result of the disaster, many normal communication channels had broken down, and the Line app was developed by internet company Naver for its staff as a means of internet-based communication.
Naver opened the app to the public in Japan later that year, where it became incredibly popular before gaining traction across Asia.
How secure is Line?
- Line offers end-to-end encryption, provided users opt-in to this feature – the app calls it “Letter Sealing”.
- You can register to the app using either your phone number or Facebook log-in.
Ensuring you use a secure chat app to communicate with others protects you from malicious actors trying to steal your data. Different apps have different security features and functionality, so choosing which one to use will depend on which features are most important to you.
Tips on how to protect your messaging app security
Aside from the security of the apps themselves, tips for staying safe online when messaging others include:
1. Exercise caution when using via public Wi-Fi
Public Wi-Fi is invaluable but can pose security problems. Since public networks tend to be used by many people, they can be prime targets for hackers. Hackers can easily sniff data like photos, messages, passwords, usernames, and banking information sent over Wi-Fi. Using a VPN can help protect you against any security breaches.
2. Avoid sending private information on chat apps or via text message
Avoid giving out passwords, credit card information, or other private data via messaging. Be wary of disclosing any personal information to a stranger you meet via instant messaging. Even apparently innocent information like the name of your employer can be used against you by fraudsters.
3. Be careful of what links you click on when chatting
Never click on links that you receive through instant messaging from people you do not know and trust and have never met in real life to avoid falling victim to a phishing scam.
4. Protect your phone with security software
As well as securing your device with a password or PIN, make sure you are protected with security software. For example, Kaspersky Internet Security for Android blocks suspicious apps, websites, and files and stops spyware from monitoring calls, texts, and location.