Review of the 6 Top Text Messaging Apps for Security and Privacy

Text messaging apps are a necessity. Everyone I know has at least two on their phone (not including the one that comes with your phone), and some people I know have many more. Finding an app that’s popular which will allow you to send messages is easy—throw a rock and you’ll hit one—but finding a text messaging app for security and privacy is much harder.

This list is based on comparisons I have done between the top messaging apps and SKY ECC, and I’ll update this post as I review more apps. The most popular messaging apps are already included on the list so you can see how the app you (probably) use stacks up. The apps covered (so far) are:

  1. SKY ECC
  2. Wickr
  3. Signal
  4. Threema
  5. Telegram
  6. WhatsApp

There’s a color-coded comparison table at the end which will help you understand all of this at a glance.

#1 Secure text messaging app: SKY ECC

When it comes to messaging apps, there is nothing more secure or private than SKY ECC. The app was built from the ground up with the goal of securing everything involved with messaging—even things which are already secure—so there are multiple layers of protection offered.

Some of the features which are unique to SKY ECC include:

  • Our zero-trust model for security means that we don’t even trust systems which are known to be secure. The phones we use all have tamper-resistant chips, but we went a step further by adding separate partitions for the app as a failsafe. The zero-trust model has been followed all the way down the chain of building the app and our network.
  • 521-bit elliptic-curve cryptography on all messages. This is the highest encryption standard used by any messaging app, and would take all of the best supercomputers in the world centuries to brute-force a solution…if they all combined their computing power.
  • Our own private and secured network of servers, with the ability to connect people in over 190 countries through our data coverage. The image below shows the countries we have data coverage in.
  • Encryption on both mobile and Wi-Fi networks is a feature that many apps lack as they only encrypt Wi-Fi connections. Hacking the mobile phone network isn’t a big chore–the SS7 hack is easy, as is a fake cell tower–and it had to be secured in order for SKY ECC to meet its lofty goals.
  • Many apps ignore encrypting metadata, but not SKY ECC. We use AES 256-bit encryption to protect your metadata—higher than what some competitors use to secure their entire app—to make sure that this vital data doesn’t fall into the wrong hands or leak.

Penetration testing by BlackBerry Cybersecurity verified that SKY ECC has no vulnerabilities. None. They took three days to do what they could to break SKY ECC and found no issues. Here’s the quote from the assessment paper they sent us that you can read:

“All test cases were assessed against, and the application was found to be secure and correctly prevented unauthorised and unauthenticated access to the application, user data and the service. BlackBerry Cybersecurity Services have therefore assessed the overall risk posed to SKY GLOBAL by the ECC Android mobile application to be…”

Not everyone puts their app out like that, but SKY ECC is the best messaging app for security and privacy and that has been proven. If you’d like to learn more, see this article on why SKY ECC is the most secure messaging solution available.

We take our network as seriously as every other aspect of our phone, and think of a truly secure text messaging app as part of an ecosystem. See which devices we’re available on by clicking on the store button below:

#2 Secure text messaging app: Wickr

Wickr is the app pushed by many security experts, and it certainly has its merits, but it can’t claim to be the most secure. Aspects of it that are positive include:

  • They do not keep any data about you, or even read any of your messages. This protects you from server attacks against Wickr and gives you peace of mind knowing that they’re not like apps which actively read your messages for advertising purposes.
  • The app allows for anonymous signups, meaning you don’t have to give over your email or phone number to sign up.
  • Encryption is on by default for everyone who uses it, which is absolutely vital for a secure messaging app. Apps which leave it up to the user, such as Telegram, are making a huge mistake as a friend without it on puts you at risk.
  • Metadata is encrypted with AES 256-bit encryption.
  • Their code has been audited to be secure and is open source.

These are all positive features and are a good step in making sure that Wickr is secure, but Wickr is far from perfect. Some of the issues we found while reviewing it include:

  • They do some minor user-provided data collection. The small amount they do is better than most other apps, but not as good as how SKY ECC does no data collection. Seriously. SKY ECC user names, addresses, phone numbers, etc. are never collected.
  • There is no contact approval feature, so anyone who has your phone number can message you. SKY ECC requires all contacts to be approved before any messages can be exchanged and doesn’t link IDs to phone numbers. Get a contact request from an unknown user? Don’t approve them and they’ll never bother you. More apps need this function.
  • Revoking messages properly is an issue as they allow you to save messages outside of the app. You can delete a message from the app, as seen below, but that doesn’t delete every record of it if someone saves it outside the app.
  • A secure vault would protect important information rather than having it stored in an insecure area of the phone.

Wickr does rank as the second-best text messaging app for security, but it’s a long way off from being the best. The four missing features listed above are an issue for those who need serious privacy.

#3 Secure text messaging app: Signal

When it comes to security and privacy in a digital context, it’s tough to argue with a guy like Edward Snowden:

That tweet is a few years old now though, and I feel that Signal has fallen behind Wickr. Strong features from Signal include:

  • No data is kept which could identify you, and they can’t read messages. Their encryption is adequate.
  • There are no known surveillance capabilities built into the app.
  • Encryption is always-on for everyone who uses it.
  • Messages are only stored on your device, not on a server. This is the ideal and is what SKY ECC does as well.
  • Metadata is encrypted using their “Sealed Sender” feature.
  • There has been an independent security audit done for their app, and the code is open source.

Signal’s 10 million downloads on Android outpace the 1 million downloads Wickr has on Android by quite a bit, but popularity doesn’t mean that an app is good. I played Angry Birds. It was terrible. Popularity is no indication of quality, and these are the points where Signal falls short:

  • They do store your phone number, which is enough data collection to make it so they are not able to do anonymous sign ups.
  • The app has not been properly secured against brute-force hacks. SKY ECC is limited to 10 failed password attempts, with the last needing a CAPTCHA, and the option for as few as three.
  • The app does not have a pre-boot check to make sure it hasn’t been compromised. The issue here is an attacker rolling your phone back to an older operating system with known vulnerabilities to exploit.
  • You can’t properly revoke a message as this function is not as complete as it should be.
  • Two-factor authentication is not a default feature.
  • Their directory service is vulnerable to man-in-the-middle attacks.

I feel that regardless of how popular they are, Signal is still not a better app than Wickr and not near the level of app security features on SKY ECC at all.

#4 Secure text messaging app: Threema

Threema is a well-known app with over 1 million downloads, but this number is for sure held back by the fact that it costs $4 CAD to purchase. If it were a better app this cost could be justified, but it sits here at the number 4 spot because of its issues:

  • Lacks perfect forward secrecy
  • Encryption is weaker than what SKY ECC uses
  • No brute force protection for passcodes
  • Requiring contact approval is not a default feature
  • No self-destructing messages feature, likely never will

They would do better if this were a free app because it doesn’t measure up to Signal or Telegram, and those are both free. Here’s a big factor as to why it isn’t as secure as a paid app should be: this is a screenshot of me making 60 attempts to gain access to my app and failing each time:

This is such an easy fix but they have not implemented it in all the years the app has existed.
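The failed-attempt policy described in the Signal section (10 attempts by default, a CAPTCHA on the last one, configurable down to three) can be sketched as follows. This is an added example, not code from SKY ECC, Threema or any other app reviewed here; the class and function names are hypothetical, and the hard lock after the final failure is an assumption, since the article does not say what happens next.

```python
import hashlib
import hmac
import os


def _derive(passcode: str, salt: bytes) -> bytes:
    # Slow, salted derivation so the stored verifier is not a bare hash.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


class UnlockGuard:
    """Failed-attempt limiter for a local app passcode (illustrative)."""

    def __init__(self, passcode: str, max_attempts: int = 10):
        if not 3 <= max_attempts <= 10:      # range quoted in the article
            raise ValueError("max_attempts must be between 3 and 10")
        self.max_attempts = max_attempts
        self.salt = os.urandom(16)
        self.verifier = _derive(passcode, self.salt)
        self.failures = 0                    # a real app must persist this counter
        self.locked = False
        self.evaluated = 0                   # guesses that reached the verifier

    def captcha_required(self) -> bool:
        # Only the last permitted attempt needs a solved CAPTCHA.
        return not self.locked and self.failures == self.max_attempts - 1

    def attempt(self, passcode: str, captcha_ok: bool = False) -> str:
        if self.locked:
            return "locked"
        if self.captcha_required() and not captcha_ok:
            return "captcha_required"        # guess is neither checked nor counted
        self.evaluated += 1
        if hmac.compare_digest(_derive(passcode, self.salt), self.verifier):
            self.failures = 0                # success resets the counter
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True               # assumed outcome: hard lock
            return "locked"
        return "denied"


def replay_guesses(guard: UnlockGuard, guesses) -> int:
    """Feed guesses with the CAPTCHA solved each time; return how many were checked."""
    for guess in guesses:
        guard.attempt(guess, captcha_ok=True)
    return guard.evaluated
```

Replaying 60 wrong guesses, as in the screenshot described above, results in only 10 of them ever being compared against the stored verifier.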

#5 Secure text messaging app: Telegram

Telegram is included on this list for its sheer popularity, but its issues must be addressed. I can hardly say that it’s a very secure platform, but it is very popular as a messaging app. Reasons why it is popular include:

  • They have no surveillance built into the app.
  • Telegram has perfect forward secrecy, which is a standard for all apps we reviewed.
  • Private keys are stored and generated on the device, another feature which is a must-have.

Those three points are really it, other than the sleek user-interface and the popularity it has brought. It isn’t a terrible app, we use it around the office for goofing around (never anything serious) as it’s popular and offers end-to-end encryption when turned on…but we’re never going to discuss anything sensitive on it.

You can see the comparison chart below for all of my issues with Telegram, but here are the ones they fail at the worst:

  • The company can read messages if you’re not using the end-to-end encrypted Secret Chats feature. This is a huge issue as no company should ever have the ability to read the messages of users at any point, and certainly not one which claims to be secure.
  • They do collect and retain information about you which could identify you to attackers, and routinely follow common data collection practices.
  • Passwords are hashed using SHA-512, which isn’t what that hash is meant for. This can lead to accounts being vulnerable as their passwords are not protected properly. They also do not encrypt personal data (phone number, contact list) at all.
  • Self-destructing messages is an advanced feature they only offer in Secret Chats.
  • Message revocation is only possible in one-to-one chats, group chats do not support it at all.
  • Metadata is not encrypted, and they openly admit to collecting this, leaving you vulnerable to identity exposure.

The last point against Telegram is the founder/owner/funder of the app: Pavel Durov. He is a Russian who has been in self-imposed exile since 2014 as his home country pressured him often to open up a backdoor to Telegram. He’s also rather…different. He recently decided to give up eating to come up with new ideas for Telegram. To summarize:

The owner of Telegram is an eccentric Russian millionaire on a self-imposed exile who thinks not eating food will help him improve his app.

If you read a sentence like that and don’t at least pause for a moment on whether to use that app for secure messages or not…there’s not much I can say to convince you that it’s not the best choice.

One last shot of the CEO/founder of Telegram from his personal Instagram:

#6 Secure text messaging app: WhatsApp

It absolutely has to be said often and loudly: WhatsApp is a good messaging app, but it is not a secure messaging app. There’s no doubt that it’s popular with over 1.5 billion users and 60 billion messages sent each day–even my Mom uses WhatsApp–but this is another case of something being popular not meaning it’s quality.

There are so few positives about WhatsApp as a secure messaging platform that I will simply write everything they actually do well:

  • Their default end-to-end encryption makes it so that the company cannot read your messages.
  • Perfect forward secrecy is enforced.
  • Private keys are generated and stored on the device.

That is it. They do everything else poorly or very poorly. If this product was judged on its ability to be secure it wouldn’t have a single download, but 1.5 billion downloads later and it’s popular enough to get away with anything. Their default end-to-end encryption and popularity are literally the only things which make them worthy of being on this list, and if they weren’t as popular they wouldn’t be in this conversation at all.

WhatsApp makes many mistakes, as you’ll see in the comparison chart below, but these are the worst:

  • All backups stored on their servers are in plain text, and there are issues with data still being stored even when you have not said you want it stored. Your WhatsApp cloud is so vulnerable they might as well have not bothered with end-to-end encryption at all.
  • WhatsApp is owned by Facebook. They do an incredible amount of data tracking, keep data which can identify you, and regularly give that data away to government agencies (which could be ok in a more democratic nation, but the protesters in Hong Kong sure don’t use WhatsApp).
  • Targeted advertising will be coming to the platform in 2020. They have to be ramping up their data collection for this now, and have had plans all along. Matthew Green teaches cryptography at Johns Hopkins, but he didn’t need that to figure this out.
  • Metadata is not encrypted well enough to hide connections, patterns, or most personally identifiable information because it’s encrypted during transport, but stored on their servers. Anyone who wants that data enough can go get it.
  • They openly log IP addresses.

I had to pick and choose which points to include here as WhatsApp is rife with issues. Don’t get me wrong, it’s fine if you’re looking to make plans for a quick meetup with friends, but it’s not fine if you have a potential stalker with any hacking skills or could become the victim of corporate espionage. Consider deleting WhatsApp the proper way now and using any option above instead.

Reviewing the top text messaging apps for security and privacy

The difference between a truly secure and private messaging app, our own SKY ECC, and the too-popular-for-its-quality WhatsApp is about equal to the difference between MLB MVP Mike Trout and a little league tee-baller–they play basically the same game, but one is playing the game at an elite level while the other…

Here’s a visual representation of the reviews of each app above. Right click on it to open it in a new tab for a larger view you can print off or save to your device:

If you need further assistance than this with choosing your next text messaging app for security and privacy, contact our support team now for prompt help:
