Messaging applications are among the most used apps, if not the main apps, we use
every day. Whether it’s to keep in touch with family and friends around the
world, contact colleagues or conduct business, messaging apps like
WhatsApp, iMessage, Skype and Facebook Messenger play an important role in our
We often share things like personal photos, business
secrets and legal documents on messaging apps, information we don’t want
available to the wrong people. But to what extent can we trust our messaging
apps to protect all our confidential messages and sensitive information?
Following are some guidelines that will help you assess the
security level that your favorite messaging app provides.
A few words about encryption
Of course, all messaging platforms claim that they encrypt your data. Encryption uses mathematical equations to scramble your data in transit to prevent eavesdroppers from reading your messages.
Good encryption ensures that only the sender and the
recipient of a message are aware of its content. But not all types
of encryption are equal.
The safest messaging apps are those that support end-to-end encryption (E2EE). E2EE
apps only store decryption keys on users’ devices. E2EE not only protects your
communication against eavesdroppers, but also ensures that the company that
hosts the application cannot read your messages. This also means that
your messages are protected from data breaches and intrusive orders by
three-letter agencies.
More and more messaging applications offer
end-to-end encryption. Signal was one of the first platforms to support E2EE.
In recent years, other applications have adopted Signal’s encryption protocol
or have developed their own E2EE technology. Examples are WhatsApp, Wickr
Facebook Messenger and Telegram also support E2EE messaging,
though it’s not enabled by default, making them less secure. Skype also
recently added a “Private Conversation” option that gives you end-to-end
encryption on one call of your choice.
Google Hangouts does not support end-to-end encryption,
but the company offers Allo and Duo, SMS and video conferencing
apps that are end-to-end encrypted.
Security is more than just encrypting messages. What
if your device or the device of the person you are chatting with is hacked or
falls into the wrong hands? In that case, encryption is of little use,
because the malicious actor will be able to see the messages in their unencrypted form.
The best way to protect your messages is to delete them
when you no longer need them. This ensures that even if your device
becomes compromised, malicious actors will not be able to access your confidential and
All messaging apps offer some form of message deletion,
but again, not all message deletion features are equally secure.
For example, Hangouts and iMessage allow you to clear your chat history. But even though messages are deleted from your device, they remain on the devices of the people you are chatting with.
Therefore, if their devices are compromised, you will still lose your sensitive data. To its credit, Hangouts has an option to disable chat history, which automatically deletes messages from all devices after each session.
In Telegram, Signal, Wickr, and Skype, you can delete messages for all parties to a conversation. This can ensure that sensitive communications are not left behind on any of the devices involved in a conversation.
WhatsApp also added a “delete for everyone” option in 2017, but you can use it to delete only the messages you’ve sent in the last 13 hours. Facebook Messenger also added an “unsend” feature very recently, although it only works for 10 minutes after you send a message.
Signal, Telegram and Wickr also provide a self-destruct
messaging feature, which deletes messages from all devices immediately after
a configured time period elapses. This feature is especially good for
sensitive conversations and saves you the hassle of manually deleting messages.
Each message comes with an amount of additional information, known as metadata, such as sender and receiver IDs, the time when a message was sent, received and read, IP addresses, phone numbers, device IDs, etc.
Messaging servers store and process that kind of information to make sure messages are delivered to the right recipients on time and to allow users to browse and organize their chat logs.
While metadata does not contain message text, in the wrong hands it can be very harmful and reveal a lot about users’ communication patterns such as their geographic location, the times they use their apps, the people they interact with, etc.
If the messaging service falls victim to a data breach, this kind of information could pave the way for cyberattacks such as phishing and other social engineering schemes.
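What the metadata described above can reveal without any message text, shown as an added illustration that is not part of the original article. The record fields, user names and addresses are constructed for this example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records: metadata only, no message content.
# Field names and values are assumptions made for this illustration.
RECORDS = [
    {"sender": "alice", "receiver": "bob",   "sent": "2019-03-04T08:05:00", "ip": "198.51.100.7"},
    {"sender": "alice", "receiver": "bob",   "sent": "2019-03-04T08:40:00", "ip": "198.51.100.7"},
    {"sender": "alice", "receiver": "carol", "sent": "2019-03-04T13:10:00", "ip": "203.0.113.20"},
    {"sender": "alice", "receiver": "bob",   "sent": "2019-03-04T22:30:00", "ip": "198.51.100.7"},
    {"sender": "bob",   "receiver": "alice", "sent": "2019-03-04T09:00:00", "ip": "192.0.2.15"},
]


def profile(records, user):
    """Summarise what stored metadata alone says about one user's habits."""
    contacts = Counter()   # who the user writes to, and how often
    hours = Counter()      # hours of the day in which the user is active
    ips = set()            # network locations the user connected from
    for rec in records:
        if rec["sender"] != user:
            continue
        contacts[rec["receiver"]] += 1
        hours[datetime.fromisoformat(rec["sent"]).hour] += 1
        ips.add(rec["ip"])
    return {
        "top_contact": contacts.most_common(1)[0] if contacts else None,
        "active_hours": sorted(hours),
        "distinct_ips": sorted(ips),
    }


if __name__ == "__main__":
    # Every field below is derived without reading a single message body.
    for key, value in profile(RECORDS, "alice").items():
        print(f"{key}: {value}")
```

The fewer of these fields a service retains, the less a breach of its servers exposes.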
Most messaging services collect a wealth of metadata and
unfortunately there is no sure way to know what type of information messaging
services store. But as far as we know, Signal has the best track record.
According to the company, its servers only register the phone number with which
you created your account and the last date you logged into your account.
Any developer will tell you their messaging app is safe,
but how can you be sure? How do you know the app isn’t hiding a
government-implanted backdoor? How do you know the developer has done a good
job in testing the application?
Applications that make the source code of
their application publicly available, also known as “open-source”, are more
reliable because independent security experts can investigate and confirm whether
they are safe or not.
Signal, Wickr and Telegram are open source messaging apps,
meaning they have been peer-reviewed by independent experts. Signal in particular
has the support of security experts such as Bruce Schneier and
WhatsApp and Facebook Messenger are closed source, but they
use the open-source Signal protocol to encrypt their messages. This means that
at least you can be sure that Facebook, which owns both apps, won’t be
looking at the content of your messages.
For completely closed-source applications like Apple’s
iMessage, you have to trust the developer completely to avoid disaster
To be clear: open source does not mean absolute security. But
at least you can make sure the app isn’t hiding anything nasty under the