Step-by-step guides and detailed information on secure messaging apps for Android, iOS, Windows, Mac and Linux.
Here is a list of the criteria I use to pick the best options. Not every app will have all of these characteristics, but the more of them an app has, the better it will score. Testing is done on both Android and iOS when possible. See my testing setup.
Beside each application you will see 4 numbers in colored boxes. The meaning of these numbers follows:
1 - This is the lowest score, which means the application does not provide any protection in this category.
2 - This score means the application provides some protection in this category.
3 - This score means the application provides protection for many items in this category.
4 - This score means the application provides complete or almost complete protection in this category.
The 4 categories used are Privacy of Messages, Privacy of Identity, Integrity of the System and Resistance to Disruption.
Another aspect of each messenger to consider is the legal jurisdiction the app is subject to. This is usually determined by where the organization that controls the servers and codebase for the messaging system is incorporated. Physical server location is not always a factor: a server located anywhere in the world is still considered under the jurisdiction of the country where the controlling organization is incorporated.
There are various international intelligence sharing agreements, the best known being the so-called "5 eyes", "9 eyes" and "14 eyes" countries. If your data is protected well enough (encryption) and you are able to remain anonymous online, then the country of jurisdiction may not be the primary deciding factor for everyday citizens. But if you require extra security, the jurisdiction may be more important. You can read more about the "eyes" at https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/.
Welcome to your new journey into privacy. Everyone should install Signal as the first step towards a more private lifestyle.
Signal offers excellent end to end encryption between Signal users. One drawback of Signal is that everyone you connect with will know your phone number, but for people you are comfortable knowing your phone number that is fine. The encryption protocol Signal and Molly use is very robust and has proven secure after many years of use. Many other secure messaging apps have even adopted Signal's protocol for exchanging messages.
Molly is a fork of Signal for Android that adds a few features. There are two flavors of the app, one with Google Firebase and Maps and one without, so this provides an additional option for more privacy from Google.
Threema is a messenger from Switzerland that is very easy to use yet is very secure and private. The enterprise version of Threema has been chosen by the Swiss government as their secure messaging platform.
BlackBerry Messenger is an app whose primary focus is enterprise messaging, but it is also available for use by individuals for a very low fee. It is a reasonable alternative to Threema if you are looking for a few specific features, such as using one account on multiple devices, using it on a desktop computer, or if you need video chat with more than one other person.
SimpleX Chat is a newer messenger that has a unique design. For each contact you make, you create a unique message queue on a server just for them to send you messages. They also create a unique message queue for you to send to them. There are no user names to identify specific users of the app; all you know is the location of their messaging queue (which is only for your use). It is like a peer to peer messaging app except that there is a server with a messaging queue in the middle acting as a proxy.
This design has several advantages, including being able to send messages to someone even when they are offline. You send a message to their queue (which is always online) and they retrieve the message right away if they are online, or pick it up the next time they come online. This also protects the network connection details of the devices themselves, since only the server address is ever known. This is such a simple yet effective design.
The messenger also uses good, proven encryption methods with the NaCl library, Diffie-Hellman ECC key exchange and XSalsa20 encryption. The local database is also encrypted with SQLCipher, and I have not detected any data leaks into common storage on Android. The features are limited to text chats, image and file sending, and group chats. But if you want a really secure and private messenger this is looking very promising.
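To make the per-contact queue design concrete, here is a small model of it in Python. This is an added illustration, not SimpleX Chat code, and it does not implement the SimpleX protocol; the names QueueServer, Client and connect are invented, and the split between a send address (given to the one contact allowed to write) and a separate receive handle (kept by the queue's owner) is a modelling assumption. Payloads are opaque bytes standing in for ciphertext, so the only thing the server ever sees is a random queue address and the data queued behind it.

```python
"""Toy model of the per-contact queue design described above.

Added illustration only: this is not SimpleX Chat code and does not implement
its protocol. All names (QueueServer, Client, connect, ...) are invented.
Payloads are opaque bytes; a real client encrypts end to end before sending,
so the server sees only a random queue address and ciphertext.
"""
import secrets
from collections import deque


class QueueServer:
    """Relay holding one queue per (sender -> recipient) direction.

    Modelling assumption: each queue has a *send address* given to the one
    contact allowed to write, and a separate *receive handle* kept by the
    owner, so knowing where to send does not allow reading.
    """

    def __init__(self):
        self._queues = {}    # send_address -> deque of payloads
        self._owner = {}     # recv_handle  -> send_address

    def create_queue(self):
        """Called by the future *recipient*; returns (recv_handle, send_address)."""
        send_address = secrets.token_hex(16)
        recv_handle = secrets.token_hex(16)
        self._queues[send_address] = deque()
        self._owner[recv_handle] = send_address
        return recv_handle, send_address

    def send(self, send_address, payload):
        if send_address not in self._queues:
            raise KeyError("unknown queue address")
        self._queues[send_address].append(payload)

    def receive(self, recv_handle):
        """Drain a queue. Works whenever the owner comes online; the sender
        does not need to be connected at the same time."""
        addr = self._owner[recv_handle]
        out = list(self._queues[addr])
        self._queues[addr].clear()
        return out

    def observed_addresses(self):
        """Everything the server can see: queue addresses, no user names."""
        return sorted(self._queues)


class Client:
    def __init__(self, name, server):
        self.name = name
        self.server = server
        self.inbox = {}      # contact -> recv_handle of the queue they write to
        self.outbox = {}     # contact -> send_address of the queue I write to

    def invite(self, contact):
        """Create a fresh queue reserved for one contact; return its address."""
        recv_handle, send_address = self.server.create_queue()
        self.inbox[contact] = recv_handle
        return send_address

    def accept(self, contact, send_address):
        self.outbox[contact] = send_address

    def send(self, contact, text):
        self.server.send(self.outbox[contact], text.encode())

    def fetch(self, contact):
        return [m.decode() for m in self.server.receive(self.inbox[contact])]


def connect(a, b):
    """Each side creates a queue for the other: two one-way queues per contact."""
    b.accept(a.name, a.invite(b.name))
    a.accept(b.name, b.invite(a.name))


def demo():
    server = QueueServer()
    alice, bob, carol = (Client(n, server) for n in ("alice", "bob", "carol"))
    connect(alice, bob)
    connect(alice, carol)
    # Bob and Carol write while Alice is offline; the server holds the messages.
    bob.send("alice", "hi alice")
    bob.send("alice", "are you there?")
    carol.send("alice", "lunch?")
    # Alice comes online and drains each contact's queue separately.
    return {
        "from_bob": alice.fetch("bob"),
        "from_carol": alice.fetch("carol"),
        "second_fetch": alice.fetch("bob"),
        # Two contacts -> four one-way queues; nothing on the server names a user.
        "queue_count": len(server.observed_addresses()),
        "names_visible": any("alice" in a for a in server.observed_addresses()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that each contact pair gets its own pair of queues: a server operator looking at the four addresses cannot tell that two of them belong to the same person, which is the property the text above describes as having no user names to identify users.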
TwinMe uses proven TLS encryption to make a direct peer to peer connection between devices. The only server involved is a signaling server that helps devices find each other so they can connect. Messages are sent directly from device to device without going through a server.
There is no information needed to sign up; you don't have an account at all, just an ID on your device that is randomly generated. Connecting with others is accomplished by sharing your device ID. This does mean that if you change devices your old ID will no longer work, and you will need to send the ID of your new device to any contacts you have made and reconnect with them.
Briar is a peer to peer secure messenger that uses the Tor network for connecting devices. Each Briar device has a unique onion address on the Tor network and there are no servers (besides the standard Tor infrastructure) needed to connect to other Briar users. The app has fewer features than many messengers and is only available for Android but if you need secure communications this will provide that without unnecessary frills.
OnionShare is a chat server that runs over the Tor network. It is very easy to start a new chat server on any Linux, MacOS or Windows home PC. Using the Tor network provides all the privacy and security features of Tor. The Tor Browser is used as a client to connect to the server. This system is great for creating a chat session to use at a specific time when all participants can be online.
Convene is built by the Guardian Project. It is a messenger that uses the Matrix protocol, but you can sign up anonymously to use it. It is very easy to send someone a link to a room that you created and have them join the room without needing to provide any identifying information. This makes it perfect for creating ad-hoc rooms to use for quick exchange of sensitive information. You can create a password for your account to use to log in again later with the same ID, or use the account once then disconnect and never use it again.
Session runs on top of the onion routing network Lokinet to provide a decentralized messaging system. It uses the Signal protocol for end to end message encryption. This is a new project, so it is still considered experimental and there will be bugs in the apps. However, in testing the app it has been overall a great experience and I think it is one of the best prospects for becoming an official recommendation on my list.
Columns are grouped into the 4 categories, each followed by its Total score: Privacy of Messages (EM, FP, DL, DR, PFS), Privacy of Identity (ID, EP, NT), Integrity of the System (Au, CV, GC, KC) and Resistance to Disruption (PD, OS, SH, NP).

App | EM Ephemeral messages | FP Foolproof | DL No data leaks | DR Data not recoverable | PFS Perfect Forward Secrecy | Total | ID ID doesn't have personal info | EP Does not require email/phone | NT No trackers | Total | Au Audits done | CV Contact Verification | GC Good Country | KC Key Change Alerts | Total | PD P2P or Decentralized | OS Open Source | SH Self Hosted | NP Number of platforms | Total
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
Signal | ✔ | ✔ | ✔ | ✔ | ✔ | 4 | ✔ | 2 | ✔ | ✔ | ✔ | 3 | Client | 2 | 2 | |||||
Molly | ✔ | ✔ | ✔ | ✔ | ✔ | 4 | ✔ | 2 | ✔ | ✔ | ✔ | 3 | Client | 1 | 2 | |||||
Threema | ✔ | ✔ | ✔ | ✔ | 3 | ✔ | ✔ | ✔ | 4 | ✔ | ✔ | ✔ | N/A | 4 | Client | 2 | 2 | |||
BBMe | ✔ | ✔ | ✔ | 3 | ✔ | 2 | ✔ | ✔ | 3 | 4 | 1 | |||||||||
SimpleX Chat | ✔ | ✔ | ✔ | ✔ | ✔ | 4 | ✔ | ✔ | ✔ | 4 | ✔ | ✔ | ✔ | N/A | 4 | ✔ | ✔ | ✔ | 5 | 4 |
TwinMe | ✔ | ✔ | ✔ | ✔ | 3 | ✔ | ✔ | ✔ | 4 | N/A | 2 | ✔ | 2 | 2 | ||||||
Briar Project | ✔ | ✔ | ✔ | ✔ | ✔ | 4 | ✔ | ✔ | ✔ | 4 | ✔ | ✔ | ✔ | N/A | 4 | ✔ | ✔ | ✔ | 1 | 4 |
OnionShare | ✔ | ✔ | ✔ | ✔ | ✔ | 4 | ✔ | ✔ | ✔ | 4 | ✔ | N/A | 2 | ✔ | ✔ | ✔ | Many | 4 | ||
Convene | ✔ | ✔ | ✔ | ✔ | ✔ | 4 | ✔ | ✔ | ✔ | 4 | ✔ | N/A | 2 | ✔ | ✔ | All (web) | 3 | |||
Session | ✔ | ✔ | ✔ | ✔ | 3 | ✔ | ✔ | ✔ | 4 | ✔ | ✔ | ✔ | N/A | 4 | ✔ | ✔ | 5 | 3 | ||
Snikket (XMPP) | ✔ | 2 | ✔ | ✔ | ✔ | 4 | ✔ | ✔ | 3 | ✔ | ✔ | ✔ | All | 4 | ||||||
December 2018: Recently there have been some troubling laws passed and articles written in the UK and Australia (part of the 5 eyes countries) that may cause issues with trust in applications developed in those countries. Both countries now seem to be pushing for backdoor access for government surveillance to be built into secure messaging applications. Not only will this weaken or break End to End security, but apps that are not open source from those countries may no longer be trusted and may be used for a mass surveillance program. Here are some recent articles.
Principles for a More Informed Exceptional Access Debate
In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call. The service provider usually controls the identity system and so really decides who’s who and which devices are involved - they’re usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication. This sort of solution seems to be no more intrusive than the virtual crocodile clips that our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions and certainly doesn’t give any government power they shouldn’t have.
We’re not talking about weakening encryption or defeating the end-to-end nature of the service. In a solution like this, we’re normally talking about suppressing a notification on a target’s device, and only on the device of the target and possibly those they communicate with. That’s a very different proposition to discuss and you don’t even have to touch the encryption.
-Ian Levy is the technical director of the National Cyber Security Centre, a part of GCHQ.
-Crispin Robinson is the technical director for cryptanalysis at GCHQ.
The new law, which has been pushed for since at least 2017, requires that companies provide a way to get at encrypted communications and data via a warrant process. It also imposes fines of up to A$10 million for companies that do not comply and A$50,000 for individuals who do not comply. In short, the law thwarts (or at least tries to thwart) strong encryption.
Companies who receive one of these warrants have the option of either complying with the government or waiting for a court order. However, by default, the orders are secret, so companies would not be able to tell the public that they had received one.