Header image borrowed from Open Whisper Systems

Motivation

With mobile security getting more and more important and GPG being broken, there is a high demand for secure messaging apps. What I want to achieve with this post is, on the one hand, to give you an idea of what to look out for when choosing your messenger, and on the other hand to give you my personal current (07/2015) advice on which messenger to use in which scenario.

Criteria

Availability:

Price, Supported Devices, Web-Interface

If the app is too pricey, or simply not available for your devices, you can't use it. Furthermore it is convenient if the service offers a web interface, so you can type messages with a proper keyboard on a bigger screen. (Maybe even replace email with this?)

Security:

Algorithms, OpenSource, Audits, Contact-Verification

To me the specific implementation (in terms of the algorithms used) isn't as important as the company's attitude towards security. Of course the algorithms used should be current and solid. Always favor protocols that have been around for a while, don't trust self-made solutions that much, and if the company is confident in its crypto, it should be open source.
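The "Contact-Verification" criterion listed above (and the "Identity-Verification" entries in the per-app tables) comes down to one mechanism: each user's long-term public key is reduced to a short fingerprint that the two people compare through a channel the server does not control. The following is an added example, not code from this post or from any of the four apps. It assumes a stand-in key of 32 random bytes and its own fingerprint encoding (SHA-256 reduced to 30 decimal digits in groups of five); the real apps use their own formats.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed stand-in for a long-term identity public key. The apps compared
# here use real Curve25519 / NaCl keys; 32 random bytes suffice to show the idea.
KEY_BYTES = 32
FINGERPRINT_DIGITS = 30  # our own choice (assumption), not any app's format


def make_identity_key() -> bytes:
    """Pretend key generation: random bytes instead of an actual key pair."""
    return secrets.token_bytes(KEY_BYTES)


def fingerprint(public_key: bytes, digits: int = FINGERPRINT_DIGITS) -> str:
    """Derive a human-comparable fingerprint from a public key.

    SHA-256 of the key, reduced to a fixed number of decimal digits and split
    into groups of five, so two people can read it aloud over a call or
    compare it on screen.
    """
    digest = hashlib.sha256(public_key).digest()
    value = int.from_bytes(digest, "big") % (10 ** digits)
    text = f"{value:0{digits}d}"
    return " ".join(text[i:i + 5] for i in range(0, digits, 5))


def keys_match(out_of_band_fingerprint: str, received_key: bytes) -> bool:
    """True if the key the service handed us matches the fingerprint we got
    through another channel (in person, phone call, scanned QR code)."""
    return hmac.compare_digest(out_of_band_fingerprint, fingerprint(received_key))


def demo() -> tuple[bool, bool]:
    """Two cases: the genuine key and a key substituted on the way to us.

    Both keys arrive through the same server, so without the out-of-band
    comparison the client has no way to tell them apart.
    """
    alice_key = make_identity_key()
    substituted_key = make_identity_key()  # constructed: some other key
    # Alice read this fingerprint to Bob in person (or Bob scanned her QR code).
    out_of_band = fingerprint(alice_key)
    genuine = keys_match(out_of_band, alice_key)
    tampered = keys_match(out_of_band, substituted_key)
    return genuine, tampered


if __name__ == "__main__":
    print("genuine accepted, substituted accepted:", demo())  # (True, False)
```

An app that lists "Identity-Verification: Not implemented" never shows the user anything like `out_of_band`, so a swapped key goes unnoticed; that is why the criterion carries weight independent of how strong the algorithms are.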

Features:

Contact-Sync, Login-Requirements, Groupchats, Attachments

This is mainly about convenience. Some features might be necessary in some circumstances. Attachments should be the standard, but most of the time you won't really need polls for your messaging app.

Testcandidates

I've chosen the most popular services for this post, as you'll probably have to choose between those (simply because they are more widely available).

  1. WhatsApp
  2. Telegram
  3. Threema
  4. Textsecure

Conclusion

(For a more detailed comparison, please see below)

In the following I want to highlight some key aspects of (1) the criteria I talked about and (2) the services themselves.

The Price of most of the services is pretty low. Some are free, some use in-app purchases, some cost a few bucks. Most of the time Availability is more of an issue, as some apps are only usable on a small set of devices.

All but TextSecure run on many devices, and most offer a web interface.

In terms of Security, Threema is based on an existing crypto library, Telegram uses a self-created protocol, and WhatsApp and TextSecure use the same protocol. The only service that's completely Open Source is TextSecure. Telegram has the client source available, but not the server, and Threema and WhatsApp are completely proprietary.

Only TextSecure offers a completely open service. Telegram opened at least some code to the public.

The Features are not that different from client to client. For the basics, every client has you covered. For anything else you could/should simply use another service ...

All but Threema require the telephone number for the account. If you're looking for anything fancy, use another app.

Public Opinion

The EFF Messaging Scoreboard ranks Telegram 4/7 (7/7 for its "private messages"), TextSecure 7/7, Threema 5/7 and WhatsApp 2/7. Look at their site to figure out what that means, but their ranking is reliable.

After many privacy and security concerns, WhatsApp cooperated with Open Whisper Systems to implement their algorithm. In general they are very opaque and have had many, many incidents involving privacy and security issues.

In Telegram the messages are stored in plain text on the phone, and many don't trust the protocol they created. It's based on an already broken algorithm. The service ranked 7/7 on EFF, but only when sending "private messages", which for some reason is not the default. Furthermore, Telegram's hack challenges put it in a pretty bad light.

Threema ranks pretty well overall, but is completely closed source and costs 2 $ once. It scored 5/7 on EFF, as the code is closed and there haven't been any audits of it.

Available to the smallest number of users is TextSecure. But it's completely Open Source and scored best on EFF. It is commended by Edward Snowden and has won many prizes for its Open Source standard.

My Opinion

Based on the criteria, this is the order in which I'd currently use them in general:

1. TextSecure
2. Telegram
3. Threema
4. WhatsApp

If possible, I'd go with TextSecure. The company has the right attitude, it's easy to use and imho the safest service.

Telegram comes next, as it's at least partly open source, so you know what you get. I wouldn't trust them in the worst case though, as their crypto might be fundamentally broken.

Threema is completely proprietary. It's a complete black box and you have to trust them. I won't.

WhatsApp is still lowest on my list. They don't seem to care about your privacy or security.

WhatsApp

Statistics
  • Users: More than 80 Million Active Users.
  • WhatsApp has been owned by Facebook since 02/2014.
Availability
  • Price: 1 $ per year.
  • Supported Devices: Almost every smartphone from the past few years can run it.
  • Cross-Platform communication, and a full fledged web-interface.
Security
  • Protocol: Customized Version of XMPP
  • Algorithms: Open Whisper Systems Encryption Protocol
  • Source-Code: Closed Source. No one ever verified if / how the algorithms are implemented.
  • Audits: April 2015, Heise Security: Android-to-Android encryption seems to work, but users don't get any feedback.
  • Identity-Verification: Not implemented.
Features
  • Login: Requires telephone number.
  • Contact-Sync: Yes.
  • Online-Status: Yes, but trackable.
  • Groupchats: Yes.
  • Attachments: Pretty much anything possible.

Telegram

Statistics
  • Users: Claims 50 Million active users.
  • Telegram is run by a German Non-Profit Organization.
Availability
  • Price: free
  • Supported Devices: Pretty much every smartphone and desktop system is supported.
Security
  • Protocol: Self-created MTProto protocol.
  • Algorithms: 256-bit symmetric AES, RSA 2048, Diffie-Hellman key exchange.
  • Source-Code: Client is Open Source, Server is Closed Source.
  • Audits: Telegram hosts "Hack-Challenges", rewarding those who find issues.
  • Identity-Verification: Not implemented.
Features
  • Login: Account is bound to a phone number.
  • Contact-Sync: Automatically.
  • Online-Status: Yes, can be disabled.
  • Groupchats: Yes.
  • Attachments: Yes, up to 1.5GB encrypted.

Threema

Statistics
  • Users: Bought 3.5 Million times.
  • Threema is owned by a company located in Switzerland.
Availability
  • Price: 2 $
  • Supported Devices: Most Android/iOS/WinPhone smartphones from the last few years.
Security
  • Protocol: Based on NaCl library.
  • Algorithms: 256-bit ECC (comparable in strength to 3072-bit RSA).
  • Source-Code: Closed Source.
  • Audits: The Company published a paper on how to verify their encryption is secure.
  • Identity-Verification: Yes.
Features
  • Login: Does not require a phone number.
  • Contact-Sync: Yes, Optional.
  • Online-Status: Yes, Optional.
  • Groupchats: Yes.
  • Attachments: Yes.

TextSecure

Statistics
  • Users: About 1 Million installations on the current PlayStore version.
  • TextSecure is owned by a Non-Profit organization.
Availability
  • Price: Free.
  • Supported Devices: Android, iOS 8
Security
  • Protocol: Derivative of OTR.
  • Algorithms: Curve25519, AES-256, HMAC-SHA256, deniability guarantee, PFS, ECC.
  • Source-Code: On Github (Open Source).
  • Audits: Several independent audits as the code is open source.
  • Identity-Verification: Yes.
Features
  • Login: Requires Phone Number.
  • Contact-Sync: Yes.
  • Online-Status: No.
  • Groupchats: Yes.
  • Attachments: Yes.
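The "PFS" and "deniability guarantee" entries in the TextSecure table describe properties of the protocol rather than algorithms, and the mechanism behind both is a key ratchet: every message gets a one-time key derived from a chain key, and the chain key is then replaced with a one-way derivation of itself. The following is an added, deliberately simplified illustration of that symmetric hash ratchet, not TextSecure's code: the real protocol also runs a Diffie-Hellman ratchet on Curve25519 and encrypts with AES-256, while this example only authenticates with HMAC-SHA256 from the standard library. The labels 0x01/0x02 and the shared secret are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed labels for the two HMAC derivations (assumption, our own choice).
MESSAGE_KEY_LABEL = b"\x01"
CHAIN_KEY_LABEL = b"\x02"


def kdf_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Return (message_key, next_chain_key) for one ratchet step.

    HMAC-SHA256 is one-way, so someone who later learns next_chain_key cannot
    recover chain_key or message_key. Once a device overwrites its chain key,
    the keys of earlier messages are gone: that is the forward-secrecy (PFS)
    property.
    """
    message_key = hmac.new(chain_key, MESSAGE_KEY_LABEL, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_LABEL, hashlib.sha256).digest()
    return message_key, next_chain_key


class RatchetSession:
    """One side of a session; both sides start from the same shared key."""

    def __init__(self, shared_key: bytes) -> None:
        self.chain_key = shared_key
        self.counter = 0

    def next_message_key(self) -> tuple[int, bytes]:
        """Advance the chain and return (message number, one-time message key).
        The previous chain key is overwritten, not kept."""
        message_key, self.chain_key = kdf_step(self.chain_key)
        number = self.counter
        self.counter += 1
        return number, message_key


def authenticate(message_key: bytes, plaintext: bytes) -> bytes:
    """HMAC-SHA256 tag over the message under its one-time key."""
    return hmac.new(message_key, plaintext, hashlib.sha256).digest()


def verify(message_key: bytes, plaintext: bytes, tag: bytes) -> bool:
    """Constant-time tag check.

    Both parties hold the same message key, so a valid tag convinces only the
    peer and proves nothing to a third party: the deniability property.
    """
    return hmac.compare_digest(authenticate(message_key, plaintext), tag)


def demo() -> tuple[list[bool], bool]:
    shared = hashlib.sha256(b"constructed shared secret").digest()  # constructed
    alice, bob = RatchetSession(shared), RatchetSession(shared)

    # Alice sends two messages, each authenticated with a fresh message key.
    sent = []
    for text in (b"first message", b"second message"):
        _, key = alice.next_message_key()
        sent.append((text, authenticate(key, text)))

    # Bob walks the same chain and verifies each message in order.
    verified = []
    for text, tag in sent:
        _, key = bob.next_message_key()
        verified.append(verify(key, text, tag))

    # Alice's *current* chain key only yields keys for messages not yet sent.
    # The key for the first message came from a chain key that no longer
    # exists on either device, so the current state cannot check (or forge)
    # that earlier message.
    future_key, _ = kdf_step(alice.chain_key)
    first_text, first_tag = sent[0]
    old_message_checkable = verify(future_key, first_text, first_tag)
    return verified, old_message_checkable


if __name__ == "__main__":
    print(demo())  # ([True, True], False)
```

The point to take from the `demo` function is the asymmetry: the two devices stay in sync because they derive identical chains from the same start, yet neither keeps anything from which an earlier message key could be recomputed.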