While there are a number of messaging apps from which to choose, only a dozen or so have marketplace gravitas. The best-known and most-utilized are usually the ones that come with your smartphone: the Google, Samsung, and Apple Messages apps, the Facebook Messengers, and the Whatsapps of the world. Most people don’t even think about their messaging app — they take it for granted and simply check notifications regularly.
But there are differences between them, and the most important ones involve security, because all messaging is speedy and virtually instantaneous. Is it possible for hackers to break into your connected device through a vulnerability in the messaging app? You bet it’s possible, and break-ins there are more common than you might think.
For example, we’ve probably all received phony messages purportedly from a friend containing a link to a video (“I think you’re seen in this video … check this out!”). Woe to those who fall for this ruse. So security and encryption of messages is a serious consideration when it comes to messaging, which is far and away the favored method of communicating among Millennials, Gen Z folks, and younger.
Below, we discuss only messaging apps that use (or can optionally use) end-to-end encryption (E2EE), a method of encrypting data that only allows the sender and receiver of the message to decrypt and read messages passed between them. More importantly, encryption prevents apps from storing copies of your messages on their servers.
Please know that end-to-end encryption is not a security panacea that will protect you from surveillance. Even if you use a secure messaging app, an unsecured device can enable anyone to access your messages. The best way to protect your messaging apps is with a separate password or use of biometrics (face, fingerprint, iris) on your device.
We’ve identified 10 of the most secure (and most utilized) messaging applications available.
Supports RCS by default
Compatible operating systems: Android, Windows
Price: Free (Google Messages currently comes with Android devices not made by Samsung)
Security: Knox Security (Samsung); standard device security (Google)
It’s easy to get Samsung Messages and Google Messages confused, because they populate Android phones used the world over. Samsung Messages, included only on Samsung phones, has an interface that might be a little easier to use. However, the main advantage of Google Messages is the availability of RCS (rich communication services) by default, no matter where you live or which carrier you use. You can have RCS with Samsung messages, but only if your carrier supports it. All Verizon plans, for example, will adopt Google Messages and support RCS by 2022.
RCS is a next-generation SMS (short messaging service) protocol that upgrades standard text messaging. Features include payments, high-res photo/file sharing, location sharing, video calls, and others that are delivered to a device’s default messaging app. Knox’s E2EE security protocol, with its military-grade encryption, is a major advantage for users of Samsung Messages.
Key features/attributes
- By default, both Messages provide end-to-end encryption for all voice calls, video calls, and instant messages.
- Both Messages are built from open source code, which means security is vetted regularly by cybersecurity experts. This technology has been adopted by other messaging services, including WhatsApp and Skype.
- Google Messages shows one line of text preview, while Samsung Messages shows two lines.
View Now at Google
Best all-around bet
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free
Signal is probably the best all-around bet when it comes to reach, security, and privacy-enabled features. However, it lacks the usership of the Messages and Messenger apps because it is not a pre-loaded default app inside phones. Formerly called RedPhone, Signal has become a favorite of the infosec community since its release seven years ago, but it also has grown in popularity among ordinary users. It still has nowhere near the same number of active users as those noted above, however.
Key features/attributes
- By default, Signal provides E2EE for all voice calls, video calls, and instant messages; it uses its own protocol.
- This technology is 100% open source, which means its security is vetted by cybersecurity experts and its technology has been adopted by other messaging services like WhatsApp and Skype.
- To verify that your conversation with another person is private, each Signal conversation has a unique device safety number to verify the security of your messages and calls with specific contacts. This is especially useful for preventing man-in-the-middle attacks — if a safety number changes more frequently than you’d expect for someone switching devices or reinstalling Signal, for instance, it may indicate that something is awry.
- Signal also allows you to secure the app with a password so you can protect your messages if they fall into the wrong hands. There is also an option to send self-destructing messages.
View Now at Signal
Used only on Apple devices
Compatible operating systems: MacOS, iOS
Price: Free (on Apple devices)
Apple Messages is used only on Apple devices, but it is exemplary when it comes to security features. In addition to offering end-to-end encryption between users, Apple Messages allows users to control how long the message stays up and how many times the recipient can view the message (although this feature is only available to those who have iOS 10 and above).
Regardless of which Apple device you’re using, whether it’s iOS, watchOS, or iPadOS, your messages are end-to-end encrypted and cannot be accessed without a passcode. Users of Apple’s FaceTime can also rest easy knowing that their video calls are also E2EE-empowered.
Key features/attributes
- Messages is only available on Apple devices, meaning any message you send via Messages to a non-Apple device will not be encrypted. One major security loophole is the option to back up your messages to iCloud. On the cloud, messages are encrypted by keys controlled by Apple, meaning that if your iCloud were ever hacked or subpoenaed, those messages could be revealed.
- Apple CEO Tim Cook has said that Apple “believe(s) that privacy is a fundamental human right,” and at least in its Messages and Facetime apps it appears to take this commitment seriously. Just avoid storing your messages on web-based platforms such as iCloud — toggle off messages in settings so they’re not stored on the cloud.
View Now at Apple Messages
Ownership by Facebook is worrisome
Compatible operating systems: Windows, MacOS, Android, iOS, KaiOS
Price: Free
WhatsApp may be used by more people than many of the above apps, but its ownership by Facebook is worrisome. The founders of WhatsApp in 2009 originally intended it for people to publish status updates, similar to Facebook’s statuses. It was the messaging feature, however, that sold the app to Facebook, which bought it in 2014. WhatsApp is encrypted end-to-end, but its ownership continues to raise concerns about how it could be used in the future.
Key features/attributes
- Security-wise, WhatsApp’s default E2EE enhances its privacy and security from malicious actors. Security issues have cropped up in the past, but if cybercriminals breached WhatsApp today, they couldn’t decrypt your conversations.
- It also has what may now be considered standard features, such as video calling, voice messaging, and file sharing.
View Now at WhatsApp
Similar in functionality to Whatsapp
Compatible operating systems: Windows, MacOS, Android, iOS, KaiOS
Price: Free
Facebook Messenger is similar in functionality to Whatsapp, but again, with Facebook as the owner, users need to be aware of potential privacy issues. Facebook Messenger only connects with other Facebook Messenger users. Users of Facebook Messenger need to intentionally opt-in to its E2EE encryption if they want to better secure the app. Because it is automatically attached to every Facebook account, that means there are at least 2.3 billion apps out there — whether or not they’re being utilized.
Key features/attributes
- Security-wise, Facebook Messenger’s default E2EE guards message privacy from malicious actors.
- If cybercriminals try to infiltrate Facebook Messenger today, they couldn’t decrypt your conversations. It also has standard features such as video calling, voice messaging, and file sharing.
View Now at Facebook Messenger
Useful for corresponding with people in other countries
Compatible operating systems: Windows, MacOS, Android, iOS, HarmonyOS
Price: Free
Viber is especially useful for corresponding with people in other countries, since it uses the internet for calls and messages. It’s a great tool for when you’re traveling abroad, or if you make a lot of international calls. Viber is also an excellent forum for simple chatting. While it has some limitations, it is user-friendly. Viber claims to have about 260 million monthly active users and is primarily positioned as a competitor to the less-secure Skype on mobile. It has enabled end-to-end encryption since 2016, so it’s been ahead of the pack for a while.
Key features/attributes
- Viber is very user-friendly.
- The app has E2EE on all its available platforms (Mac, Windows, iOS, and Android) and also color codes chats based on how secure they are: Gray indicates encrypted communication, green denotes an encrypted communication with a trusted contact, and red means the authentication key has an issue.
- Viber also supports self-destructing messages in its secret-chats feature.
- Viber only supports E2EE for one-on-one chats — group chats are not offered the same level of security as individual conversations.
View Now at Viber
Free version of the Wickr app allows up to 10 users
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free (optional: $25/month for an enterprise account)
Started up by Silicon Valley-based privacy and security advocates in 2012, Wickr was one of the first messaging apps to adopt end-to-end encryption (E2EE). Messages are automatically encrypted, and the company undergoes regular security audits. Starting in 2017, Wickr went open source, which enables the worldwide open source community to help improve security.
The free version of the Wickr app allows up to 10 users, and there are three paid tiers that charge up to $25 per month and have no user limit. Among its security attributes are screenshot detection, blocking third-party keyboards on iOS, and ensuring that any deleted files are unrecoverable.
Key features/attributes
- Wickr’s free and paid versions have excellent security features, such as self-destructing messages, content shredding, and an inability to take screenshots (on Android only).
- Wickr doesn’t have nearly as many users as Messenger and Messages, WhatsApp, and Signal, so you can be picky with whom you converse.
- The messages are also bound to both your account and your device, and the app won’t sync your messages across devices. That could amount to multiple separate conversations with your contacts — which makes it seems like they’ve made the app secure to a fault.
View Now at Wickr
Two layers of secure encryption
Compatible operating systems: Windows, MacOS, Linux, Android, iOS
Price: Free
A key feature of Telegram is that it provides its users with two layers of secure encryption. Both private and group cloud chats support server-to-client encryption, while secret chats benefit from client-to-client encryption. In both instances, messages are encrypted. Telegram has recently gained popularity for organizing protests largely because it allows large chat groups of up to 10,000 members. This has in turn drawn the attention of state actors.
Key features/attributes
- The app gives you the option to encrypt messages, which you can enable as Secret Chats to encrypt them. When enabled, you can set messages to self-destruct across all your devices automatically or at a set time.
- If you don’t encrypt your chat, then your data is stored on Telegram’s servers, which puts the security of your messages at risk.
- Telegram also does not have E2EE by default — you’ll need to use its Secret Chats feature to enable it.
View Now at Telegram
Open-source and collaborative messaging app
Compatible OSes: Windows, MacOS, Linux, Android, iOS
Price: Free (optional: $9.50/month for an enterprise account)
Wire Personal is a secure open-source and collaborative messaging app that has both a free version and plenty of useful features: Fully encrypted video calls, secure file sharing, synced messages between devices, and others. Wire also offers a paid corporate subscription plan.
Key features/attributes
Wire uses embedded E2EE, and it offers the same level of encryption for video calls. It is open source-based, and if you want the convenience, you can transfer your messages across any device into which you’re signed. It also has self-destructing messages, session verification to make sure you’re talking to the right person, and a password lock.
View Now at Wire
What are some messaging apps that do not embed E2EE security by default?
- Snapchat (has E2EE for photos and videos)
- Google Hangouts
- Line (opt-in E2EE)
- Skype (opt-in E2EE)
- Telegram (opt-in E2EE)
Does IM content qualify as a federal record?
The statutory definition of records (44 U.S.C. 3301) includes all machine-readable materials made or received by an agency of the US Government under federal law or in connection with the transaction of public business. Agencies that allow IM traffic on their networks must recognize that such content may be a federal record under that definition and must manage the records accordingly. The ephemeral nature of IM heightens the need for users to be aware that they may be creating records using this application, and to properly manage and preserve record content. Agency records management staff determine the record status of the IM content based on the overall records management policies and practices of their agency.
What are the current best practices for capturing IM content?
Nearly all IM client software has the ability to capture the content as either a plain text file or in a format native to that client. Generally, the location and maximum size of that file are determined by a configuration setting in the client. DoD 5015.2 certified applications have the ability to capture and manage records in any electronic format. Such formats include those files produced by the various IM clients.
In addition, various IM management products have the ability to address the monitoring and management of IM content, either from those clients that are part of the agency’s enterprise or the various public clients. Generally, these products operate at the server level and should be able to capture IM sessions regardless of the configuration of the individual client.
Determining which solution is appropriate for your agency involves collaboration among the program staff, the information technology (IT) staff, the records management staff, and NARA.
Source: Networking - zdnet.com
