Freedom of speech is a cornerstone of the modern world, but its slow degradation can be tough to notice. Some have fallen back on the "If I'm doing nothing wrong, it doesn't matter" approach, but that antiquated rhetoric is quickly fading. If people don't take active measures to protect their own communication, we all know that corporations and governments will gladly vacuum our data up and utilize it for their own causes. Once people come to that realization, their logical next question is "how can we actually have secure chat?" While it will be nice to live in a time where the public is familiar with concepts like "key based authentication" and "cipher suites", that's currently a large ask. Luckily a more obtainable goal is already in users' hands - simply using a secure messaging app.
Secure Chat Goals & Requirements
While defining the specific security goals is obviously technical in nature, we'll start by giving you the factors we're looking for, then we'll give you our top picks, follow with some technical detail, then finish up by giving some operational tips and ways to support the cause. It's also important to note that outside of the design elements, all of our grading factors are based on EFF's "Secure Messaging Scorecard". For those who don't already know, the Electronic Frontier Foundation is a talented team of tech evangelists that have been defending your rights behind the scenes for years. While no one group should ever be considered "definitive", the EFF is certainly the closest thing to it in matters of tech and privacy. With that in mind, the primary technical aspects we're looking for are strong end-to-end encryption, correspondent verification, source design and documentation, recent auditing, and forward secrecy. Secondary factors are developer history, functional add-ons, and usability. Offering the public encrypted chat is an important step in protecting our collective privacy and these are the apps we believe will help us start fighting back!
Top 8 Secure Messaging Apps
All of these offerings give users massively improved security, feature end to end encryption, and are engineered brilliantly, but don't make this a "one click decision". We'll give you a little detail on each private messaging app, then try to narrow down the best target audience for each. Since security is an ever evolving field we will work to keep our info up to date, but if you have current information you believe is not reflected, please message us on social media and we'll update selections accordingly. With all of that said - Here are our top choices.
Signal - Private Messaging App
Signal is a solid messaging application with an eye on simplicity, from the team at Open Whisper Systems. This app offers secure messaging, group messaging, voice calls, file attachments, and even video chats. The Signal Protocol (formerly known as Axolotl) encryption approach is a thing of beauty and provides the backbone to more than one secure messaging app on this list. Signal avoids any paid options or ads due to the largely grant funded staff, with a little public development to supplement the open source code. The final product is so impressive that behemoths like Google, Facebook, & WhatsApp are tying it into offerings. Signal pulls contacts from your device's internal address book and pushes all data through their brilliantly engineered end-to-end encryption. The minimally designed interface adds a comforting level of simplicity that really belies the insane security measures baked in. Highly recommended.
ChatSecure - Encrypted Chat
ChatSecure is a free open-sourced offering that allows secure text, files, photos, videos, audio, and a few unique options that deserve some acclaim. The interface is clean and minimal, but the security measures are far from it. The app currently offers "Off the Record" encryption with an Ed25519 key that passes through XMPP with accompanying TLS certificates, but there are plans to move to an OMEMO approach in the near future (that enough acronyms for ya!?). As if all those measures weren't enough, Android users can even pass their connection through Tor to anonymize a connection further. The amount of deep customizability is impressive; with a couple of steps you can port your connection through a private server or run it with another XMPP application on your desktop. New users should find the basic options more than sufficient, but tinkerers will love the expandability ChatSecure allows.
Wickr Messenger - Encrypted Text App
Wickr Messenger is a free encrypted text app with a professional option that has recently made notable strides on the usability side. The app offers private self-destructing messages, photos, videos, calls, and an accompanying fully fleshed-out desktop application. The core runs industry standard end-to-end encryption with AES256, automatically strips attachment metadata, multi-salts user info with SHA256, and while not open source, is reviewable and audited quarterly. They've also publicly offered a $100k bug bounty for developers looking to test their chops. While leaning towards the business professional, any user will find Wickr's functionality to be surprisingly intuitive. The forensic "shredder" and expiration inclusions are both additions that make a lot of sense from a usability standpoint. All in all - a great build.
Silent Phone - Secure Messaging
Silent Phone is a well-constructed secure messaging offering from Silent Circle. It is notably the only inclusion with a monthly fee and a proprietary "ZRTP" approach. Silent allows secure messaging, group messaging, voice calls, file attachments, and video chat seamlessly through industry leading end-to-end encryption. Engineering has ticked all the EFF boxes including the addition of self-destructing messaging and file transfers. Enterprise users will especially love their own smartphone "The Blackphone" and their "Silent Manager" which allows independent management control of multiple devices. Silent Phone itself is an impressive application and should be towards the front of the list of any user considering integration into their business operations.
WhatsApp - Secure Messaging App
WhatsApp made tons of waves when recently purchased, but deserves even more acclaim for introducing much of the general public to the concept of secure communication. After working with Open Whisper Systems in 2014, WhatsApp now offers end-to-end encryption through that impressive Signal Protocol and includes a new user verification code feature that tightens things even further. While new ownership could make some users skeptical, their code remains open-source and public versions are available on iPhone, BlackBerry, Windows Phone, Android and Nokia. The market share alone makes them a contender, but their frequent updates, approachability, massive development team, solid UX, and recent additions keep them towards the front of the pack.
Telegram - Encrypted Chat
Telegram Messenger is a well-constructed encrypted chat app with an open API & protocol and a goal to open source everything soon. The messenger itself looks like any other local app, but the additions from this cloud based option are vast. The accompanying desktop application makes this a great option for users looking to use both platforms frequently, and the inclusion of cloud based storage shows that Telegram is looking to become more of a secure platform. While this may be a difficult task, the infrastructure is all there and backed by industry standard AES256 end-to-end encryption. Their funding from the Digital Fortress Fund allows them a little freedom from hunting profits and if Telegram Messenger swings back to improving security implementations just a touch, it will remain on top. Their offerings are impressive, their goal is to remain "free forever", and the future of the platform looks particularly bright.
Threema - Secure Messaging
Threema offers mobile secure messaging and the ability to transmit any files you could possibly need. The app features end-to-end encryption, meets almost every EFF security suggestion, and offers the ability to utilize the app completely anonymously. The company sends a random ID from their home base in Switzerland and no other verification is necessary. The core runs AES256 end-to-end encryption and is very well explained in their security documentation. The app also utilizes QR codes to function as a handshake that confirms user verification. Threema allows text, photos, videos, calls, and file sharing of up to 20MB! The anonymous polling addition adds a nice touch to an overall clean and well designed app.
Surespot - Encrypted Messenger
Surespot Encrypted Messenger goes with the no-frills approach, but certainly doesn't skimp on security engineering. The UX may not be conducive to daily use, but the open source code proves that the 256 bit AES-GCM end-to-end encryption certainly does its job. Like the previous offering, no user information is required at all to get started. Any user needing solid security on occasion will love adding Surespot to their lineup to handle text, image, and voice messages. If a little effort is put into improving overall usability, you'll certainly be looking at one of the top contenders in the market.
Since particular needs are individual, it's important to define your needs. Most usage will exist as a grey area between needs, so we'll try to give you a couple of the best for each. Will you be using it for work or personal? Any casual user should probably consider the debate to be Signal vs ChatSecure. A business enterprise user should really check out the offerings from Silent Phone and Wickr. Folks using secure text on extremely rare occasions should probably weigh out Threema vs Surespot. Do you need the most secure messaging available? You should probably let the shopping battle be Signal vs ChatSecure vs Silent. Would you like the ability of messaging from your computer as well? If you prefer to use multiple platforms, the debate would be Wickr vs Telegram. Curious about our favorites? With all things considered and a particular eye for well designed UX, our in-house favorites have got to be Signal, Wickr, and Telegram. That said - all of the above options should be considered industry leaders and extremely viable options for encrypted chat.
Crucial Security Factors Involved in a Private Messaging App
We briefly mentioned the most important functional factors that went into our selection process earlier, but a little more depth is pretty useful. While security is ever evolving, these should all be considered requirements for any application claiming to be "secure". These are all comprised of EFF mentions, but it should be noted that the EFF reporting speaks more to attempt than execution in its current version (although there is an update dropping soon). We've reviewed white papers and press as a way to double check their progress. We'll certainly include links to more technical concepts, but these are the security factors average users should be mindful of.
- End to End Encryption (E2EE): The most fundamental requirement for secure communication is to prevent eavesdropping or hijacking during transit. While a fair amount of real world issues take place on one end of this communication line, you simply cannot have secure communication without solid End to End Encryption during transmission. All transmission must be encrypted and ideally, the app's developer will not even have access to the key. This removes the possibility of the app's owner accessing messages, which also washes their hands of the process from a legal standpoint. If they don't have access to the encryption key after all, they really have nothing to offer any party that could be asking.
- Verification of Correspondent Identity: Once we have the communication tunnel hardened, it's time to start addressing the ends. In a general sense this means transmitting verification through the connection that both parties approve. In a technical sense this usually means comparing a hash of each other's public keys, but you can also use a quick key exchange protocol (like the beloved Diffie-Hellman) to ensure a proper bind.
- Well Designed & Documented Source Code: Transparency is a fundamental aspect of security. While this may seem contradictory, the basic idea is this - If you allow all the moving parts to be seen, you can rely on the true engine of encryption... Math. While EFF doesn't require the entire application to be accessible (only the communication tools), we find complete transparency to be an important consideration. While the complications this creates are both obvious and difficult to address (in a business sense), this step allows for truly accurate code review. In functional terms, this is the step which prevents potential "back-doors" like the one that puts current iPhone security up in the air. Many of the parties who don't want public use of encryption have largely resigned themselves to the power of math and have instead committed to exploiting this endpoint.
- Recent Security Review & Audit: Technical white-papers are certainly a start, but allowing an independent third party to verify the code in its entirety should be a prerequisite... This is complex stuff after all. While in-house review is permitted for large companies, the ideal would obviously be a completely uninvolved team of industry experts. That point isn't exactly crucial though, because the value here is that you have a team willing to sign off on the review. Just like banks reviewing totals at the end of the day, the approval process puts the responsibility of the app's integrity on a team who knows that their reputation is at stake.
- Offers Forward Secrecy (FS): While you may believe we've walked through the entire application, there is one additional consideration. What happens to existing messages if an element of the integrated protocol later becomes compromised? Tools offering "Perfect Forward Secrecy" utilize session keys to ensure retroactive "transport layer" security. While this addition cannot be 100% bulletproof, the resources needed to decrypt communications would likely require a quantum computer and an active investigation. If you find yourself at this point, you shouldn't be reading this... you should be running.
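As an added illustration of the correspondent verification and forward secrecy items above (not code from any of the listed apps), this Python example compares a public-key fingerprint confirmed out of band and derives per-message keys from a one-way hash chain. The key bytes, the shared secret and the names fingerprint, keys_match and HashRatchet are assumptions made up for the example.

```python
import hashlib
import hmac
import os


def fingerprint(public_key: bytes) -> str:
    """Short, human-comparable digest of a public key (first 128 bits of SHA-256)."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


def keys_match(received_key: bytes, confirmed_fingerprint: str) -> bool:
    """Check the key the app received against the fingerprint confirmed out of band."""
    return hmac.compare_digest(fingerprint(received_key), confirmed_fingerprint)


class HashRatchet:
    """One-way key chain: each message gets a fresh key, then the chain key is replaced."""

    def __init__(self, shared_secret: bytes):
        self._chain_key = shared_secret

    def next_message_key(self) -> bytes:
        message_key = hmac.new(self._chain_key, b"message", hashlib.sha256).digest()
        # Overwrite the chain key so earlier message keys cannot be recomputed.
        self._chain_key = hmac.new(self._chain_key, b"chain", hashlib.sha256).digest()
        return message_key

    def export_state(self) -> bytes:
        # What someone obtains by seizing the device at this moment.
        return self._chain_key


def demo() -> dict:
    # Constructed sample data: random bytes stand in for real public keys.
    alice_key = os.urandom(32)
    substituted_key = os.urandom(32)   # a key swapped in by a third party in transit
    spoken = fingerprint(alice_key)    # Alice confirms this in person or by QR code
    secret = b"constructed secret from a key agreement"
    sender, receiver = HashRatchet(secret), HashRatchet(secret)
    old_keys = [sender.next_message_key() for _ in range(3)]
    in_sync = old_keys == [receiver.next_message_key() for _ in range(3)]
    # Device state captured after message 3 can only be ratcheted forward.
    stolen = HashRatchet(sender.export_state())
    later_keys = [stolen.next_message_key() for _ in range(3)]
    return {
        "genuine_key_accepted": keys_match(alice_key, spoken),
        "substituted_key_accepted": keys_match(substituted_key, spoken),
        "both_ends_derive_same_keys": in_sync,
        "old_keys_recoverable": any(k in later_keys for k in old_keys),
    }


if __name__ == "__main__":
    print(demo())
```

A hash chain on its own protects only earlier messages: whoever holds the current chain key can still derive later ones, so deployed protocols also mix fresh key-agreement output into the chain.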
Operational Considerations to Ensure Secure Messaging
"I use Signal every day. #notesforFBI (Spoiler: they already know)" - Edward Snowden, @Snowden
Average users may find the term "Op-Sec" intimidating, but it's really just the intersection of common sense and technology. If you hand someone your unlocked phone for example, it really undermines the value of sending encrypted texts. While I won't bother to spell out every potential operational concern, there are a few resources those concerned with security should look into. Follow all your basic manufacturer specs for iOS & Android security, make sure you're using a secure VPN if possible (especially when on the road), include a few Android specific security measures if applicable, and follow a few common sense security tips. It may go without saying, but I'd also suggest deactivating your WiFi and Bluetooth and only enabling them as needed. The default iOS setting of joining open WiFi networks for example produces MANY security problems as far as I'm concerned.
Another approach was brought to my attention recently and I found the concept very interesting. Although my intro offered a much fuller picture, the basic idea is - Find out what international terrorists are doing and mimic their operational precautions. If you're looking for a test group that values secure messaging, you'd be hard pressed to find better data. This article by Wired (Security Manual Reveals the OPSEC Advice ISIS Gives Recruits) goes into great detail on the matter and includes an interesting 34-page PDF guide to ISIS operational security. We're certainly not endorsing their particularly vile brand of terrorism, but they do make for an interesting study group (and you don't even need to feel guilty for stealing their ideas).
Providing secure communication to the general public is a difficult job. Besides pushing back against the ever encroaching grasp of the government, it also involves standing against an overwhelming number of large corporations attempting to harvest and capitalize on your data. Any business would find those systematic adversaries a large hurdle, but that's not it. On top of all of that lies a precarious dichotomy: you're trying to provide an insanely complicated (and cost intensive) product that must be adoptable by the masses. Despite that, almost all of the apps we listed are free to the public. So here's our suggestion - if you like the app, simply donate $10-20 to the creators. That's an insanely low cost for such useful functionality, but it can help massively to encourage progress in the field. If you believe in the cause as a whole, support the Electronic Frontier Foundation, WikiLeaks, and / or Edward Snowden's Legal Defense Fund. These folks have jeopardized so much to inform the public and fight for our security, so donating a few dollars is really the least we can all do.
Hopefully this post has helped many of you understand the fundamentals of secure messaging and some of the best encrypted chat apps to get you started. The benefits of secure communication may be difficult to grasp, but it would be very unfortunate if we all choose to learn the value by losing the option. Try these apps, share them with your friends, and give them some social love. These teams and companies are fighting a largely altruistic battle and it's a cause that clearly benefits us all. Thanks for dropping by, feel free to shoot us any pertinent info through social media, and if you've found the information at all useful - Please Share.