There is no lack of lists for the “best” secure messaging apps but we’ve noticed a few things about them: Not all apps on the lists are inherently secure.
For example, most lists include WhatsApp, Telegram and Facebook Messenger because they offer end-to-end encryption (E2EE). They do, but they are not configured by default to be encrypted. Users may not know their messages are not encrypted. So Cyber Protection Magazine decided to produce its own list of what we considered the top five secure messaging apps.
We also noticed that the lists make you scroll through a lot of ads, and through explanations of why they chose certain apps, before you get to see the list. That’s understandable. The publications making the lists stay alive through advertising. So do we, but we hate having our processing power eaten up by ads. So we’re going to give you the list first and then explain why.
Secure messaging apps
Other lists have several qualifiers to place an app high on the list. In most cases, none of the apps has all of the qualifiers but those that have the most go to the top. We selected just five qualifiers that we think are the most important. Those qualifiers are:
- Default E2EE
- Supported over both iOS and Android platforms.
- Open source code
- Free as a basic service
- No advertising
As a reality check, we talked with Gerry Kennedy, CEO of Observatory Holdings, about our requirements. His evaluation is that they fit in well with a concept called Security as a Service. You can hear more about his views at Crucial Tech.
As we mentioned, popular apps like WhatsApp and Telegram promote their encryption features, but they don’t come automatically encrypted, which means the user has to know that in advance and do something about it. Most users don’t even know how to hard reboot their device, so not setting the app to encrypted by default is the same as promoting an unencrypted device altogether.
Apple’s iMessenger is encrypted by default on the device. But since all the messages are stored in iCloud unencrypted, that data is vulnerable if iCloud gets hacked or a government agency gets access to it. That is highly unlikely based on Apple’s security and privacy history, but that one weakness knocked them out of our list.
iOS and Android support
This might seem to be a no-brainer, but we found that several apps that made other lists are either Android only or iOS only. We are OS agnostic and texting is primarily an IoT device norm. It’s nice to have it on desktop as well, but few users enable security settings on their main computers. So we kept desktop/laptop compatibility off the list. It isn’t a deal-breaker, though. Signal can be used on a desktop if you pair your device through the app, but we have found that is easier said than done. Signal is barely desktop compatible and, from a security standpoint, we do not see that as a negative.
Open source might be as important as E2EE. Open-source code is no more secure than proprietary code, but it is easier to see if a hacker has corrupted open-source code than the black box of proprietary code.
Plus, open-source development is much less expensive and easier to maintain for not-for-profit organizations like Signal. Reducing costs makes it more likely that the organizations will provide free products.
That doesn’t mean all open-source messaging apps are provided by not-for-profit organizations. Surespot and Q-municate offer paid-for versions and upgrades.
Basically free and ad free
All of our chosen apps cost nothing to the basic user and we consider that an important aspect. Texting is a preferred form of communication in the 21st century because you can have private conversations in public. We are not against companies making money but in areas with low-income and oppressive regimes, having access to secure communications is becoming a human right.
Signal is absolutely free, but users can make monthly donations of as little as $5 per month. It has grown in popularity because of this and, because of its low operating costs, it can get by with that model. But large groups of users in a specific enterprise are a different story.
That’s why Wire charges enterprises and government agencies $7.65 per user/month for annual payment or $9 per user/month for monthly payment. Enterprise customers also have the option to sign a 2-year contract with a minimum of 50 users.
Linphone is a Linux-based service and is actually less of a messaging app than a VoIP phone system. There is a cost to organizations, which is not publicly available.
Surespot, the product of a small company in Colorado, offers voice and video calls. However, those features require a monthly fee as low as $2.99 per month.
Q-municate also has paid-for versions for organizations larger than 500 people. The parent company, Quickblox, is unique on our list by being HIPAA compliant, so it can be used securely by medical institutions.
Ads negate security
Importantly, however, none of these apps takes advertising. Advertisers want to know what kind of people are seeing their ads and whether those people are seeing the ads. That means user data goes directly to the advertiser. We’ve seen too many instances of data leaks to trust it.
So that’s our list and why we support it. It is not comprehensive. It’s altogether possible we’ve missed something. If you still want to use WhatsApp or Telegram because that’s what everyone else does, have at it.
(Disclosure: CPM founders use Signal, iMessenger and Facebook Messenger with every encryption control employed.)
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.