The 5 Most Secure Messaging Apps

There is no lack of lists for the “best” secure messaging apps but we’ve noticed a few things about them: Not all apps on the lists are inherently secure.

For example, most lists include WhatsApp, Telegram and Facebook Messenger because they offer end-to-end encryption (E2EE). They do, but they are not configured by default to be encrypted. Users may not know their messages are not encrypted. So Cyber Protection Magazine decided to produce its own list of what we considered the top five secure messaging apps.

We also notice that the lists make you scroll through a lot of ads before you get to see the list by explaining why they chose these certain apps. That’s understandable. The publications making the list keep alive through advertising. So do we but we hate having our processing power eaten up by ads. So we’re going to give you then list first and then explain why.

Secure messaging apps

Other lists have several qualifiers to place an app high on the list. In most cases, none of the apps has all of the qualifiers but those that have the most go to the top. We selected just five qualifiers that we think are the most important. Those qualifiers are:

  • Default E2EE
  • Supported over both iOS and Android platforms.
  • Open source code
  • Free as a basic service
  • No advertising

As a reality check, we talked with Gerry Kennedy, CEO of Observatory Holdings about our requirements. His evaluation is that they fit in well with a concept called Security as a Service. You can hear more about his views at Crucial Tech.

Default encryption

As we mentioned, popular apps like WhatsApp and Telegram promote their encryption features, but they don’t come automatically encrypted, which means the user has to know that in advance and do something about it. Most users don’t even know how to hard reboot their device, so not setting the app to encrypted by default is the same as promoting an unencrypted device altogether.

Apple’s iMessenger is encrypted by default on the device. But since all the messages are stored in iCloud unencrypted, that data is vulnerable if iCloud get’s hacked or a government agency gets access to it. That is highly unlikely based on Apple’s security and privacy history, but that one weakness knocked them out of our list.

iOS and Android support

This might seem to be a no-brainer but we found that several apps that made other lists are either Android only or iOS only. We are OS agnostic and texting is primarily an IoT device norm. It’s nice to have it on desktop, as well, but few users enable security settings on their main computers. So we kept desktop/laptop compatibility off the list. It isn’t a deal-breaker, though, Signal can be used on a desktop if you pair your device through the app, but we have found that is easier said than done. Signal is barely desktop compatible and from a security standpoint, we do not see that as a negative.

Open Source

This might be as important EE2E. Open-source code is no more secure than proprietary code, but it is easier to see if a hacker has corrupted open-source code than the black box of proprietary code.

Related:   Is biometric technology secure? Exploring two scenarios

Plus, open-source development is much less expensive and easier to maintain for not-for-profit organizations like Signal. reducing costs makes it more likely that the organizations providing free products.

That doesn’t mean all open-source messaging apps are provided by not-for-profit organizations, Surespot and Q-municate offer paid-for versions and upgrades.

Basically free and ad free

All of our chosen apps cost nothing to the basic user and we consider that an important aspect. Texting is a preferred form of communication in the 21st century because you can have private conversations in public. We are not against companies making money but in areas with low-income and oppressive regimes, having access to secure communications is becoming a human right.

Signal is absolutely free but users can make monthly donations of as little as $5 per month. It has grown in popularity because of this and because of its slow operating costs, it can get by with that model. But large groups of users in a specific enterprise is a different story.

That’s why Wire charges enterprises and government agencies is $7.65 per user/month for annual payment or $9 per user/month for monthly payment. Enterprise customers also have the option to sign a 2-year contract with a minimum of 50 users.

Linphone is a Linux-based service and is actually less of a messaging app than VoIP phone system and there is a cost to organizations, which is not publicly available

Surespot is the product of a small company in Colorado offers voice and video calls. However, those features require a monthly fee as low as $2.99 per month.

Q-municate also has paid for versions for organizations larger than 500 people. The parent company, Quickblox, is unique on our list by being HIPPA compliant, so it can be used securely by medical institutions.

Ads negate security

Importantly, however, is that none of these apps takes advertising. Advertisers want to know what kind of people are seeing their ads and whether those people are seeing the ads. That means user data goes directly to the advertiser. We’ve seen too many instances of data leaks to trust it.

So that’s our list and why we support it. IT is not comprehensive. It’s altogether possible we’ve missed something. If you still want to use WhatsApp or Telegram because that’s what everyone else does, have at it.

(Disclosure: CPM founders use Signal, iMessenger and Facebook Messenger with every encryption control employed.)

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.

8 thoughts on “The 5 Most Secure Messaging Apps

  • In my opinion two services that also fill out the list are Session (slightly more private fork of Signal), and Matrix (federated messanger). Both are available on Android & IOS. Also, the app Briar, while it doesn’t meet the criteria of Android & Apple compatibility, I think it’s the holy grail of security at the cost of being a bit clunky.

    But yeah, great article, always like to see the security of messaging discussed since it’s probably overlooked by a lot of people.

    Reply
    • We considered Session and considered adding them to the list, but since it didn’t support video or voice calls we decided against inclusion. Probably a bad call since that wasn’t on our list of qualifications.
      Matrix completely slipped past our radar. Will probably be included in a revisit next year.

      Reply
  • But what about the Utopia ecosystem?! This is where no one will definitely find your data, all communication is anonymous using the new encryption, which means it is safe.

    Reply
    • Good point, but as far as I know, Utopia is not available on all devices, and these days messengers a mostly used on mobile phones.

      Reply
      • This will likely become a repeating feature in Cyber Protection Magazine and we will consider other offerings each time we visit. Utopia is a new entry into the field that has only been publicly available for a few months. We have had no chance to try it and independent third-party reviews of the service are lacking. The fact that it is primarily an avenue for trading in the Crypton coin, and that coin is currently underwater, it may turn out that Utopia may not last the year. And as Patrick pointed out, it isn’t available on mobile devices yet.

        Reply
      • Yes, we are aware of the new mobile apps and while it is very good to connect from one protonmail account to another, it still isn’t acceptable to financial institutions. Still waiting for some updates, but the marketing claims (“70 million users” and “Largest encrypted service”) are patently false. The latest official numbers are 5-7 million, which gives us pause. That doesn’t mean we will reject them, it just makes it harder to trust what they say.

        Reply

Leave a Reply

Your email address will not be published. Required fields are marked *