Smartphones are still "phones," which means communicating with others is usually a primary use. Ranging from a simple "hi" to a more personal conversation and even sharing passwords, our messages should remain private so that only the intended recipient sees their content. While many apps tout end-to-end encryption, not all apps prioritize security and privacy.
When the world learned that 87 million Facebook users' data was accessible by Cambridge Analytica, we also learned that Facebook Messenger logs calls and texts from Android devices thanks in part to their lack of encryption. This type of data collection should not be accepted — certainly not with a messaging app.
While no app is truly 100% secure and private, by using the apps on our list, your communications will be better guarded against unauthorized entities, whether they are hackers or government agencies. And while you may never specifically need the veil of privacy for your communications, as the Cambridge Analytica showed us all, our data is too precious not to protect.
Our goal was to determine which secure messaging apps provide strong security and protect your privacy. Additionally, we wanted this app to be able to replace your traditional messaging app, whether you use SMS mostly or the many other messengers that exist in both mobile app stores. Based on this goal, we were able to narrow our choices using the following criteria:
- Price: Any cost associated with using the app which can range from the app download price to service costs.
- SMS Messages: The ability to manage SMS text messages within the app. While these messages are unencrypted, there is a convenience to having one app for all your messages, especially when communicating with contacts who don't use the service.
- Send & Receive Media: The app supports the sending and receiving of media such as images, videos, and audio — a must-have for any messaging app these days, encrypted or not.
- Voice Calls: The app allows you to make voice calls which are also encrypted, preventing hackers (and others) from intercepting your telecommunications.
- Voice Conference Calls: Has the ability to make encrypted voice conference calls (or group calls).
- Video Calls: The app allows you to make encrypted video calls, a nice feature when your face is involved.
- Video Conference Calls: The app includes the ability to make encrypted group video calls.
- Max Group Size: The maximum number of members supported by group chat. Unless you tend to chat with over ten people at the same time, this may not be a deciding factor for you.
- Encryption Protocol: The security protocol the service uses that controls how it handles cybersecurity and the privacy of your messages. All are very effective, but if you like one over another, you may want to go with the one you like best.
- Cryptographic Primitives: The algorithms used to derive the key, encrypted data, and conduct hashing. These algorithms are the foundations of how the messaging service protects your communications.
- Perfect Forward Secrecy: If a key is compromised, past messages are also compromised. This is accomplished by allowing each message to generate a unique session key. This new type of key encrypts that message, but can't be used to decrypt previous messages.
- Open Source: Whether or not the service allows its encryption protocol available to the public for review, allowing anyone to view the method that protects their messages. Open source improves security as more eyeballs reviewing the technology leads to faster detection of vulnerabilities and potential bugs. It also protects against unsavory practices such as false statements of security.
- Encryption On by Default: By default, all messages are encrypted. Users need not enable secure messaging in settings or be required to use a certain option.
- 2FA Support: Access to your account can be strengthened using two-factor authentication (2FA) apps. Two-factor authentication makes it so that even if someone knows your password, they won't be able to access your account unless they can also input the one-time password (OTP), which is available either via a 2FA app or sent to you via text messages or email.
- Encrypted Backups: The ability to back up your conversations securely either locally or in the cloud. This way, when you switch phones, you won't lose your messages.
- Metadata Encrypted: Metadata is all information about a message besides its contents. It can reveal a lot about the party involved such as IP address, location, and time of the message, which compromise the privacy of the communication. It's collected by the company to perform its functionality. Ideally, the company should treat it similarly to the content of the message and encrypt it.
- Self-Destructing Messages: Messages can be given a timer that starts once the message is opened by the recipient. After the timer expires, the messages are erased on all devices (both the recipient's and the sender's).
- Sign Up Anonymously: Users can create an account without the need of a real phone number or email address. Including this ability adds further protection to user privacy. Of course, for most of these apps, you could always set up a Google Voice burner number, like you can with Signal, though that doesn't mean anonymity.
- Send Messages Anonymously: The ability to send messages without the server knowing who sent the message. Recently introduced in Signal, this feature makes it so that the platform itself knows even less information about you, thus preserving your privacy.
- Manually Verify Contacts: The ability to manually verify the identity of the person you are communicating with. This can be conducted by physically scanning a QR code on each other's phone or by calling and verifying that who you're chatting with is really who they say they are, effectively connecting their account to their device.
- Alert to Contact Verification Changes: Whenever your friend or family switches devices, the app will alert you that they are using an unverified device. This way, if their device was stolen, you will be informed that communication may, in fact, not reach the intended recipient, and any communications to you may be compromised.
- Screenshot Protection: The ability to be alerted to when the party you are communicating with takes a screenshot of your conversation.
- Message Synchronization: Messages are synced across all platforms — mobile, web, desktop — allowing you quickly start a conversation on one device and finish on another.
- Supported Mobile OSes: Mobile operating systems supported by the app.
- Supported Desktop OSes: Desktop operating systems supported by the app.
- Desktop Browser Support: The app allows for web-based desktop access either via the web or browser extensions.
Our first requirement was that the app must use end-to-end encryption. End-to-end encryption is a system in which the only individuals who can access the content of the data are the sender and the intended receiver. It should be protected so that even the company hosting the software can't access the content. These systems do not contain any methods to conduct surveillance or intercept messages.
We also focused on open source messaging services with a published whitepaper, and those that are subject to an independent security audit. It's one thing for a messaging service to claim they are the "most secure messaging service," but unless we can see it, we don't know. Knowing how your messages are protected is key to a great messaging service and a requirement for our list.
While many apps include this protection, not all enable it by default. For example, the popular app Telegram only encrypts messages that originate in "Secret Chat." Forcing encryption to be "turned on" will be lost on some users, who will believe their messages are protected, when in fact they aren't.
Encrypted messages also require both parties use the same app which means high availability is important for you to make the switch. Therefore, we are only looking at apps which are available on both major mobile operating systems. This, unfortunately, eliminates iMessage, which is limited to just Apple devices.
Since these messages travel the web, it is possible to continue conversations on the desktop. For more privacy-conscious individuals, the desktop (whether Windows, macOS, or Linux) can be a much more secure platform as more security tools are available. Therefore, we added a requirement for desktop support.
Another requirement is that the app has to support locking and PIN or biometric authentication to unlock the app for use. This is helpful if you share devices with someone or let someone borrow your phone for a bit, making sure they cannot gain physical access to your conversations.
Also, you may have noticed that we didn't include one of the most popular messaging apps available, WhatsApp. The messaging app with over 1.2 billion global users has so far met all our criteria. However, its failure to make our list is the result of one major issue: it collects a lot of information about its users.
Additionally, with WhatsApp being a part of the Facebook community (Facebook purchased the app in 2014), we felt in light of Cambridge Analytica and the many others scandals involving users' data by Facebook, to not include it or Facebook Messenger on our list.
Is this really a surprise? The popular messaging app received an enormous boost in customer awareness and growth after the whistleblower, Edward Snowden, praised the app for its ability to deliver secure and private messages. Few apps are better than Signal which conducts secure communications while collecting a minimal amount of metadata.
Signal's placement on our list arises from its ability to deliver secure messaging and much more. Features such as secure voice and video calling are a welcome addition and a rarity among similar apps. Additionally, its ability to truly replace the default SMS messenger app on Android adds to its convenience as it is the only app on our list able to handle unencrypted SMS messages.
The Signal Protocol is one of the best in the world at protecting users' communication. It is completely open-source, allowing all users access to its operation. The security of Signal Protocol is so good that many of your favorite apps use it to implement end-to-end encryption such as WhatsApp, Facebook Messenger, and Google Allo.
Signal recently implemented self-destructing messages which bolster the privacy of the sender. Messages can be given an expiration date that can be as short as five seconds. Once the duration is read, the message will be deleted from all devices.
Signal offers the ability to verify contacts by manually scanning a QR code generated on a saved contacts' device, though the numerical code can also be shared. Once verified, you can ensure that all communication is sent and received from that device. You even receive notice when their device changes, allowing you to decide whether or not to continue the conversation.
Signal also lets you send messages anonymously. Because they believe in retaining as little data as possible on their users, they created Sealed Sender, a feature which encrypts who a message is from. As it travels, Signal's servers do not know the sender, thus minimizing the information they have access to in the case of a hack or government subpoena. They are the only messaging service on our list which includes a feature like this.
However, what easily propel Signal to the number spot on our list is its minimal collection of metadata. While metadata doesn't reveal the contents of the message, it does compromise the privacy of the communication's parties as it can contain information such as users' location and IP addresses.
Signal captures one of the lowest amount of metadata and encrypts this data. Therefore, if Signal was to ever be hacked, you can be ensured the impact to you will be minimal as Signal collects very little about you. Unfortunately, Signal does collect phone numbers for registration, so truly anonymous sign up isn't possible.
Aside from Android and iPhone versions, you an use Signal on Windows, macOS, and Debian-based Linux. You can even use Signal from the web on Google Chrome from any computer using its Chrome extension.
Thanks to Signal's minimal metadata collections, expansive feature set, and secure encryption protocol, it easily tops our list for the best secure messaging app, and we strongly recommend all our users to start taking advantage of it.
Wickr Me is the free version of Wickr, a secure messaging app that's built from the ground up for protection. It's designed for all communication to be secure and safe, ensuring your privacy and security. It's because of this it makes sense that it doesn't allow SMS messages as it wants its users to only send and received secure messages.
Wickr Me is the only one on our list to require a password, by default, to access your messages, adding another layer of protection. For convenience, this can be switched to the fingerprint or face scanner.
Unlike Signal, Wickr allows you to sign up anonymously by not requiring the use of your phone number or email address for registration. However, adding this information does have a benefit as it helps you (and your friends) find each other automatically by scanning the information found in your contacts list on your device. Otherwise, they will need to know your Wickr screen name to add you.
Wickr is also one of the few apps to include screenshot detection. This feature will alert users if a mobile user is taking a screenshot of the messages. These alerts cannot be turned off or removed from the conversation. While it doesn't prevent it, screen capture is disabled on Android by default (this isn't possible for iOS users), so without heading to Settings, they won't be able to take a screenshot anyway.
Additionally, "Screen Overlays" is disabled by default for Android users. Overlays are apps that run continuously, creating new functionality within apps such as blue light filters and chat bubbles. Some malicious ones are known to capture data on your display so Wickr blocks their activation by default to shield your messages.
There is no web-based version of Wickr Me available, meaning that you're stuck using the official apps for Android, iOS, Windows, macOS, and Ubuntu, so if you planned on chatting from a public computer, this might be a downside (though we don't consider it one, not at all).
Overall, Wickr Me is a viable option for those looking for an alternative to Signal. While it lacks Signal's video calling feature and offer the lowest maximum size for group messages, its dedication to protecting your privacy is evident and is a great option for those looking for secure messaging.
Backed by Skype's co-founder, Janus Friis, and developed by many former Skype employees, Wire borrows some of Skype's design cue to provide a simple and clean user interface. The messaging app tries in some ways to replace Skype by offering high-quality audio and video while keeping the entire process secure with end-to-end encryption.
While the app didn't initially offer end-to-end encryption, after the public's support for Apple during its battle with the FBI, it viewed security as an opportunity. And to help further differentiate itself, around the same time, it added secure video calling, a feature only one other app has on our list.
Since the last time we reviewed Wire, the app has gotten a ton of features, making it an even stronger contender. For one, Wire not only supports encrypted voice and video calls, but conference calls as well. You can make a secure voice or video call to a group of people with the same protection as a normal 1:1 phone call.
Wire also introduced Guest rooms. Because we don't always communicate with members of the same security service, Guest Rooms provides temporary protection. In these rooms, which non-Wire members can access via their browser, your conversation can enjoy the same end-to-encryption as a Wire conversation without the need to download an app or sign up for a service.
Group messaging is also available, with the second largest group size (300users). While most of us will never create and use group messaging anywhere near this max, it's nice to know it has some flexibility for those rare occasions.
Encryption is accomplished using the Proteus Protocol, a precursor to the Signal protocol. It is open-sourced and independently audited with its most recent review in March 2018 of its iOS, Android, and web applications. Forward and backward secrecy is established, offering protection against a compromised key. Wire is working with Cisco, Mozilla (the company behind Firefox), and others to complete a new protocol, Messaging Layer Security (or MLS), which they believe is the future of end-to-end encryption.
Wire is also one of only two messengers on our list which syncs messages across devices. Not only does this make setting up a new device easier but allows the user the flexibility to communicate on the most convenient platforms available, which can change throughout the day.
Unfortunately, Wire does have one glaring issue with metadata: According to their latest whitepaper, Wire retains a list of every user you ever communicated within a plaintext file (according to Motherboard). The impact of this decision depends on where you created your account.
If you register on your smartphone, your phone number is required for registration. However, by using a computer or tablet, email can be used instead, which you can then use to log into the mobile app. While both methods can be used to identify, having a list containing phone numbers is much impactable in regards to your privacy.
While this collection is alarming, it isn't as much as others (such as WhatsApp), which allowed it to remain on our list. While we believe Signal and Wickr Me are better options, this is a great app that offers many of same features of Signal with the benefit of using an email address (instead of your phone number) to register for better privacy protection.
Wire also is available on a lot of devices aside from Android and iPhones — Windows, macOS, Linux (Ubuntu, AppImage, Debian), and the web — which is always a good thing.
Threema is the only paid app on our list. While we did look for a free app alternative, its combination of features and security forced its position on our list.
Threema's servers are located in Switzerland, which has much stricter privacy laws than most countries including the US. Threema is in compliance with Switzerland's laws providing the user the comfort of knowing their privacy is protected. Threema is also in compliance with European General Data Protection Regulation, the new regulation which improves the handling of citizens' data by international businesses.
Similar to Wickr, you can sign up without an email address or phone number for ultimate privacy, but unlike the other messaging service, your messages won't sync. However, you can back up your files so messages can travel with you.
Unlike Wickr Me, Threema prevents parties from taking screenshots of conversations on their device for Android users. However, one glaring omission is the inclusion of self-destructing messages. It is the only app on our list that doesn't include the feature, which is one of the few reasons for its position on our list.
This is the only app on our list to support Windows Phone as well. Despite the platform being all but dead, there are still a number of users who won't let go of the mobile OS. And if the rumored Surface Phone is true, the platform may see a revitalization. However, there are no desktop versions of Threema, though, you can use it on a computer from a web browser (as long as you are an Android user).
While not better than the other free offerings on our list, Threema is a great choice for users for its complete screenshot protection, anonymous sign-up process, and compliance with the new EU regulation. It is a great app that offers great protection and is a much better option than those which didn't make our list.
Each of these apps is light years better than using SMS messaging when it comes to security, and they offer the benefit of providing free messaging no matter what texting messaging limit you may have on your wireless plan. Additionally, as long as you have access to data, you can use these apps as a way to circumvent roaming charges for texting individuals in other countries.
While we stand with you using any of these apps, after our testing, we concluded that for the best balance of security, privacy, and features, Signal Private Messenger is the way to go. Its prioritization of security and privacy has led little compromise, designing all aspect of the app with this in mind. Its major flaw is the requirement of a phone number for registration but using our guide (see link below), you can improve your privacy by using a "burner" phone number instead.
What do you think of our list? Is there any app you use that didn't make our list? Let us know in the comments below.
This article was produced during Gadget Hacks' special coverage on smartphone privacy and security. Check out the whole Privacy and Security series.