How Secure is Your Chat App?

July 24, 2018

Chat apps are the #1 way to communicate using your smartphone. The range of options is broad, and so is the potential for companies or governments to snoop on your conversations.

Before we compare the different chat apps out there, let’s talk a bit about encryption. Encryption essentially scrambles the content of your chats so that if someone between you and the recipient were to capture what you send, they wouldn’t be able to make any sense of it. This works because the origin and the destination of a message share a secret key that allows them to decode it, and nobody else has that key. If a message is not encrypted, or if it’s not encrypted throughout the entire transmission process, then there’s potential for someone other than your counterpart to read it.

With that out of the way, let’s dive in!

SMS, aka ‘Texts’

The regular old texts on your phone (called SMS) are one of the most convenient and universal chat platforms (they work between any two phones!), but they’re also the least secure.

SMS messages are not encrypted at all, so if anyone were to intercept your phone’s connection to a cell tower, they could read them. If your carrier (or your recipient’s carrier) wanted to, they could read them, store them indefinitely (which they do), parse their contents to profile you, anything. And if the government wanted to take a look at them, they would only need a warrant if they wanted to see the ones sent in the last 180 days; for older ones, they only need a subpoena.

RCS (Android Chat)

RCS is the new standard for multimedia messaging on mobile phone networks, and is meant to replace SMS. The next generation of Android will support it by default through a revamp of the default messaging app called Android Chat. It allows you to send photos, videos, files, locations, audio messages, have group chats, and more. Basically, it’s a response to other modern chat apps.

But, at its core, it’s just like SMS: completely insecure, and mediated in all sorts of unencrypted ways by carriers. If you want your private conversations to stay private, you shouldn’t use SMS, or RCS in the future.

iMessage

iMessage is Apple’s messaging service. It’s meant to replace SMS when messaging between Apple devices—blue bubbles in the Messages app means that you’re using iMessage, while green bubbles means the conversation is over plain old SMS.

Though they may look similar to SMS in everything except bubble color, they are worlds apart. iMessage is encrypted from end to end, which means that messages leave your phone already encrypted, and are not decrypted until they arrive at their destination. Not even Apple can read your iMessages while they’re in transit, and once they arrive, they are not stored in the cloud. There is one loophole, though: if your iMessages are part of your iCloud backup, well, the backup is unencrypted, which means that the potential for snooping is there, particularly if authorities compel Apple to turn them over. But that’s about to change with the next version of iOS.

Starting with iOS 11.4, iMessages will be synced between devices through iCloud, and while Apple has assured that messages are still very much encrypted and that they won’t be able to read them, they haven’t given specifics about the implementation. But there already is an iCloud service that works in a similar way. iCloud Keychain stores passwords and other highly sensitive data using a “zero knowledge” approach, where the keys to decrypt the content only live on your devices and can never be accessed by Apple or by anyone else. If iMessage in iCloud is implemented using this approach, then the promise of privacy and convenience would be completely fulfilled.

WhatsApp

Not to burst your America-centric bubble, but even though you may have barely heard of it, WhatsApp is the most popular chat app in the world. Because almost everywhere on the planet (beyond the US) people are charged for each text sent, WhatsApp established itself as the de-facto leader in free messaging when it started in 2009. Today, 1.5 billion people use it each month. That’s over 4.5 times the population of the United States.

But how safe is it? Well, since 2016, WhatsApp has been fully end-to-end encrypted. Even backups to iCloud (iPhone) or Google Drive (Android) are encrypted using a key that’s only stored within the app (though it could be obtained from an Android device).

Pretty great, isn’t it? Well, almost. Since 2014, WhatsApp has been owned by Facebook, and since 2016, it does share some data with its parent company, as enabled by updated Terms of Service. We don’t know exactly what data they share, but even though they can’t read your messages, they can read what is called “metadata”: who you’re messaging with, how much you’re interacting with them, how data-heavy the exchange is (which tells them whether you’re sending photos, videos, audio messages, or just text), and maybe more. They also associate your phone number with your Facebook identity if they can, and they will upload your address book to Facebook for features like People You May Know. Definitely better than SMS, though.

Facebook Messenger

If you didn’t like Facebook snooping on your WhatsApp metadata, you’re gonna hate what they do with Facebook Messenger. First of all, Messenger is completely unencrypted (unless you’re one of the 10 people using the “secret chat” feature), and your conversations are stored forever on Facebook’s servers, which means that Facebook (or whoever gets their hands on them) could read them without any trouble—which brings me to my second point. Facebook bots actively scrape your Messenger chats to provide “useful” feature suggestions, and though I couldn’t find any direct confirmation, it is very likely that they also use your chat data (and maybe even some other data) to better profile your personality in order to serve you ads.

Telegram

When Telegram launched in 2013, it was presented as a cloud-based, secure alternative to WhatsApp. Being cloud-based means that the service works across your devices, and even on the web, something that WhatsApp can’t claim. And back in 2013, Telegram was actually more secure than then-unencrypted WhatsApp, but that is no longer the case.

Telegram’s encryption model is not great: instead of being end-to-end encrypted, it’s only client-server encrypted, which means that messages leave your phone encrypted, arrive at Telegram’s servers where they are decrypted, then re-encrypted, and sent to your counterpart. In other words, messages can’t be intercepted in transit, but we have no idea what is going on in Telegram’s servers, so if they get hacked, go rogue, or get a warrant, your data may be vulnerable. (Telegram is registered in the UK, so they are protected by strong data protection laws.) There is access to end-to-end encryption through “secret chats”, but these are not synced across devices.
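To make the difference between end-to-end and client-server encryption concrete (and to show why the metadata mentioned in the WhatsApp section leaks in both cases), here is an added example that is not code from the original post. It models a provider’s relay server that logs everything it can see. In the end-to-end model the two clients share a key the server never receives; in the client-server model each hop is encrypted with a key the server holds, so the server decrypts, can read and store the plaintext, and re-encrypts. The cipher is a deliberately simple toy built from the standard library (an HMAC-SHA256 keystream plus an HMAC tag) so the script runs offline; real apps use audited ciphers, and the names `Relay`, `end_to_end` and `client_server` are this example’s own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Derive separate keys for confidentiality and integrity from one shared secret.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a toy stand-in for a real cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Only a holder of `key` can decrypt it."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. A wrong key raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Relay:
    """The provider's server (hypothetical). It records everything it can see."""
    transport_key: Optional[bytes] = None  # set only in the client-server model
    log: list = field(default_factory=list)

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Metadata is visible in both models: who talks to whom, and how large the message is.
        record = {"from": sender, "to": recipient, "size": len(blob), "content": None}
        if self.transport_key is not None:
            # Client-server model: the server holds the key, so it decrypts (and could
            # store or scan the plaintext) before re-encrypting for the next hop.
            record["content"] = decrypt(self.transport_key, blob)
            blob = encrypt(self.transport_key, record["content"])
        self.log.append(record)
        return blob


def end_to_end(message: bytes) -> dict:
    """Alice and Bob share a key the provider never sees."""
    shared = secrets.token_bytes(32)
    relay = Relay()
    delivered = relay.relay("alice", "bob", encrypt(shared, message))
    return {"bob_reads": decrypt(shared, delivered), "provider_saw": relay.log[0]}


def client_server(message: bytes) -> dict:
    """Each client shares its key with the provider rather than with the other client."""
    transport = secrets.token_bytes(32)
    relay = Relay(transport_key=transport)
    delivered = relay.relay("alice", "bob", encrypt(transport, message))
    return {"bob_reads": decrypt(transport, delivered), "provider_saw": relay.log[0]}


def provider_can_read(result: dict) -> bool:
    return result["provider_saw"]["content"] is not None


def outsider_can_read(message: bytes) -> bool:
    """Anyone without the shared key (provider or interceptor) fails to decrypt."""
    blob = encrypt(secrets.token_bytes(32), message)
    try:
        decrypt(secrets.token_bytes(32), blob)  # a different, guessed key
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, fn in (("end-to-end", end_to_end), ("client-server", client_server)):
        r = fn(b"meet at 6?")  # constructed sample message
        print(f"{name}: bob reads {r['bob_reads']!r}; provider log: {r['provider_saw']}")
```

Running it shows the same delivered message in both models, but the provider’s log entry carries the plaintext only in the client-server case; in both cases the log still records the sender, the recipient and the message size, which is exactly the kind of metadata a provider can collect without breaking the encryption.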

Another common critique of Telegram’s security model is that they chose to “roll their own crypto”; in other words, they invented their own kind of encryption, which in the software security world is a big no-no. Rolling your own crypto means that you’re pushing aside well-tested, industry-standard ways of securing data in favor of new and untested mechanisms, and that usually leads to failure. WhatsApp, iMessage, Signal, and even Facebook Messenger’s “secret chats” all use standard, well-reviewed methods of cryptography, which is why their security can be trusted. With Telegram, we just don’t know yet.

Nevertheless, Telegram has been blocked in Russia and Iran because their governments can’t get into it to spy on their detractors.

Signal

Signal is a fully end-to-end encrypted messaging app that includes voice and video calling, and it is endorsed by Edward Snowden and the US Senate as a very secure way to communicate. Need I say more?

So, What Should I Use?

If you’re looking for the most secure alternative, Signal is the way to go. If you don’t mind feeding data into Facebook (or if, as in my case, you can’t run away from it), WhatsApp is actually fairly decent in terms of security. iMessage is a great way to chat with your iPhone friends, just make sure the bubbles stay blue. I personally use Telegram every day, and though researching this article made me realize that it’s not as secure as I thought, the cloud-based convenience with relative security (at least compared to Messenger) is unmatched by any other service.

Messenger, SMS, and the newfangled RCS are the clear losers here, so if you have anything sensitive to share, do yourself a favor and go through some other service.


This post is part of a series on phone security. Also check out: How Secure Is Your Phone’s Software? and How Secure Is Your Phone’s Lock?