Secure Messaging Scorecard: a thorough review of top trending apps

for safeguarding privacy and business critical data

This year mass surveillance and hacker attacks have become an even more serious threat for privacy than in 2016.

The most large-scale hacker attack of the year so far — the notorious WCry/WannaCry ransomware — came as yet another alarm for medical institutions, broadcasting corporations, business, government and literally for all internet citizens. Hackers hit nearly a hundred countries worldwide including the UK, Russia, India and China. The malicious software they exploited was reportedly stolen from the National Security Agency.

If you are worried over illicit surveillance and the possible data exposure to hacker attacks, you should consider using encrypted communication apps developed specially for the privacy conscious. We have made an overview of encrypted messengers that highlights when each of them is most useful.

While some fit perfectly for personal use, you might find advanced features in other solutions. These are not the so-called “secure” messengers that in fact collect your personal data and store your history unencrypted. The services we are observing promise security and keep their promise.

The threats of all kinds have facilitated the rise in encrypted messaging apps focused on safeguarding private content. Users worried about privacy would be wise to check out the six secure messengers: Signal, Threema, Wickr, Confide, VIPole and Symphony. The complexity of the communication system matters as well as the customizations you can use to enhance the default privacy offered by the service.

Choosing the privacy app for your special needs

All the encrypted messages that we’ve named offer encrypted texting and secure group chats along with sharing files. Bear in mind that in some services the number of group chat participants may be limited.

Many of these apps started as services for private messaging, and later they added other features necessary for rich-featured interactions, including sharing images and documents, encrypted calls and video calls in most cases and group calls in a few solutions.

Security by design and advanced features

All the encrypted apps we’re speaking about provide encrypted messaging secure group chats and file transmissions, but the features for managing your content differ. VIPole, Wickr and Confide store the data encrypted on devices, while Signal and Wickr don’t store the data at all to ensure that no one would get access even to encrypted files. Most messages, including Signal, Threema, Confide and VIPole offer various settings that allow users to additionally protect their data and privacy. You can also get advantage of managing active sessions in VIPole in Symphony, by the way, Telegram has this feature as well.

In some messengers, the features for deleting the content you’ve sent are limited and you cannot delete your history — of course, when it is not stored — you have no need to delete it. Remember that in Confide you can delete your messages only before they are read by recipients. And if you need the self-destructing mde, then Confide will fit together with VIPole, Signal and Wickr.

Team security management and bulk operations

While the scale of attacks and critical business data leaks is growing yearly, protecting the workflows of the companies of all sizes is essential. Not all the encrypted messengers we’ve named have specifically addressed the enterprise needs. Wickr for business has expanded its capabilities in the version for business, adding calls, video calls and secure file transfers up to 5 GB. However, there are limited options for centralized control.

Symphony and VIPole have developed special extensions in the enterprise versions — Symphony’s Admin Portal and VIPole Administrator Dashboard — allowing the administrators to monitor active sessions, configure data retention policies, assign entitlements and manage the way team members communicate and collaborate. Both services provide a comprehensive set of features for security management and promoting productivity. Other encrypted messengers didn’t make a focus on unified communications control for teams.

We’ve named just a few main features, to discover them all you should give these communication platforms a try and see how they work for you. If you’re looking for a messenger to protect your privacy — then any of the named encrypted messengers is trustworthy.

How to make encrypted messengers work for you

Following the large-scale data breaches, privacy violation scandals and the initatives of the governments willing to control what people share online, the demand for secure communication solutions today is higher than ever. There are multiple messengers and services designed for protecting most sensitive data with end-to-end encryption. However, encryption only cannot guarantee complete safety, and the features of secure messaging apps differ. This overview will give you an idea of what you get in each case.

VIPole

VIPole encrypted messenger provides instant messaging, chats, file sharing and managing, secure calls, group calls and screen sharing. It is a privacy app and also a platform that powers business. As the service was designed for uniting teams and safeguarding the connections of business users, it includes a number of productivity features, a calendar with a simple task manager, encrypted notes and a password manager.

It has numerous options for those who need the maximum confidentiality, including IP hiding, auto burning messages, auto lock and auto logout. Here you can share files of any type, the limit is 150 MB per file. In the Enterprise VIPole version, there are no limitations for file size. The number of participants in group chats in unlimited. Conferences allow to bring together up to 256 users.

The security of communications is ensured by end-to-end encryption for chats, shared media, calls and conferences. To protect user data, 256-bit symmetric AES encryption and 3072-bit RSA encryption are applied. Transport Layer Security safeguards all data transmission channels. Only the users themselves own their keys, and due to Diffie-Hellman secure key exchange the risk of interception is excluded. If a user forgets the secret phrase that protects the keys — there is no way to recover them unless the user remembers the phrase.

There is a key management tab in the app that allows to see the keys that are used to encrypt the data now and the previously used keys. While the data is encrypted end-to-end, it is also stored securely on the VIPole server or on the own company server in the on-premise verson, and secure synchronization allows users to have permanent access to all their conversations and media on all mobile devices and computers.

Signal

The famous application for privacy enthusiasts widely adopted by the people who value their personal life, especially in the countries with the excessive governmental control. Here you can send encrypted instant messages, images and files, hold voice calls and create secure group chats. In the settings, you can select the types of data you share over Wi-Fi and mobile data. Other messaging apps usually require all parties to have it installed to be able to communicate. Signal is more powerful in this respect, as it can work with SMS and MMS. Even if your friends of business partners are not in Signal — you can still stay in touch. It should be mentioned, that Signal is not always the fastest messenger. However, Edward Snowden recommends it, so Signal security is trusted.

In Signal, all types of conversations are protected end-to-end. Security in the app is based on the OTR protocol, AES-256, Curve25519, and HMAC-SHA256. Metadata in Signal, including the phone numbers of your contacts and the time the messages were sent, is not recoded. Which means that if you back up your device — you will no longer get access to your messages. Signal is handy and simple, and it fits best for real-time secure conversations, after which you won’t necessarily need your messages to be stored. Unlike Wickr, Signal does not save your password on the server. Additional features for managing privacy include self-destructing messages and the ability to delete full history on the device. Deleting an account is also easy — there is a big red button in the main menu for it.

Wickr

Wickr is available for Android, iOS and provides desktop applications as well. You can configure the self-destruction mode for messages, and after the period of time you need they expire. You can erase any message anytime, and your contacts won’t see it anymore. The number of users in group chats is limited to 10, and 30 in the Professional version. The recently released Professional edition also includes calls and video chats.

Like other messengers from the list, Wickr provides end-to-end encryption, and in addition in this app you can remove metadata from chats, including the timestamp and geolocation. You can be sure that your history on the devices of your contacts will stay hidden from third parties. It is recommended to Android users to encrypt their devices, as there is no information whether Wickr data is stored encrypted on devices. Self-destructing messages allow you to hide the traces of all your conversations, and you can completely wipe all your messages stored on the device. In February this year, Wickr has opened its code for public review, and you can audit the service yourself.

Threema

Threema is a secure messaging service especially popular in the German-speaking countries. It is a mobile app for iOS, Android and Windows Phone, there are no desktop versions. It is deservedly named among the most secure options for protecting privacy, as conversations in it are unreachable for corporations, governments and hackers. The features include messages and group chats for up to 50 users. Other handy features include polls for quickly getting the opinions of group chat members, and sharing files of most common types (up to 20MB). The messaging provider deleted all data from the server after the messages are delivered. The contacts and groups are stored locally on the devices of the users. Threema does not provide voice and video calls now, so you will need to use another app for this.

Threema is an encrypted mobile app that employs the NaCl cryptography library to safequard the chats. Both one-to-one and group chats are encrypted end-to-end, the media files you share and your statuses are also encrypted. After your messages are delivered to recipients, they are deleted from the server. When users first sign up, a unique Threema ID encryption key is generated, ensuring the anonymity of your communications. To verify the contacts, you can use a scannable QR code when you meet them in person.

Symphony

A probably less known, but a more secure platform for corporate communications than Slack, HipChat and Microsoft Teams. The system was developed for and supported by banks, as its goal was «to enable richer workflow and collaboration throughout the financial industry and other sectors». The system allows to organize communications within teams and externally, share encrypted documents, organize conferences with screen sharing. The product is business-oriented and provides the instruments to control the communication flows within companies. However, the options for managing the content that are available to Symphony users are limited in comparison with other messengers, including even the much less secure popular applications that have deleting and editing for shared contentment that users are used to.

Symphony ensures security while data is sent, transmitted, received and decrypted on the devices of authorized recipients. The data is stored encrypted in the cloud in order to meet the compliance regulations of the companies that use it. The customers own their encryption keys, and their access is protected during internal and external communications. However, as Symphony was developed mostly for financial companies, the New York Department of Financial Services raised suspicions that banks might use encryption to avoid the eyes of regulators. As a result, Goldman Sachs, Deutsche Bank, Credit Suisse and Bank of New York Mellon agreed to hand the copies of their encryption keys to an independent custodian. Which means that a regulator will be able to review the messages sent within the service, decrypting them upon request. This security compromise weakens the security of the service: the data is safe only until the time the regulator decides to have a look at it.

Symphony has raised a fresh round of funding recently. The platform is planning to integrate with other systems, expanding as a collaboration tool, which is likely to make it more handy but at the same time more vulnerable for violations.

Confide

Confide is an app for encrypted one-to-one and group messaging, sharing photos, documents and voice messages. The swipe-to-reveal scheme in Confide prevents screenshots, thus ensuring that your secure conversations won’t be passed to third parties. You can retract un-send the unread messages, however, many messengers today offer this feature for all messages you’ve ever sent, or at least have a 48-hour limit like Telegram does. With the self-destructing mode for messages that disappear once they are read, here you can take yourself off the record, just make sure that you’ll never need them again. This is great for most sensitive conversations but that is not necessarily what you would use for collaboration where you may need the files you share today a month later. Messages in Confide cannot be saved or forwarded unlike in other messengers. To read the messages, you need to move your finger, line after line, feeling a bit like a spy. Only the last sent message can be shown for you to recollect what you’ve been speaking about.

Confde was reported as being used by White House staffers, however, IOActive security researchers have discovered multiple critical vulnerabilities in the service after auditing it. Confide does not notify users when a new encryption key is generated for their account which makes the man-in-the-middle attack possible. Confide co-founder and president Jon Brod said that the revelations of the security researchers did not show that the system is exposed to violations actually.

No service can be universally perfect for everyone, and while you may be using some of the named messengers only for very special conversations that should leave no traces online, others can be easily employed as a handy service for protecting business communications. When you install an app, check the security settings it offers, whether it is collecting your data or not, check the special options you may use to stay completely private. Test everything before trusting.

If you have anything to add to the review, or you prefer other encrypted apps, or there are other features of privacy apps that should be mentioned here — please share your opinion in the comments section! We appreciate your involvement.

VIPole offers end-to-end encrypted messaging and collaboration solutions for teams and enterprises dealing with commercially or personally sensitive information, and individuals wishing to protect themselves from hackers, identity thieves and malware. More at www.vipole.com