I was searching for a new secure instant messaging app, and I previously described my requirements in Secure Instant Messaging App Requirements. My search has finished, and I have a winner :) Let me explain how I got to this point :)
There are lots of messaging apps available that claim to be secure. Indeed, they may well be depending on what is meant by secure. My requirements were very clear, so it was relatively easy to reduce the field to an initial short list of four (in alphabetical order):
All of these apps are covered in the Secure Messaging Scorecard by the Electronic Frontier Foundation. I found that was a very useful resource.
Surespot was the first to be eliminated. This was an easy decision, because there are rumours that it has been compromised. I am not sure that I believe all of these rumours, but they are enough to scare me away! See any of the following:
Telegram was next to be eliminated. It has several good and bad features, and the main ones of interest to me are summarised in the table below.
Good |
Bad |
Available for desktops |
Founded by, and run by, Russians |
Provides end-to-end encryption, but only for secret chats |
Group chats do not use end-to-end encryption |
Scored 4/7 in normal use, and 7/7 for secret chats |
Uses phone numbers |
Available for both Android and iOS |
There are some concerns over its use of a very custom protocol |
It was fairly to easy to eliminate Telegram, because I do not like the way that it only provides end-to-end encryption in the secure chat mode. It would be too difficult for me to educate my target audience in the differences between the various types of chats.
This left Open Whisper Systems and Threema, and I spent the most time studying both of these. Obviously I looked at their respective web sites, and I also found the following two resources very useful:
The main good and bad features of Open Whisper Systems in my opinion are summarised in the table below.
Good |
Bad |
Open source |
Based in the US |
Includes voice support |
Funded by the US government |
Great endorsements (Bruce Schneier, Edward Snowden) |
Previous links with Twitter, and current vague links with Whatsapp/Facebook |
Scored 7/7 |
Linked to the device’s SIM |
Provides end-to-end encryption (using elliptic curves) |
Integrates with the native messaging app |
Provides end-to-end forward secrecy |
|
Includes identity verification |
|
Available for both Android and iOS |
|
Similarly, the main good and bad features of Threema in my opinion are summarised in the table below.
Good |
Bad |
Provides end-to-end encryption (using elliptic curves) |
Does not include voice support |
Provides end-to-end encryption for group chats |
No desktop version |
Cryptography provided using a respected library (NaCl) |
Not free |
Scored 5/7 |
Does not provide end-to-end forward secrecy |
Not linked to the device’s SIM, so it can be used on devices without SIMs |
|
Hosted in Switzerland |
|
Standalone app |
|
Includes identity verification |
|
Available for both Android and iOS |
|
Of course I realise that some of my opinions are very subjective (such as the nationalities of the people behind them). I am also aware that I must have a certain amount of trust in the app provider, and that no secure app in the world can compensate for a compromised operating system!
So what app did I ultimately select? Threema :) So far I have been extremely happy with my choice!
However, I have been impressed by Open Whisper Systems, and I am considering using it for work purposes. (I like to keep my personal apps separate from my work apps.)
Tags: Facebook, Open Whisper Systems, Surespot, Telegram, Threema, WhatsApp