How secure is your messaging app?

File photo: WhatsApp and Facebook messenger icons to see on an iPhone. (REUTERS/Phil Noble)

Which messaging app you would choose for absolute certainty? Each developer will confess, that they responsibly consider the security and privacy of their users. But with so many different choices, it can be difficult to tell which e-mail platforms that you can trust.

This set of criteria can help you evaluate the security of your messaging apps, and decide how far you can trust them.


Almost any messaging app send you messages in plain text format; all platforms use a form of encryption to scramble messages and prevent unauthorized parties to read. But not all forms of encryption are equally safe.

Some apps encrypt your messages in the transition and storage, but also the possession of a copy of the encryption keys. This means that they can decrypt and read the content of your messages. Companies that use this form of encryption usually do so to mine user data for advertising purposes. Examples of this are the soon-to-be-phased-Google Hangouts, Skype and WeChat.


But if the servers of these companies become the victim of a data breach, malicious actors will have access to the keys and can decrypt your messages. The companies that these services are open on the warrants of the government organisations that want to investigate users’ personal communications.

The most secure platforms use end-to-end encryption (E2EE). These apps make use of public key cryptography to encrypt messages: For each user, the platform issues a pair of public and private keys. It stores the public keys on the servers, but the private keys are stored on devices.

Users can retrieve different public keys of servers to encrypt messages. Each message that is encrypted with a public key can only be decrypted with the corresponding private key, which is in the exclusive property of the recipient. End-to-End encryption ensures that even the company to which the application can access a message. Even if hackers break into their servers, or three-letter-agencies to force them to hand over the data of the user, they are not able to decrypt the content of the messages.

At this moment, there are more and more platforms for the adoption of end-to-end encryption. Some examples are Signal, WhatsApp, Wickr, and Apple’s iMessage.


Other messaging apps like Telegram and Facebook Messenger also support end-to-end encryption, but it is not enabled by default. You have to enable the feature manually for individual chats. Skype has also recently added a feature called Private Conversation that provides end-to-end encrypted chat, but it is also not the default configuration.

Delete Message

Although end-to-end encryption protects you against spies, it is of no use if the device or the devices of people you chat with in the wrong hands. Another security feature to look for in messaging apps is the ability to delete messages after they are sent. Deleting messages makes sure that if one of the devices is compromised, and your confidential communication will not be exposed.

Telegram, Signal, Skype will let users to delete messages for themselves and the recipients of their messages. Wickr also has a “recall message” feature, which deletes messages from the devices of anyone who is involved in a conversation. And WhatsApp added a “delete to all” option in December of last year, but you can use it to delete only the messages that you have sent in the last 13 hours.

iMessage not support the deletion of individual messages: You can delete only all chats, and if you do, you’re deleting a chat only from the device you are using; it remains on all other iOS devices that share the same Apple ID as on the devices of the person with whom you chat.


A useful addition to deleting the self-delete a message. This feature will automatically delete messages from the devices of all users after a certain amount of time has elapsed. On Signal, it is called “the disappearance of messages.” When you enable the feature, specify an expiration time after which a message is automatically removed from all devices.

Wickr self-destruct feature is called “Burn-on-read.” Telegram and Facebook Messenger also support self-destructing messages, but only for their secret chat features that are running on end-to-end encryption. WhatsApp does not support self-deleting messages.

Note: if the receiver of a message makes a screenshot of your chat and shops elsewhere, removal will be futile; delete message won’t protect you against malicious parties. It is a protection against unintentional errors.


Together with the content of the messages that you need to worry about the metadata—the information a messaging platform save on your activities. Metadata includes the sender and the receiver Ids, the time at which a message is sent, login times, IP addresses, device types, duration of calls, and other data that can be traced to your identity and habits.


In the wrong hands, metadata can be very harmful, because it can reveal a user’s communication patterns: the people who put them in contact with their geographic location, the timing of the messages, and more.

Most popular messaging applications, you will collect a wealth of information about the activities of the user. But the Signal is the best track record, because it only registers the phone number that you have created your account and the last date you logged in to your account (not including the hour, minute, and second).


Beyond the promises of developers, independent experts should be able to verify the security of a messaging application. Open-source platforms—applications that the developers have the source code available in the public are generally more reliable, because they usually undergo a thorough peer review and the cross-examination by other developers and security experts.

Signal is an open-source, and the source code of all versions of the app is available for download on GitHub. Wickr made the source code available to the public last year. Telegram also offers the source code of the apps and developers to create and publish their own versions of the client application that can hook into the application programming interface (API).

WhatsApp and Facebook Messenger are not open source, but they make use of the open-source Signal-Protocol to encrypt the sending of user messages.

Closed-source applications such as iMessage users should have a complete trust in the developer to the code for the security of errors and not installing backdoors: deliberate vulnerabilities is intended to select the parties (advertisers and agencies of the government) access to the encrypted content of the message.

Nothing is Perfect

In short, if you have an evaluation of a messaging app, ask yourself the following questions:

Makes the use of end-to-end encryption?

Allows you to delete a message, for all parties to a conversation?

How much metadata does it collect?

Is the source code open for review, and have external experts confirmed that the security?

Answering them will give you a good idea of how safe a chat app is.

But to be clear, there is no such thing as absolute safety. And even the most secure messaging platform won’t protect you against yourself.

In addition to choosing a secure messaging app for your confidential communication, you should develop the personal safety habits, such as setting a screen lock on your devices, not installing any apps from unknown developers, and not oversharing online. The best way to have a private conversation is to avoid that online platforms at all.

This article was originally published on

Follow us

Don't be shy, get in touch. We love meeting interesting people and making new friends.

Most popular