Comparison of Messaging Apps from a Security/Privacy POV

Messaging Apps from a Privacy Perspective

Messaging Apps
Name
Score
Company jurisdiction
Infrastructure jurisdiction
Divulged Data
Built-In Spyware
Transparency Report
General Stance
Funding
Company Collects Data
App Collects Data
Default Encryption?
Cryptographic primitives
Client Open Source?
Server Open Source?
Anonymous Signup
Anonymous Contact Adding (without Server)
Can you manually verify contact's fingerprints?
Directory service, could be modified to enable a MITM attack?
Do you get notified if a contact's fingerprint changes?
Is personal information (mobile number, contact list, etc.) hashed?
generate & keep a pkey on the device itself?
Can messages be read by the company?
Does the app enforce perfect forward secrecy?
Does the app encrypt metadata?
Does the app use TLS/Noise
Does the app use certificate pinning?
Does the app encrypt data on the device? (iOS and Android only)
Does the app allow a secondary factor of authentication?
Are messages encrypted when backed up to the cloud?
Does the company log timestamps/IP addresses?
Have there been a recent code audit and an independent security analysis?
Is the design well documented?
Does the app have self-destructing messages?
1
Allo
0
USA
USA
Belgium
Finland
Ireland
the Netherlands
Chile
Taiwan
Singapore
✖️ Yes
✔️ No
✔️ Yes
✖️ Poor
Google
✖️ Yes
✖️ Yes
✖️ No
✖️ No
✖️ No
✖️ No
✖️ No
✖️ No
✖️ Yes
✖️ No
✖️ No
✖️ Yes
❓ Unknown
❓ Unknown
✔️ Yes
❓ Unknown
❓ Unknown
✖️ No
❓ Unknown
✔️ Yes
✖️ No
✔️ Yes
2
iMessage
-7
USA
USA
Ireland
Denmark
Google Cloud
✖️ Yes
✔️ No
✔️ Yes
✖️ Poor
Apple
✖️ Yes
✖️ Yes
✔️ Yes
ECDSA 256
AES 128
SHA-1
RSA 1280
✖️ No
✖️ No
✖️ No
✖️ No
✖️ No
✖️ Yes
✖️ No
✖️ No
✔️ Yes
✔️ No
✖️ No
✖️ No
✔️ Yes
✔️ Yes
✔️ Yes
✖️ No
✖️ No
✔️ Yes
❓ Somewhat
✖️ No
3
Messenger
-10
USA
USA
Sweden
Ireland
✖️ Yes
✔️ No
✔️ Yes
✖️ Poor
Facebook
✖️ Yes
✖️ Yes
✖️ No
Curve25519
AES 256
HMAC-SHA256
✖️ No
✖️ No
✖️ No
✖️ No
✔️ Yes
✖️ Yes
✖️ No
✔️ Yes
✖️ Yes
✔️ Yes
✖️ No
✔️ Yes
❓ Unknown
❓ Unknown
✖️ No
❓ Unknown
✔️ Yes
❓ Somewhat
✔️ Yes
4
Riot/Matrix
12.5
UK
UK
✔️ No
✔️ No
✖️ No
✔️ Good
New Vector Limited
✔️ No
✔️ Minimal
✖️ No
Curve25519
AES 256
HMAC-SHA256
✔️ Yes
✔️ Yes
✔️ Yes
✖️ No
✔️ Yes
✖️ Yes
✔️ Yes
✔️ Yes
✔️ Yes
✔️ No
✔️ Yes
❓ Unknown
✔️ Yes
❓ Unknown
✔️ Yes
✖️ No
❓ Unknown
❓ Unknown
❓ Somewhat
✖️ No
5
Signal
8.55
USA
USA
✔️ No
✔️ No
✔️ Yes
✔️ Good
Freedom of the Press Foundation
the Knight Foundation
the Shuttleworth Foundation
Open Technology Fund
Signal Foundation (Brian Acton)
✔️ No
✔️ Minimal
✔️ Yes
Curve25519
AES 256
HMAC-SHA256
✔️ Yes
✔️ Yes
✖️ No
✖️ No
✔️ Yes
✖️ Yes
✔️ Yes
✔️ Mostly
✔️ Yes
✔️ No
✔️ Yes
✔️ Yes
✔️ Yes
✔️ Yes
✔️ Yes
✖️ No
✖️ No
✖️ No
9/30/2014
❓ Somewhat
✔️ Yes
6
Skype
-12.5
USA
USA
the Netherlands
Australia
Brazil
China
Ireland
Hong Kong
Japan
✖️ Yes
✖️ Yes
✔️ Yes
✖️ Poor
Microsoft
✖️ Yes
✖️ Yes
✔️ Yes
AES 256
SHA-1
RSA-1536
RSA 2048
✖️ No
✖️ No
✖️ No
✖️ No
✖️ No
✖️ Yes
✖️ No
✖️ No
✖️ Yes
❓ Unknown
❓ Unknown
✔️ Yes
❓ Unknown
❓ Unknown
✖️ No
❓ Unknown
✔️ Yes
✖️ No
✖️ No
7
Telegram
-11
USA
UK
Belize
UK
Singapore
USA
Finland
✔️ No
✔️ No
✖️ No
✖️ Poor
Pavel Durov
✖️ Yes
✖️ Yes
✖️ No
RSA 2048
AES 256
SHA-256
✔️ Yes
✖️ No
✖️ No
✖️ No
✖️ No
✖️ Yes
✖️ No
✖️ No
✔️ Yes
✖️ Yes
✖️ No
✖️ No
✖️ No
❓ Unknown
❓ Unknown
✔️ Yes
❓ Unknown
✔️ Yes
10/31/2015
❓ Somewhat
✔️ Yes
8
Threema
15
Switzerland
Switzerland
✔️ No
✔️ No
✔️ Yes
✔️ Good
Crowdfunding
✔️ No
✔️ No
✔️ Yes
Curve25519 256
XSalsa20 256
Poly1305-AES 128
✖️ No
✖️ No
✔️ Yes
✔️ Yes
✔️ Yes
✖️ Yes
✔️ Yes
✔️ Yes
✔️ Yes
✔️ No
✖️ No
✔️ Yes
✔️ Yes
✔️ Yes
✔️ Yes
✔️ Yes
✔️ Yes
✖️ No
10/31/2015
❓ Somewhat
✖️ No
9
Viber
1
Japan
Luxembourg
USA
✔️ No
✔️ No
✖️ No
✖️ Poor
Rakuten
friends and family of Talmon Marco
✖️ Yes
✖️ Yes
✔️ Yes
Curve25519 256
Salsa20 128
HMAC-SHA256
✖️ No
✖️ No
✖️ No
✔️ Yes
✔️ Yes
✖️ Yes
✔️ Yes
✖️ No
✔️ Yes
✔️ No
✔️ Yes
❓ Unknown
✔️ Yes
❓ Unknown
❓ Unknown
✖️ No
❓ Unknown
✔️ Yes
❓ Somewhat
✖️ No
10
Whatsapp
-9
USA
USA
✖️ Yes
✔️ No
✔️ Yes
✖️ Poor
Facebook
✖️ Yes
✖️ Yes
✔️ Yes
Curve25519
AES 256
HMAC-SHA256
✖️ No
✖️ No
✖️ No
✖️ No
✔️ Yes
✖️ Yes
✖️ No
✖️ No
✔️ Yes
✔️ No
✔️ Yes
✖️ No
✔️ Yes
❓ Unknown
❓ Unknown
✔️ Yes
✔️ Yes
✔️ Yes
❓ Somewhat
✖️ No
11
Wickr
6
USA
USA
✔️ No
✔️ No
✔️ Yes
✔️ Good
Gilman Louie
Juniper Networks
the Knight Foundation
Breyer Capital
CME Group
Wargaming
✔️ No
✔️ No
✔️ Yes
ECDH512
AES 256
HMAC-SHA256
✖️ No
✖️ No
✔️ Yes
✖️ No
✔️ Yes
✖️ Yes
✖️ No
✔️ Yes
✔️ Yes
✔️ No
✔️ Yes
✔️ Yes
✔️ Yes
❓ Unknown
✔️ Yes
✔️ Yes
❓ Unknown
✖️ No
7/31/2014
❓ Somewhat
✔️ Yes
12
Wire
16.6
Switzerland
Germany
Ireland
✔️ No
✔️ No
✔️ Yes
✔️ Good
Janus Friis
Iconical
Zeta Holdings Luxembourg
✔️ No
✔️ Minimal
✔️ Yes
Curve25519
ChaCha20
HMAC-SHA256
✔️ Yes
✔️ Yes
✖️ No
✖️ No
✔️ Yes
✖️ Yes
✔️ Yes
✔️ Mostly
✔️ Yes
✔️ No
✔️ Yes
✔️ Mostly
✔️ Yes
✔️ Yes
✔️ Yes
✔️ Yes
✖️ No
✔️ Yes
2/28/2018
❓ Somewhat
✔️ Yes

Top 3:

@Wire
@Threema
@Riot/Matrix

Bottom 3:

@Skype
@Telegram
@Messenger

Some Notes:

@Signal is open source nominally, but the only version that people can use is a binary, available on the app store and on a page on Signal's website. There's no way of knowing whether the binary is the same version as the one whose source we have access to, or whether it was tampered with (maliciously, or due to simple negligence). There is also no way to host the server in a way that communicates with the main Signal server, so for all practical purposes, Signal is closed source.
@Telegram says they'll open the server, but a few years later they still have not. Telegram also gets a low rating above because it doesn't do encryption by default, though it does have the option of secret chats.
The ranking is arbitrary. You can look below to see the score attributed to different vectors. For example, I attribute -5 to Facebook or Google; others might not think they're that evil.
@Whatsapp says they encrypt data, which is probably true as of now, but bear in mind that over a feud about user privacy. Bear also in mind that Facebook routinely commits enormous fraudulent breaches of user privacy (they get fined for it, some insignificant millions of dollars every few months).
@Whatsapp stores backups on Google's servers by default. Said backups are not encrypted and are as such readily available for Google to plunder. Even if you turn backups off, it's useless if your correspondent hasn't turned them off too.

Funding

| Funding | Score |
| --- | --- |
| Google | -5 |
| Apple | 0 |
| Facebook | -5 |
| New Vector Limited | 1 |
| Freedom of the Press Foundation | 1 |
| the Knight Foundation | 1 |
| the Shuttleworth Foundation | 1 |
| Open Technology Fund | 0 |
| Signal Foundation (Brian Acton) | 0 |
| Microsoft | -1 |
| Pavel Durov | 0 |
| Crowdfunding | 1 |
| Rakuten | 0 |
| friends and family of Talmon Marco | 0 |
| Gilman Louie | 0 |
| Juniper Networks | 0 |
| Breyer Capital | 0 |
| CME Group | 0 |
| Wargaming | 0 |
| Janus Friis | 0 |
| Iconical | 0 |
| Zeta Holdings Luxembourg | 0 |

General Stance

| Stance | Score |
| --- | --- |
| ✖️ Poor | -1 |
| ✔️ Good | 1 |

Positive Answer Preferred

| Answer | Score |
| --- | --- |
| ✖️ No | -1 |
| ✖️ Minimal | -0.5 |
| ❓ Somewhat | 0 |
| ❓ Unknown | 0 |
| ✔️ Mostly | 0.05 |
| ✔️ Yes | 1 |

Negative Answer Preferred

| Answer | Score |
| --- | --- |
| ✔️ No | 1 |
| ✔️ Minimal | 0.5 |
| ❓ Somewhat | 0 |
| ❓ Unknown | 0 |
| ✖️ Mostly | -0.5 |
| ✖️ Yes | -1 |

Jurisdictions

| Jurisdictions | Score |
| --- | --- |
| USA | -2 |
| Belgium | 0 |
| Finland | 0 |
| Ireland | 1 |
| the Netherlands | 0 |
| Chile | 0 |
| Taiwan | 0 |
| Singapore | 0 |
| AWS | -1 |
| Google Cloud | -1 |
| Denmark | 0 |
| Sweden | 0 |
| UK | 0 |
| Australia | 0 |
| Brazil | 0 |
| China | 0 |
| Hong Kong | -1 |
| Japan | 1 |
| Germany | 1 |
| Belize | 0 |
| Switzerland | 1 |
| Luxembourg | 1 |

Encryption Algorithms

| Algo | Score |
| --- | --- |
| AES 128 | 1 |
| AES 256 | 1 |
| ChaCha20 | 1 |
| Curve25519 | 1 |
| Curve25519 256 | 1 |
| ECDH512 | 1 |
| ECDSA 256 | 1 |
| HMAC-SHA256 | 1 |
| Poly1305-AES 128 | 1 |
| RSA 1280 | 1 |
| RSA 2048 | 1 |
| RSA-1536 | 1 |
| Salsa20 128 | 1 |
| SHA-1 | 1 |
| SHA-256 | 1 |
| XSalsa20 256 | 1 |