Overview

| Messenger | Google Messages | iMessage (Apple) | Facebook Messenger | Element (Matrix) | Signal | Skype (Microsoft) | Telegram | Threema | Viber | WhatsApp (Facebook) | Wickr Me (Amazon) | Wire | Session | SimpleX | Twitter |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Is the app recommended to secure my messages and attachments? | No | No | No | No | Yes | No | No | Yes | No | No | No | Yes | Yes | Yes | No |
| Main reasons why the app isn't recommended / Improvements to apps that are recommended | Named as NSA partner in Snowden revelations; Makes money from personal data; Data not protected, not all data protected; No independent, recent code audit and security analysis | Named as NSA partner in Snowden revelations; Data not protected, not all data protected; No independent, recent code audit and security analysis | Named as NSA partner in Snowden revelations; Encryption not enabled by default; Makes money from personal data; Data not protected, not all data protected; No independent, recent code audit and security analysis | No independent, recent code audit and security analysis | Remove the mandatory requirement for users to sign up with a mobile number | Named as NSA partner in Snowden revelations; Encryption not enabled by default; Makes money from personal data; Data not protected, not all data protected; Closed source | Bespoke cryptography; Encryption not enabled by default; Data not protected, not all data protected | Make APIs and server code open source; Provide more comprehensive independent assessments of security/privacy | Data not protected, not all data protected; No independent, recent code audit and security analysis; Closed source | Named as NSA partner in Snowden revelations; Messages can be read by Facebook if marked as "abusive"; Makes money from personal data; Data not protected, not all data protected; No independent, recent code audit and security analysis; Closed source | Former NSA chief Keith Alexander is on Amazon's board of directors; Funded by the CIA; Recent security audits are not public; Has contracts with the US government; Closed source | Further limit metadata storage and logging; Provide more comprehensive independent assessments of security/privacy | Implement perfect forward secrecy at the end-to-end encryption layer; Provide more comprehensive independent assessments of security/privacy | Provide more comprehensive independent assessments of security/privacy | End-to-end encryption not implemented for all users and group chats; No implementation details; No comprehensive independent assessments of security/privacy; Closed source |

Details

| Messenger | Google Messages | iMessage (Apple) | Facebook Messenger | Element (Matrix) | Signal | Skype (Microsoft) | Telegram | Threema | Viber | WhatsApp (Facebook) | Wickr Me (Amazon) | Wire | Session | SimpleX | Twitter |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Company jurisdiction | USA | USA | USA | UK | USA | USA | USA / UK / Belize / UAE | Switzerland | Luxembourg / Japan | USA | USA | USA / Switzerland | Switzerland | UK | USA |
| Implicated in giving customers' data to intelligence agencies? | Yes | Yes | Yes | No | No | Yes | No | No | No | Yes | No | No | No | No | Yes |
| Surveillance capability built into the app? | No | No | No | No | No | Yes | No | No | No | No | No | No | No | No | No |
| Does the company provide a transparency report? | Yes | Yes | Yes | No | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | Yes |
| Company's general stance on customers' privacy | Poor | Poor | Poor | Good | Good | Poor | Poor | Good | Poor | Poor | Poor | Good | Good | Good | Poor |
| Company collects customers' data? | Poor | Poor | Poor | Good | Good | Poor | Poor | Good | Poor | Poor | Poor | Good | Good | Good | Poor |
| Funding | Google | Apple | Facebook | New Vector Limited | Freedom of the Press Foundation; The Knight Foundation; The Shuttleworth Foundation; The Open Technology Fund; Signal Foundation (Brian Acton) | Microsoft | Pavel Durov | User pays / Afinum Management AG | Rakuten; Friends and family of Talmon Marco (very unclear) | Facebook | Amazon; the CIA | Janus Friis; Iconical; Zeta Holdings Luxembourg; Morpheus Ventures | LAG Foundation Ltd | Venture Capital fund Village Global | Twitter |
| App collects customers' data? | Yes (difficult to assess given the app is integrated into Google's greater ecosystem) | Yes (difficult to assess given the app is integrated into Apple's greater ecosystem) | Health & fitness / purchases / financial info / location / contact info / contacts / user content / search history / browsing history / identifiers / usage data / sensitive info / diagnostics / other data | Contact info / contacts / identifiers / diagnostics / user content (contact info not sent when using anonymously) | Contact info | Identifiers / contact info / user content / usage data / diagnostics | Contact info / contacts / identifiers | Contact info / identifiers / diagnostics (contact info not sent when using anonymously) | Location / identifiers / purchases / contact info / contacts / usage data / user content / diagnostics | Purchases / financial info / location / contact info / contacts / user content / identifiers / usage data / diagnostics | Contact info / identifiers / diagnostics (contact info not sent when using anonymously) | Contact info / identifiers / usage data / diagnostics | No | No | Purchases / location / contact info / contacts / user content / search history / browsing history / identifiers / usage data / diagnostics |
| User data and/or metadata sent to parent company and/or third parties? | Yes | Yes | Yes | No (user data is sent to a third party if a payment is made) | Minimal (mandatory mobile number sent to third party for registration & recovery) | Yes | Yes | No (optional mobile number sent to third party for registration) | Yes | Yes | No (optional mobile number sent to third party for registration) | Yes | No | No | Yes |
| Is encryption turned on by default? | Yes | Yes | No | Yes | Yes | No | No | Yes | Yes (if device supports it) | Yes (if device supports it) | Yes | Yes | Yes | Yes | No |
| Cryptographic primitives | Curve25519 / AES-256 / HMAC-SHA256 | P-256 ECDH & Kyber-768/1024 / AES-256 / HMAC-SHA384 | Curve25519 / AES-256 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | Curve25519 & Kyber-1024 / AES-256 / HMAC-SHA256/512 | Curve25519 / AES-256 / HMAC-SHA256 | RSA 2048 / AES 256 / SHA-256 | Curve25519 256 / XSalsa20 256 / Poly1305-AES 128 | Curve25519 256 / Salsa20 128 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | ECDH512 / AES-256 / HMAC-SHA256 | Curve25519 / ChaCha20 / HMAC-SHA256 | X25519 / XSalsa20 256 / Poly1305 | Curve25519 & sntrup761 1158 / XSalsa20 256 / Poly1305 | |
| Are the app and server completely open source? | No | No | No | Yes (clients Element / Riot, server/API matrix.org) | Yes | No | No (clients and API only) | No (apps only) | No | No | No | Yes | Yes | Yes | No |
| Are reproducible builds used to verify apps against source code? | No | No | No | No | Android only | No | iOS and Android | Android only | No | No | No | No | No | No | No |
| Can you sign up to the app anonymously? | No | No | No | Yes | No | No | No | Yes | No | No | Yes | No | Yes | Yes | No |
| Can you add a contact without needing to trust a directory server? | N/A (Google Messages uses RCS, which doesn't use a directory service) | No | No | No | No | No | No | Yes | Yes | No | No | No | Yes | Yes | No |
| Can you manually verify contacts' fingerprints? | Yes | Yes | Yes | Yes | Yes | No | No (session only, does not provide users' fingerprint information) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Directory service could be modified to enable a MITM attack? | N/A (Google Messages uses RCS, which doesn't use a directory service) | No | No | No | No | No | No | No | No | No | No | No | No | No | No |
| Is personal information (mobile number, contact list, etc.) hashed? | N/A (Google Messages uses RCS, which doesn't use a directory service) | No | No | Yes | Mostly | No | No (session only, does not provide users' fingerprint information) | Yes | No | No (setting turned off by default) | Yes | Mostly | N/A | N/A | |
| Does the app generate & keep a private key on the device itself? | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| Can messages be read by the company? | No | No | Yes | No | No | Yes | Yes | No | No | Yes | No | No | No | No | |
| Does the app enforce perfect forward secrecy? | Yes | Yes | Yes | Yes | Yes | Yes | No (session keys do change after being used 100 times) | Yes | Yes | Yes | Yes | Yes | No | Yes | |
| Does the app use TLS/Noise to encrypt network traffic? | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Have there been a recent code audit and an independent security analysis? | No | No | No | No (Matrix's encryption library reviewed by an independent party) | Yes (many in the last few years) | No | Yes (November 2015) | Yes (October 2020) | No | No | Yes (August 2014) | Yes (March 2018) | Yes (April 2021) | Yes (November 2022) | No |
| Is the design well documented? | No | Somewhat | Somewhat | Somewhat | Somewhat | No | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat | No |
| Does the app have self-destructing messages? | No | No | Yes | No | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

For the following criteria the source lists fewer values than there are apps, so the values cannot be assigned to individual apps; they are given in the order the source lists them.

| Criterion | Values as listed in the source |
|---|---|
| Infrastructure jurisdiction | Worldwide (rollout on-going, unsure of exact locations, most likely Google Cloud regions); USA (Ireland and Denmark planned), iMessage runs on AWS and Google Cloud; USA, Sweden (Ireland planned); UK (and potentially all jurisdictions, given it's a decentralised messaging platform); USA; USA, the Netherlands, Australia, Brazil, China, Ireland, Hong Kong, and Japan; UK, Singapore, USA, and Finland; Switzerland; USA; USA (unsure of other locations); USA (unsure of other locations); Messages: Worldwide (uses de-centralised servers), Attachments: Centralised server in Canada; Worldwide (uses de-centralised servers); yes; USA, worldwide (unsure of other locations) |
| Do you get notified if a contact's fingerprint changes? | Yes; Yes; Yes; No; No (session only, does not provide users' fingerprint information); Yes; Yes; No (setting turned off by default); Yes; If contact was previously verified; N/A; N/A |
| Does the app encrypt metadata? | No; No; No; Yes; No; No; Yes; No; Yes; Mostly; Yes; Yes |
| Does the app use certificate pinning? | Yes (>= iOS 9.3); Yes; Yes; Yes; Yes; Yes |
| Does the app encrypt data on the device? (iOS and Android only) | No; Yes (if passphrase enabled); Yes; Yes (if passphrase enabled); iOS: Yes (if passphrase enabled), Android: Yes (if master key set in the app); iOS: Yes (if passphrase enabled), Android: Yes (unsure of function); Yes; Yes; Yes |
| Does the app allow local authentication when opening it? | No; No; Yes; No; Yes; No; Yes; Yes; No; Yes; Yes; Yes; Yes |
| Are messages encrypted when backed up to the cloud? | Yes (>= Android P); Yes; Yes; N/A, Signal is excluded from iCloud/iTunes & Android backups; Yes; iOS: Yes, Android: Yes; N/A, Wickr is excluded from iCloud/iTunes & Android backups; N/A, Wire is excluded from iCloud/iTunes & Android backups; N/A, Session is excluded from iCloud/iTunes & Android backups |
| Does the company log timestamps/IP addresses? | Yes; Yes; No; Yes; Yes; No; Yes; Yes; No; Some; No; No; Yes |

Source code: Mike Kuketz | CC BY-NC-SA 4.0