| Date | Change | Reason |
|---|---|---|
| 10/16 | First release of the site | |
| 10/16 | "Does the company provide a transparency report" for Signal changed from "No" to "Yes" | Open Whisper Systems have effectively published a transparency report |
| 10/16 | "Does the app have self-destructing messages" for Signal changed from "No" to "Yes" | Signal now supports self-destructing messages |
| 10/16 | Added initial assessment of Facebook Messenger | Facebook Messenger now supports encrypted messages |
| 10/16 | "Does the app have self-destructing messages" for Wire changed from "No" to "Yes" | Wire now supports self-destructing messages |
| 10/16 | Moved site to Cloudflare CDN, enabled caching | Site loaded too slowly outside of Australia/NZ |
| 11/16 | Site now has a maximum width of 1920 pixels | Main table width was restricted on widescreen monitors |
| 11/16 | Added that the messaging part of Signal is fully open source (client and server); however, the phone call part is not (client only) | Clarification |
| 11/16 | Changed "Can the messages be read by the company?" for Skype from "Very likely" to "Yes" | There's enough evidence to suggest that Microsoft can read Skype messages |
| 11/16 | Added "Does the app use certificate pinning" for Wire to "Yes" | Thanks to the Wire team for clarification |
| 11/16 | Changed "Do you get notified if a contact's fingerprint changes?" for Wire from "No" to "Sometimes" | Wire does notify users if they've previously verified the fingerprint; thanks to the Wire team for clarification |
| 11/16 | Added "Are messages encrypted when backed up to the cloud?" for Wire | Thanks to the Wire team for clarification |
| 11/16 | Changed "Does the app use TLS to encrypt network traffic?" for Telegram from "Yes" to "No" | Telegram uses its own protocol |
| 12/16 | Happy New Year! The first column is now fixed | It's easier to browse through the table when the first column (app name) is fixed |
| 12/16 | Added Viber assessment | It's long overdue |
| 12/16 | Added "Does the company log timestamps/IP addresses?" for Google Allo | It's pretty clear from Google's privacy policy that they collect this information |
| 12/16 | Added "Does the app allow a secondary factor of authentication?" for Google Allo | The app doesn't provide 2-factor authentication |
| 01/17 | Instead of the first column being fixed, the header is now fixed | It's easier to browse through the table when the first header (app name) is fixed |
| 01/17 | Added "Does the company log timestamps/IP addresses?" for Skype | It's pretty clear from Microsoft's privacy policy that they collect this information |
| 01/17 | Moved the Messenger column so that the apps are rated in alphabetical order | Readability |
| 01/17 | Added on the About page that Wire can also be used without Google Cloud Messaging | Thanks to the Wire team for clarification |
| 01/17 | Clarified in "Ratings" that although Apple encrypt iCloud backups, they have access to the encryption key and can hence read iMessages that have been backed up to iCloud | Clarification |
| 01/17 | Changed "Does the company provide a transparency report?" for Threema from "No" to "Yes" | Threema does provide a transparency report; thanks to the Threema team for clarification |
| 01/17 | Added two more investors under "Funding" for Wire | Both Janus Friis & Zeta Holdings Luxembourg, along with Iconical, fund Wire |
| 01/17 | Changed "Infrastructure jurisdiction" from "Switzerland" to "EU" for Wire | Wire is hosted in the EU (appears to be in Ireland) |
| 01/17 | Changed the rating "Does the app use TLS to encrypt network traffic?" to "Does the app use TLS/Noise to encrypt network traffic?" | Whatsapp uses Noise for transport layer authentication and encryption; Signal probably uses it, too (couldn't find any information to confirm this) |
| 01/17 | Added a FAQ to the "About" page | I've received a few emails asking similar questions |
| 02/17 | Changed "Has there been a recent code audit and security analysis?' for Wire from "No" to "Yes" | Wire has now been independently audited; thank you to the Wire team and others for letting me know |
| 02/17 | Under cryptographic primitives, I've changed any app that uses SHA-1 to red | SHA-1 has been broken by Google; they have published two files with the same SHA-1 hash |
| 02/17 | Changed "Are the app and server completely open source?" for Signal from "Yes (messaging is but phone calls is not)" to "Yes" | Open Whisper Systems have released the source code for phone calls and video calling |
| 03/17 | Changed "Does the app allow a secondary factor of authentication?" for Wire from "No" to "Yes" | Wire now supports Touch ID on iOS |
| 03/17 | Added "Does the app encrypt data on the device?" for Wire | It's clear from Wire's security whitepaper that they encrypt data on iOS and Android |
| 08/17 | Changed "Company jurisdiction" for Telegram from "Germany" to "US / UK / Belize" | Telegram isn't a registered company in Germany; it is registered in the US, the UK, and Belize through a complex structure of shell companies |
| 08/17 | Changed "Infrastructure jurisdiction" for Wire from "EU (appears to be in Ireland)" to "Germany / Ireland" | Wire's servers are hosted on AWS in Germany and Ireland |
| 08/17 | Changed "Are the app and server completely open source?" for Wire from "No (clients only) to "No (clients, protocol, and API only; server partially open source)" | Wire have begun to open source their server code |
| 08/17 | Changed "Does the app allow a secondary factor of authentication?" for Whatsapp from "No" to "Yes" | Whatsapp have rolled out two factor authentication |
| 08/17 | Changed "Are messages encrypted when backed up to the cloud?" from "No" to "iOS: Yes; Android: No" | Whatsapp iCloud backups are now encrypted; Android backups on Google's cloud remain unencrypted |
| 11/17 | Changed "Are the app and server completely open source?" for Wire from "No (clients, protocol, and API only; server partially open source)" to "Yes" | Wire have made their server code open source; thanks to the Wire team for reaching out |
| 11/17 | Changed "Company's general stance on customers' privacy" for Telegram from "Good" to "Poor" | Telegram isn't designed to protect users' data by default, does not use strong security/encryption |
| 02/18 | Added assessment of Riot | The assessment was requested 20+ times |
| 02/18 | Added "Signal Foundation (Brian Acton)" Funding for Signal | Signal have created the "Signal Foundation"; Brian Acton has given $50 million USD to the foundation and sits on its board |
| 05/18 | Changed "Have there been a recent code audit and independent security analysis?" for Wire to "March, 2018" | Wire has had another round of independent audits; thanks to the Wire team for reaching out |
| 05/18 | Changed "Are the app and server completely open source?" for Riot from "No (clients and API only;)" to "Yes" | Riot uses Matrix's home server by default |
| 05/18 | Changed "Cryptographic primitives" for Telegram from "RSA 2048 / AES 256 / SHA-1" to "RSA 2048 / AES 256 / SHA-256" | Telegram's new protocol uses SHA-256 |
| 01/21 | Added Big Tech's names to the main row | Emphasise which companies own which apps |
| 01/21 | Changed "Have there been a recent code audit and an independent security analysis?" for Threema from "Yes, (November, 2015)" to "Yes, (October, 2020)" | Threema had an independent analysis conducted in October, 2020 |
| 01/21 | Changed "Infrastructure jurisdiction" for Wire from "Germany / Ireland" to "EU" | Wire's website states that its servers are in the EU |
| 01/21 | Replaced Google Allo with Google Messages | Google retired Allo in March, 2019 |
| 01/21 | Introduced "Reproducible builds" as part of the assessment | Reproducible builds prove apps in app stores were compiled with published source code |
| 01/21 | Changed "Are the app and server completely open source?" for Threema from "No" to "No apps only" | Threema released its source code for iOS and Android apps |
| 01/21 | Changed "Funding" for Threema from "User pays" to "User pays, Afinum Management AG" | Threema introduced a new business partner |
| 01/21 | Changed "Company jurisdiction" for Telegram from "USA / UK / Belize" to "USA / UK / Belize / UAE" | Telegram developers work out of Dubai, although their complex set of shell companies is beyond my legal understanding |
| 01/21 | Changed "App collects customers' data?" to align with permissions granted from the Apple Store | Now aligned to recent articles about Whatsapp's foreseeable privacy policy change |
| 01/21 | Renamed "Riot" to "Element" | |
| 01/21 | Changed "Are messages encrypted when backed up to the cloud?" from empty to "Yes" | Element encrypts the data with a user-supplied key |
| 01/21 | Changed "Is encryption turned on by default?" for Element from "No" to "Yes" | Element enabled default end-to-end encryption last year |
| 01/21 | Changed "Does the app encrypt data on the device? (iOS and Android only)" for Element from empty to "Yes" | Thank you to Element for reaching out |
| 01/21 | Changed "Is personal information (mobile number, contact list, etc.) hashed?" for Element from empty to "No" | App permissions hint that Element does not hash this data |
| 01/21 | Changed "Does the app have self-destructing messages?" for Viber from "No" to "Yes" | Viber introduced self-destructing messages last year |
| 01/21 | Introduced "User data and/or metadata sent to parent company and/or third parties?" as part of the assessment | Whatsapp will change its privacy policy to send data to its parent company (Facebook) |
| 01/21 | Added "Merlin International / Lytical Ventures" to funding for WIckr | Thank you to Wickr for reaching out |
| 01/21 | Changed "User data and/or metadata sent to parent company and/or third parties?" for Wickr from empty to "No (optional mobile number sent to third party for registration)" |
Thank you to Wickr for reaching out |
| 01/21 | Changed "Do you get notified if a contact's fingerprint changes?" for Wickr from "No" to "Yes" | Thank you to Wickr for reaching out |
| 01/21 | Changed "Are messages encrypted when backed up to the cloud?" for Wickr from empty to "N/A, Wickr is excluded from iCloud/iTunes & Android backups" | Thank you to Wickr for reaching out |
| 01/21 | Changed "Does the app have self-destructing messages?" for Whatsapp from "No" to "Yes" | Whatsapp now has self destructing messages |
| 01/21 | Added an "Overview" and "Details" section | Attempted to make it more obvious that the first row is a recommendation |
| 01/21 | Added Session assessment | After many requests, I decided to assess Session |
| 01/21 | Changed "Does the app allow a secondary factor of authentication?" for Signal from "No" to "Yes" | Signal offers second factor authentication through the device's fingerprint authentication |
| 01/21 | Changed "Is personal information (mobile number, contact list, etc.) hashed?" for Element / Riot from "No" to "Yes" | Element / Riot hashes contact details |
| 01/21 | Changed "Have there been a recent code audit and an independent security analysis?" for Element / Riot from "No" to "No (Matrix's encryption library reviewed by an independent party)" | Element / Riot have had Matrix's encryption library reviewed; however, their apps and infrastructure have not been assessed |
| 01/21 | Added "Main reasons why the app isn't recommended?" | |
| 01/21 | Changed "Is encryption turned on by default?" for Skype from "Yes" to "No" | Skype encryption isn't enabled by default. |
| 01/21 | Changed "Does the app use certificate pinning?" for Wickr Me from "No" to "Yes" | Wickr Me does SSL pinning |
| 01/21 | Changed "Company jurisdiction" for Wire from "Switzerland" to "USA / Switzerland" | Wire has its holding company, Wire Holdings Inc, located in the US |
| 01/21 | Changed "Funding" for Wire from "Janus Friis / Iconical / Zeta Holdings Luxembourg" to "Janus Friis / Iconical / Zeta Holdings Luxembourg / Morpheus Ventures" | Wire raised $8.2 million USD from Morpheus Ventures |
| 04/21 | Completed the Session assessment | Thank you to the Session team for answering my questions |
| 06/21 | Changed "Funding" for Wickr Me to "Amazon" | Amazon acquired Wickr |
| 06/21 | Added "Former NSA chief Keith Alexander is on Amazon’s board of directors" to "Main reasons why the app isn't recommended" for Wickr Me | Amazon acquired Wickr; Amazon is deeply connected to the US government and hence cannot be trusted |
| 06/21 | Changed "Company's general stance on customers' privacy" for Wickr Me from "Good" to "Poor" | Amazon acquired Wickr, and Amazon does not have a great record at securing people's data (e.g., Ring and Alexa) |
| 06/21 | Changed "Company collects customers' data?" for Wickr Me from "No" to "Yes" | Amazon acquired Wickr, and Amazon collects users' data |
| 10/21 | Changed "Have there been a recent code audit and an independent security analysis?" for Session from "No" to "Yes (April 2021)" | Session was independently assessed |
| 10/21 | Changed "Does the app enforce perfect forward secrecy?" for Session from "Yes" to "No" | Session implements the Signal protocol with a few exceptions, including PFS |
| 10/21 | Changed "Infrastructure jurisdiction" for Session from "Attachments: Centralised server in the US" to "Attachments: Centralised server in Canada" | Session's attachment server is in Canada |
| 10/21 | Changed "Improvements to apps that are recommended" for Session to "Implement perfect forward secrecy at the end-to-end encryption layer / Provide more comprehensive independent assessments of security/privacy" | Session was independently assessed; attachments are end-to-end encrypted |
| 10/21 | Changed "Are messages encrypted when backed up to the cloud?" for Session from "No" to "N/A, Session is excluded from iCloud/iTunes & Android backups" | Session is excluded from iOS and Android backups |
| 10/21 | Changed "Funding" for Wickr Me from "Amazon" to "Amazon / CIA" | Wickr Me accepted $1.6 million USD from the CIA before being bought by Amazon |
| 10/21 | Added "Funded by the CIA" for Wickr Me to "Main reasons why the app isn't recommended" | You can't make up this nonsense; do not use Wickr Me |
| 10/21 | Changed "Are messages encrypted when backed up to the cloud?" for WhatsApp to "iOS: Yes / Android: Yes" | WhatsApp backups are now end-to-end encrypted |
| 10/21 | Changed "Can messages be read by the company?" for WhatsApp from "No" to "Yes" | "Abusive" messages can be forwarded to a moderator for review |
| 10/21 | Added "Messages can be read by Facebook if marked as "abusive" for WhatsApp to "Main reasons why the app isn't recommended" | "Abusive" messages can be forwarded to a moderator for review |
| 02/23 | Changed "Does the app enforce perfect forward secrecy?" for Threema from "No" to "Yes" | Threema have implemented PFS in their new ibex protocol: https://threema.ch/en/blog/posts/ibex |
| 03/24 | Clarified app authentication rating | It wasn't clear that I meant local authentication on the app itself, not the user's account |
| 03/24 | Added initial assessment of Simplex | |
| 03/24 | Added initial assessment of Twitter DMs | |
| 03/24 | General update to Skype | Skype uses Signal's protocol for private messages |
| 03/24 | Updated iMessage and Signal's cryptographic primitives | iMessage and Signal now use "post quantum" key exchange protocols |
| 03/24 | Many general updates | - iMessage contact verification - Signal assessments |
| 09/24 | Changed "Does the company provide a transparency report?" for Simplex from "No" to "Yes." | Simplex now has a transparency report |
| 09/24 | Changed "Does the company log timestamps/IP addresses?" for Simplex from "Yes" to "No" | Simplex implemented private IP routing |
| 09/24 | Changed "Is the app recommended to secure my messages and attachments?" for Simplex from "Needs further consideration and feedback" to "Yes" | Simplex now meets the criteria for "Yes" |
| 09/24 | Changed "Main reasons why the app isn't recommended" from "Provide a transparency report" to "Provide more comprehensive independent assessments of security/privacy" | Simplex now meets the criteria for "Yes" |
| 09/24 | Added quantum resistant cryptographic primitive for Simplex | Simplex uses sntrup761 for both key exchange and the double ratchet |