Are all encrypted chat apps equally secure?

February 13, 2019

These days, any popular instant messenger encrypts the transmitted messages; therefore, it doesn’t matter which service you use. Right? Not quite. For one thing, there are major differences in the type and scope of the encryption; for another, as important as encryption is, it is only one aspect of comprehensive security.

End-to-end encryption

The term “secure instant messenger” is typically used to refer to chat services that end-to-end encrypt the transmitted messages. This is to say that only the intended recipient can decrypt and read the messages, but not the service provider or any third party that might intercept the messages in transit. Not all popular chat services use this form of encryption. Even some of the services that are generally considered secure don’t use it by default or don’t apply it across the board.

A secure instant messenger should not just end-to-end encrypt selected single chats; it should use a well-established method to end-to-end encrypt any kind of communication, including voice calls, media files, group chats, and status messages.

Handling metadata

The way metadata is handled is just as important for comprehensive security as message encryption. “Metadata” is any information relating to the communication except the message content itself, e.g., identity of sender and recipient, their IP addresses, time, place, and frequency of communication, contact lists, group memberships, profiles, etc. This data makes it possible to draw insightful conclusions about the users, which is why certain companies systematically collect it and combine it with data from other sources. With the phone number as a common denominator, it’s particularly easy to map user data across different sources.

A secure instant messenger should only generate data that’s absolutely necessary for message exchange. Because where there is no data, no data can be misused.
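To make the metadata point concrete, here is an added example (not from the original article) that can be used when assessing what a relay could learn from message envelopes alone. The log records, the address-book dataset, the phone numbers and the random identifiers are all constructed for illustration, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample: what a relay server can record even when payloads are
# end-to-end encrypted. The payload is opaque ciphertext and is never read.
RELAY_LOG = [
    # (unix_time, sender, recipient, payload)
    (1550041200, "+15550100", "+15550101", b"\x8f\x02\xa1"),
    (1550041260, "+15550101", "+15550100", b"\x11\x9c\x7e"),
    (1550127600, "+15550100", "+15550101", b"\x42\xd0\x05"),
    (1550127900, "ABCD2345", "WXYZ6789", b"\x77\x1b\xe3"),  # random IDs
    (1550128000, "+15550100", "+15550102", b"\x9a\x00\x3c"),
]

# Constructed sample: an unrelated second data source keyed by phone number.
OTHER_SOURCE = {
    "+15550100": "Alice Example",
    "+15550101": "Bob Example",
    "+15550102": "Clinic Reception",
}


def contact_graph(log):
    """Count messages per unordered pair of identifiers, ignoring payloads."""
    pairs = Counter()
    for _time, sender, recipient, _payload in log:
        pairs[frozenset((sender, recipient))] += 1
    return pairs


def linkable(log, other_source):
    """Split identifiers in the log by whether they join to other_source."""
    seen = {ident for _t, s, r, _p in log for ident in (s, r)}
    linked = {i: other_source[i] for i in seen if i in other_source}
    unlinked = seen - set(linked)
    return linked, unlinked


if __name__ == "__main__":
    for pair, count in contact_graph(RELAY_LOG).most_common():
        print(sorted(pair), count)
    linked, unlinked = linkable(RELAY_LOG, OTHER_SOURCE)
    print("joins to other source:", linked)
    print("no join possible:", sorted(unlinked))
```

Who talks to whom, and how often, falls out of the envelopes without any decryption. Only the identifiers that are phone numbers can be matched against the second dataset.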

Security by design

In contrast to chat services that have introduced end-to-end encryption after the fact (and collect user data to this day), Threema was built from the ground up with security and metadata restraint in mind. For example, Threema can be used without disclosing any personal information because instead of a phone number (as with traditional messaging apps), an anonymous ID serves as unique identifier.

Besides encryption of messages and handling of metadata, the security of a chat service depends on several other factors. The independent website Secure Messaging Apps Comparison offers a detailed comparison of popular instant messengers based on a variety of such factors. Threema scores particularly well: It’s the service that ticks the most “nothing of concern” boxes.

Compare instant messengers on securemessagingapps.com