
A Brief Comparison of Secure Messaging Apps

We are in a period where personal security is of rising concern. Data protection is no longer essential only to network admins in corporations and government entities; even people who have never heard of the deepweb are becoming conscious of it. Because of this, companies are starting to release tools and software that make data security easier for the layman. Three of the most popular tools take the form of mobile apps, and I’ll be discussing their pros and cons in this article. Two of them are mobile messaging applications; the third doesn’t quite fall under the same category: it’s a secure email service with mobile access.

Wickr

First we have Wickr. I’ll skip through most of the introductory information on this company/service and cut directly to the chase. The most concerning piece of the picture is that Wickr is not open source and their documentation of the security and encryption process is essentially non-existent. No company is inherently required to document its security process or be completely open with its software, but the less we know about a service, the more cautious we should be. There is no way to verify any of their claims.

Here are some of the features they mention Wickr has:

Secure: Send and receive secure messages, documents, pictures, videos and audio files.

Anonymous: Your conversations cannot be tracked, intercepted or monitored. Your Wickr ID is anonymous to us and anyone outside your Wickr network.

No Metadata: Wickr removes all records, geotags, and identifying information from your messages and metadata.

Shredder: Irreversibly remove all deleted messages, images and video content from your device.

Configurable timer: Set the expiration time on all your messaging content.


Without being able to have their software and process analyzed, there is literally no way to confirm whether or not their claims are even remotely truthful. The UI of the app doesn’t even encourage users to be secure. Reddit user Maqp wrote a paper on Wickr in which he points out that the fingerprint verification is very poorly implemented, along with a few other quality-of-life issues that raise good points about security.

Fingerprint verification is hidden behind a tap on the user avatar. Anyone who doesn’t know better won’t be using the feature. Since the lock icon is the same color as all symbols, there’s no way to immediately figure out that the security is not at an adequate level.


The app has several other concerning features, separate from the question of whether the app is even slightly secure, and I’d recommend checking out the article I linked to. One feature that is always pointed out whenever a service offers it is “file shredding,” so to speak. Wickr allows users to set a timer on the messages they send and have them self-destruct after they’ve been read. This is somewhat deceptive to the unaware user, because there’s literally nothing stopping the receiving user from taking a picture of the message or saving it some other way. Back when I used Wickr, years ago, I remember there being a way to screenshot messages, and I had to utilize it a handful of times to save things like addresses and .onion.top URLs that were hard to remember.

Opinion on Wickr: don’t use it.

Anyway, I think I’ve made my point and to keep this brief I will move on to ProtonMail.

ProtonMail

When I finally got an invite to join ProtonMail back when they weren’t entirely public and were conducting small-ish beta trials, I was incredibly excited as they looked very promising.


The service started as a web-based email program with end-to-end encryption. Unlike some other security services, ProtonMail didn’t come up with their own encryption algorithms or create new protocols; they used the tried and true PGP encryption. I’ll run you through a list of their claims and features as briefly as possible, because it is quite an extensive list. When it comes to security, that is never a bad thing.

Since I’ll be skipping over some of the features, I’d highly recommend that you head over to their website and take a look for yourself.

They obviously use end-to-end encryption, which they claim is entirely anonymous. They claim that none of your data is logged by their servers. This one is a little fishy. In the past, anonymous mail services that claimed not to log user traffic have been proven to be lying, even if they were doing it innocently. I would not count on this being 100% certain.

I do believe they are far more worried about security and take greater lengths to protect user information than almost any other similar service that exists right now.


They claim the server never sees plaintext messages. While this may be true in practice, a risk remains even if all encryption happens in the user’s browser: the encryption relies on the JavaScript code the server sends you in the first place, so you are trusting the server to deliver honest code every session. They use SSL-secured connections, so it’s very unlikely that their JavaScript could be tampered with in transit, but that doesn’t stop the server itself from keeping private logs.

Completely open source cryptography is used. This is reassuring.

We use only secure implementations of AES, RSA, along with OpenPGP. Furthermore, all of the cryptographic libraries we use are open source. By using open source libraries, we can guarantee that the encryption algorithms we are using do not have clandestinely built in back doors. ProtonMail’s open source software has been thoroughly vetted by security experts from around the world to ensure the highest levels of protection. Source.

They too have self-destructing messages. Pretty much a gimmick at this point.

They claim you are able to securely communicate with non-@ProtonMail addresses, and you can. I wouldn’t make a habit of it, though. They detail the process here:

We support sending encrypted communication to non-ProtonMail users via symmetric encryption. When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser, which they can decrypt using a passphrase that you have shared with them. You can also send unencrypted messages to Gmail, Yahoo, Outlook and others, just like regular email. Source.

Aside from being Swiss-based, which sounds good, one of the more interesting parts of ProtonMail is the literal hardware security. It’s pretty impressive. I’m not sure how well it translates to our daily needs and uses, but it’s intriguing.

We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland so your data never goes to the cloud. Our primary datacenter is located under 1000 meters of granite rock in a heavily guarded bunker which can survive a nuclear attack. This provides an extra layer of protection by ensuring your encrypted emails are not easily accessible to any third parties. On a system level, our servers utilize fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized.

And

All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and corporations. As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have. Source.


Overall, I am very impressed with ProtonMail. They are currently the best option for encrypted email, in my opinion. They’ve been endorsed by a few big names in the security industry and have a decent threat model. I use them daily for what they recommend you use them for.

Opinion on ProtonMail: use it the way they recommend, and not, to put it in their terms, if “you are Edward Snowden, or the next Edward Snowden, and have a life and death situation that requires privacy, we would not recommend using ProtonMail.”

On to Signal.

Signal is best considered the more modern version of Wickr. Because Edward Snowden endorsed Signal, it has some traction in the secure messaging field. Now, I would never blindly trust anything just because someone with some clout recommended it, but Snowden is one of the biggest security-related household names, and for good reason.


They openly state what their app offers (there is a desktop client too, but it requires pairing with an Android phone). A major difference between Signal and Wickr is that Signal is completely open source. Anyone can fact check the claims they make. Anyone can make sure that there are no backdoors in the software that were forced there by the NSA or any spying eyes.

Unlike Wickr and ProtonMail, there is no account or password stored on a server; everything is tied to your device and phone number. The app is easy to use. The EFF gives Signal a perfect score, and it is one of a few services that checks all of the boxes. Here is the EFF Scorecard for your own examination, and here’s what they received points for.

They received points for having communications encrypted in transit, having communications encrypted with keys the providers don’t have access to (end-to-end encryption), making it possible for users to independently verify their correspondent’s identities, having past communications secure if the keys are stolen (forward secrecy), having their code open to independent review (open source), having their security designs well-documented, and having recent independent security audits. (Wikipedia)

The NSA has stated that Signal is a major headache for them:

On December 28, 2014, Der Spiegel published slides from an internal NSA presentation dating to June 2012 in which the NSA deemed RedPhone [Signal before the merging of two apps] on its own as a “major threat” to its mission, and when used in conjunction with other privacy tools such as Cspace, Tor, Tails, and TrueCrypt was ranked as “catastrophic,” leading to a “near-total loss/lack of insight to target communications, presence…”


The mobile app is one of the best examples of how to make it easy for a user to verify the end-to-end encryption. The UI is simple and straightforward. You are made aware of any changes in the fingerprint of the person you are communicating with. Voice calls work exceedingly well.

The downside to this model is that you are required to know the phone number of the recipient. So, this works far less well for communicating with people you want to keep your identity from, say, contacts from the deepweb. It’s much better for communicating with individuals you know and trust. I have virtually nothing bad to say about Signal, and they have by far the most open project I have ever seen.

Opinion on Signal: use it. It has limitations though, and may not be as useful for all of your needs, depending on who you communicate with.

To conclude, I would recommend that one never put all of their trust into a service or app. There is always something that could go wrong. But there are times when manually sending, receiving, encrypting and decrypting PGP messages is not viable or even possible, and it’s useful to know your options. We aren’t ever safe, but Signal and ProtonMail currently hold the award for being two of the safest projects that are made simple enough for someone’s mother to use, in my opinion.

8 comments

    • Except there is no secure messaging on any mobile platform like a phone. Signal secures the content of your message, but not the fact that you sent it or who it was sent to. If you are on a cell or have GPS on, your location at the time the message is sent. More than enough metadata is sent for social networking software to scope you out. On the deep dark web, the only way to use PGP with any safety is to *not* send anything on a cell ever. Cell phones are like shouting across a crowded room while using semaphore flags.

      • Groucho Marx

        The server cannot see what you sent since it is end to end encrypted. Someone viewing your data can only see that encrypted traffic went INTO the signal network (assuming you have no VPN or Tor on your mobile). Signal cannot SEE what you sent but if logging can see “who” (phone # hash) you sent it to. Also assuming you didn’t just break the SIM card after registration (remembering to block apps access to IMSI/IMEI from that apps setting).

      • Technologically, the Signal protocol hasn’t figured out how to hide metadata and no one else has either.

        What this practically means is that if the operators of Signal’s servers were malicious, they could log all the logs of when messages or calls were made between whom and for how long, but they would not be able to access the content because it’s end-to-end encrypted.

        However, Whisper Systems, the owners and operators of Signal, have proven themselves recently to be doing everything possible to mitigate the logging of metadata and in response to a recent government request handed over essentially useless information that contained no metadata at all, because they’re choosing not to log it.

        https://whispersystems.org/bigbrother/eastern-virginia-grand-jury/

        Because of this and the other obvious advantages talked about in the article, Signal is without a doubt the most secure technological communication platform in world history, with no exaggeration.

  1. What about Threema?

  2. My only concern with Signal is that messages don’t destruct after a set time. Yeah I know, it’s possible to screen shot messages in apps like Wickr, but that’s extra work; the real concern is people just forgetting to delete threads in most cases. I’d also be curious what others think of Threema, again, no message destruct feature, but they boast about their encryption/Swiss affiliation, and so on.

  3. You have no idea what you are talking about with Wickr shredder…

    First off Wickr’s secure shredder works to delete the keys as well as expired messages so they are forensically irrecoverable. This is HUGE; that means that if someone is trying to scrape your phone and recover previous convos they can’t. No other apps do that.

    As for the screenshots, anyone can take a pic of the phone with another phone. Wickr at least provides a screenshot notification. They disabled screenshots on Android, but iOS doesn’t let developers do that, so… It’s a matter of communicating with people you trust.

    Your analysis of Wickr misses the point. It’s by far the most secure option for communicating with trusted parties, and it doesn’t require you to put in your phone or email. You can be truly anonymous.

    Signal is not as secure.
