Messaging applications have been around for a long time, but the proliferation of mobile devices has seen this area of communication expand rapidly, with literally hundreds of messaging apps now available to download.
The EFF (Electronic Frontier Foundation) has recently completed a series of tests to ascertain which messaging apps are secure and which are not.
In the face of widespread Internet surveillance, we need a secure and practical means of talking to each other from our phones and computers. Many companies offer “secure messaging” products—but are these systems actually secure? We decided to find out, in the first phase of a new EFF Campaign for Secure & Usable Crypto.
The EFF’s testing set out to answer the following questions:
- Is your communication encrypted in transit?
- Is your communication encrypted with a key the provider doesn’t have access to?
- Can you independently verify your correspondent’s identity?
- Are past communications secure if your keys are stolen?
- Is the code open to independent review?
- Is the crypto design well-documented?
- Has there been an independent security audit?
An expanded description of the criteria and methodology is available toward the bottom of the page here: https://www.eff.org/secure-messaging-scorecard
EFF – The Majority of Messaging Apps are Insecure
The EFF tested 39 messaging apps in total and the majority failed miserably, with only 6 apps passing all 7 tests. They are:
- ChatSecure + Orbot – open source encrypted chat for iPhone and Android
- CryptoCat – available for iPhone, OS X, and popular browsers
- Signal – available for iPhone only
- Silent Phone – available for iOS and Android
- Silent Text – available for iOS and Android
- TextSecure – Android only
Some of the more popular apps fared as follows: AIM, BlackBerry Messenger and Yahoo Messenger all scored 1 out of a possible 7. Facebook Chat, Google Hangouts, Skype, Snapchat, and WhatsApp all scored 2 out of 7.
Not all 7 tests conducted by the EFF will be considered of equal importance; it’s somewhat subjective, so you really should check exactly which tests a particular app passed or failed. You can check out the results in full, and maybe see how your app fared, here: https://www.eff.org/secure-messaging-scorecard