How to choose your secure messaging app

Since WhatsApp announced its acquisition, a lot of people have started to switch to alternatives, trying to escape from Facebook. Some of them then discovered my article about Telegram, and a common answer was “hey, at least, it is better than WhatsApp, because it is open source, faster and it has encryption”.

This is a very bad way to decide what application you should use. If you choose a secure messaging app, it must be because you need it, not just because you want to avoid Facebook.

Those are not good enough requirements:

  • independent from Facebook
  • fast
  • multi-platform
  • open source

Yes, even open source, because it does not magically make software safe.

So, what are good requirements? Well, I already have a list of requirements a secure messaging app should meet to be considered. If an app does not follow those requirements, it may not be a good idea to use it.

But it still does not mean the app will fit your use case. So you must define your use case:

  • Why do you need it?
  • With whom will you communicate?
  • Who is the adversary?
  • What will happen if some of your information is revealed to the adversary?
  • Does it need to be always available?
  • For how long will it be used?

This is part of what I mean when I insist on having a threat model: you cannot choose correctly if you do not know the risks.

Here are a few examples that you could consider.

The activist in a protest

The activist must be able to communicate quickly in the crowd. Identifying info might not be the most important part, because she can use burner phones (phones that will be abandoned after the protest). The most important feature is that it should be always available. Phone networks were often used to disrupt activist communication, so a way to send messages through WiFi or Bluetooth might be useful. The messages can be sent to a lot of different people, so being able to identify them might be important. If the group is large enough to be infiltrated easily, then having no way to identify people is crucial.

Being able to send photos is important, because they might be the only proof of what happened in the protest. Here, I have in mind the excellent ObscuraCam app, which is able to quickly hide the faces of people in photos before sending them.

The application should not keep logs, or provide a way to quickly delete them, or encrypt them by default, because once someone is caught, the police will look through the phone.

The crypto algorithms and protocols should be safe and proven for that use case, because the adversaries will have the resources to exploit any flaw.

No need for a good update system if the devices will be destroyed after use.

The employee of a company with confidential projects

The adversaries here are other companies, or even other countries. The most important practice here is the “need to know”: reduce the number of persons knowing the confidential information. That means the number of persons communicating among themselves is reduced, and you can expect that they have a means of exchanging information securely (example: to verify a public key).

Identifying who talks with whom is not really dangerous, because it is easy to track the different groups in a company. You may be confident enough that the reduced group will not be infiltrated by the adversary. The messages should be stored, and ideally be searchable. File exchange should be present.

There could be some kind of escrow system, to reveal information if you have a certain access level. Authentication is a crucial point.

The crypto may be more fun in that case, because the flexibility needed can be provided by some systems, like identity-based encryption. Enterprise policies might be able to force regular updates of the system, so that everybody has the same protocol version at the same time, and any eventual flaw will be patched quickly.

The common user

It is you, me, anyone wanting to exchange private messages with friends or family. Here, trying to protect against the NSA is futile, because most of the contacts might not have the training needed. Trying to hide the contacts list from Facebook is futile too: even if someone protects the information, one of the contacts may not. The adversary you should consider here: crooks, pirates, anyone that could exploit the private messages for criminal purposes (stealing bank info, blackmailing, sending malware, etc).

An application fitting this use case should encrypt messages, preferably end to end, to limit problems when the exchange server is compromised. The service might not provide any expectation of anonymity. Messages should be stored, but encrypting them is a good option, in case the device is lost or stolen.

The crypto does not need to be very advanced, but it should use common, well known designs.

There should be a good update system, a way to negotiate protocol versions (and forbid some unsafe versions), because you will never be sure that everybody has performed all the needed updates.
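A minimal sketch of such a negotiation, added here as an illustration and not taken from the original post or from any real messaging app. It goes one step beyond the sentence above by also authenticating both offers, so that a version list altered in transit is detected. The version numbers, the forbidden set, the function names and the session key are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample values: the version numbers and the forbidden set are
# illustrative and do not come from any real messaging protocol.
FORBIDDEN = frozenset({1})  # versions with known flaws, refused unconditionally


class NegotiationError(Exception):
    """No acceptable version exists."""


def negotiate(initiator_offer, responder_offer, forbidden=FORBIDDEN):
    """Return the highest version both sides support that is not forbidden."""
    acceptable = (set(initiator_offer) & set(responder_offer)) - set(forbidden)
    if not acceptable:
        # Fail closed: never fall back to a forbidden version for compatibility.
        raise NegotiationError("no mutually supported safe version")
    return max(acceptable)


def transcript_mac(session_key, initiator_offer, responder_offer, chosen):
    """MAC over both offers and the chosen version, as one side saw them."""
    transcript = "init={};resp={};chosen={}".format(
        sorted(initiator_offer), sorted(responder_offer), chosen
    ).encode()
    return hmac.new(session_key, transcript, hashlib.sha256).digest()


def offers_match(session_key, initiator_offer, responder_offer, chosen, peer_mac):
    """True if the peer saw the same offers; False means an offer was altered."""
    expected = transcript_mac(session_key, initiator_offer, responder_offer, chosen)
    return hmac.compare_digest(expected, peer_mac)


if __name__ == "__main__":
    key = b"\x01" * 32  # assumption: secret produced by the session's key exchange
    sent = {1, 2, 3}    # what the initiator really offered
    seen = {1, 2}       # what the responder received after version 3 was stripped
    responder = {2, 3}
    chosen = negotiate(seen, responder)                 # responder settles on 2
    mac = transcript_mac(key, seen, responder, chosen)  # responder's view
    print("chosen:", chosen)
    print("initiator accepts:", offers_match(key, sent, responder, chosen, mac))
```

The initiator rejects the session in the run above because its own offer included version 3 while the responder's MAC covers an offer without it.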

Your use case here

Those were some common situations, for which some solutions exist, but there are a lot more possible use cases. If you are not sure about yours and need help defining your threat model, do not hesitate to ask for help, and do not jump on a solution because the marketing material says it is safe.

A good security solution will not only tell you what is protected, and how, but also what is not protected, and the security margins you have. It will also teach you the discipline you need to apply to get the most out of it.

14 thoughts on “How to choose your secure messaging app”

  1. I like your article, just like the telegram analysis, that was very interesting. I was wondering, with so many alternatives, what do you think of BlackBerry Messenger? I’ve always heard governments use it internally. Of course they run it on their own BES server for added layers of protection. But just how “secure” is it?

    • Well, I do not really know how it works. The idea that most messages needed to transit unencrypted through RIM’s server was enough to put me off.

  2. Thanks for this post and the previous on Telegram, their PR/marketing is dangerously misleading and the hype in the last days isn’t helping anyone.

    I’m just a basic user and not a security pro, but even I can tell flaws in Telegram: As WhatsApp, they request access to all your contacts, something fishy, especially when they are from Russia and claim to be privacy driven. Also they can’t even get something as basic as country codes right, you can find in twitter several cases of people in X country getting messages or calls from Y country. On top of it all it’s easy to get contacted by spammers/scammers.

    Definitely an app not to be trusted.

    • I should probably write a post about TextSecure since people ask me so often about it:)

      I really like it and have been using it for a year now. Their new Axolotl protocol is very interesting and offers real improvements over OTR. So, yes, I recommend it.

  3. Thanks for your insightful article. One thing in the beginning, I do not fully understand. You say: Wanting to stay independent from Facebook is not enough reason to move away from Whatsapp.
    Why?
    I think it can be a good reason. Pre February 19 one’s opinion could be: 1 Facebook is definitely an evil company (based on experiences in the past). 2 Whatsapp is, uhm “okay” for now. Post February 19 there is the acquisition by Facebook, which means anything one does with Whatsapp is at least being a part of that evil Facebook. So: Move away!
    People that were using Whatsapp apparently needed that way of communication. It met a need for them. It’s only natural that when that need gets soiled with something against their principle, they search for alternatives.
    I know, whatsapp already was full of flaws, and telegram probably is only worse from a technical point of view. People should better look for real improvement, but my point is, why not move away from company X just because you don’t like them?

    • This is not exactly what I said. To rephrase what I said a bit bluntly: if you’re moving from WhatsApp to Telegram, then it is not because you care about your privacy or security, because if you did, you would not have used WhatsApp in the first place.

      Moreover, moving away from WhatsApp does not mean your data will be protected. Do you think they deleted the account settings, contact lists, messages statistics? All this is now in the hands of Facebook.

      I have no issue with people using WhatsApp if it fits their use case. And Telegram probably fits that use case too. But that article is about choosing a secure messaging app and that use case is different. Independence from Facebook is not a good argument, because any service could be bought like WhatsApp.
