Sep 26 2015

Secure Instant Messaging App Selection

Category: Mobile Computing, Security
Teknovis @ 7:23 am

I was searching for a new secure instant messaging app, and I previously described my requirements in Secure Instant Messaging App Requirements. My search has finished, and I have a winner :) Let me explain how I got to this point :)

There are lots of messaging apps available that claim to be secure. Indeed, they may well be, depending on what is meant by secure. My requirements were very clear, so it was relatively easy to reduce the field to an initial short list of four (in alphabetical order):

All of these apps are covered in the Secure Messaging Scorecard by the Electronic Frontier Foundation. I found that was a very useful resource.

Surespot was the first to be eliminated. This was an easy decision, because there are rumours that it has been compromised. I am not sure that I believe all of these rumours, but they are enough to scare me away! See any of the following:

Telegram was next to be eliminated. It has several good and bad features, and the main ones of interest to me are summarised below.

Good:
- Available for desktops
- Provides end-to-end encryption, but only for secret chats
- Scored 4/7 in normal use, and 7/7 for secret chats
- Available for both Android and iOS

Bad:
- Founded by, and run by, Russians
- Group chats do not use end-to-end encryption
- Uses phone numbers
- There are some concerns over its use of a very custom protocol

It was fairly easy to eliminate Telegram, because I do not like the way that it only provides end-to-end encryption in the secret chat mode. It would be too difficult for me to educate my target audience in the differences between the various types of chats.

This left Open Whisper Systems and Threema, and I spent the most time studying both of these. Obviously I looked at their respective web sites, and I also found the following two resources very useful:

The main good and bad features of Open Whisper Systems in my opinion are summarised below.

Good:
- Open source
- Includes voice support
- Great endorsements (Bruce Schneier, Edward Snowden)
- Scored 7/7
- Provides end-to-end encryption (using elliptic curves)
- Provides end-to-end forward secrecy
- Includes identity verification
- Available for both Android and iOS

Bad:
- Based in the US
- Funded by the US government
- Previous links with Twitter, and current vague links with WhatsApp/Facebook
- Linked to the device's SIM
- Integrates with the native messaging app

Similarly, the main good and bad features of Threema in my opinion are summarised below.

Good:
- Provides end-to-end encryption (using elliptic curves)
- Provides end-to-end encryption for group chats
- Cryptography provided using a respected library (NaCl)
- Scored 5/7
- Not linked to the device's SIM, so it can be used on devices without SIMs
- Hosted in Switzerland
- Standalone app
- Includes identity verification
- Available for both Android and iOS

Bad:
- Does not include voice support
- No desktop version
- Not free
- Does not provide end-to-end forward secrecy

Of course I realise that some of my opinions are very subjective (such as the nationalities of the people behind them). I am also aware that I must have a certain amount of trust in the app provider, and that no secure app in the world can compensate for a compromised operating system!

So what app did I ultimately select? Threema :) So far I have been extremely happy with my choice!

However, I have been impressed by Open Whisper Systems, and I am considering using it for work purposes. (I like to keep my personal apps separate from my work apps.)
