As I shut down my XMPP server recently, this also ended my use of messaging applications like Conversations, Gajim and Pidgin. As I needed a replacement for secure messaging, I have been trying out three new applications on both mobile and desktop devices.
I haven’t looked at completely decentralized apps like Tox as these cause too much battery drain on mobile devices. I prefer giving my phone a single point of contact for messaging; in an ideal world that should be my own server in a federated network. I’m hoping a messaging service like that will be created in the future. However, for now, it looks like centralized is the way to go. And if they provide good encryption, it doesn’t matter that much to me.
Open Whisper Systems developed Signal for Android and iOS devices, in combination with a Chrome-app that allows you to send messages using any device that runs the Chrome browser. This is by far my favorite messaging application as it implements security in a way that doesn’t bother you and is easy to use even for people that don’t care about encryption at all. Furthermore, the encryption scheme used by Signal is known to be very good.
On Android devices, the Signal app can replace your default SMS/MMS messaging app. This introduces several advantages over the other applications I have tried. Signal does not use the system-wide SMS/MMS database but uses its own encrypted storage. This means that other applications are no longer able to read your SMS messages, even if they have permission to access the system-wide SMS database. Signal is also able to seamlessly switch between SMS and encrypted Signal messages, similar to Google Hangouts and iMessage on iOS. This makes switching to Signal nearly effortless as it allows you to contact every single contact, regardless of whether they’re using Signal themselves.
The Signal client also supports disappearing messages. While it is impossible to guarantee that the other side has removed them too, I like the thought that most of my own history will be gone when someone happens to gain access to my phone.
- Encryption is on by default and does not get in the way at all.
- If you do care about security, you can easily compare fingerprints.
- Disappearing messages
- The clients are open source.
On the negative side:
- Signal suggests inviting your contacts to use Signal, and does that a single time for every contact.
- The SMS integration (which is a huge plus for me) is not available in iOS, as Apple does not allow replacing the default SMS app. This makes switching to Signal on iPhone a bit less effortless.
- People need to know your phone number if they want to contact you on Signal.
As one of the more popular messaging apps, the most obvious advantage for WhatsApp is that a large part of your contacts will be using WhatsApp already. You can start sending messages over WhatsApp right away, and don’t have to convince people to install the app first.
WhatsApp is using the Signal protocol, the same encryption scheme as used in the Signal client. Open Whisper Systems developers have helped with this implementation, so it should be pretty good. The problem here is that even the clients are closed source, so we can’t really be sure. We have to rely on what the company promises us. Depending on how much you trust WhatsApp (and Facebook), this makes security pretty weak.
For now, it looks like we can trust the people behind WhatsApp: The desktop clients need a connection with your phone in order to show you the messages. This tells me that WhatsApp does not store messages on their servers, as it causes a pretty big drawback. I wouldn’t trust them with my life, though.
- Messages (and calls) are encrypted by default.
- A lot of people are using WhatsApp, so it is likely that your contacts are too.
- It’s possible to check fingerprints.
On the negative side:
- Clients are closed source.
The Telegram developers created their own encryption protocol. This means that everything is shiny and new, which is not a good thing when security is deemed important. By default, only the connection between your device and the Telegram servers is encrypted. Your conversations can be viewed by anyone who has access to those servers. There’s an option to use secure messages, in which case the messages should be private. This is a bad situation, as people who don’t care about security won’t be using the private mode, including in messages sent to people who do care.
Telegram supports chatbots in a special way: You can type the name of a chatbot in any conversation to interact with them. The most popular example is the gif bot that allows you to search for gifs without leaving the application, and send them to your contact right away.
I’ve been using Telegram for way longer than Signal and WhatsApp, but I’m going to leave this network in the near future. Other applications have shown that it is now possible to implement good security without requiring any more effort from users. That means that, for me, there is no longer a place for applications that are not secure by default. The recent updates also add more bloatware instead of focusing on the one thing that this kind of application should do best: sending messages.
- Clients are open source.
- In private mode, it’s easy to check fingerprints.
On the negative side:
- Conversations are not secure by default; chatting in private requires an effort from users.
- Telegram clients are getting more bloated with recent updates.
And the winner is…
Looks like I will keep using both Signal and WhatsApp. The latter only because most of my contacts are using WhatsApp and not Signal. In that case, an app that should provide private messaging is better than a network (SMS/MMS) that is not private at all.