While there are a number of messaging apps from which to choose, only a dozen or so have marketplace gravitas. The best-known and most-utilized are usually the ones that come with your smartphone: the Google, Samsung, and Apple Messages apps, the Facebook Messengers, and the WhatsApps of the world. Most people don’t even think about their messaging app; they take it for granted and simply check notifications regularly.

But there are differences between them, and the most important ones involve security, because all messaging is speedy and virtually instantaneous. Is it possible for hackers to break into your connected device through a vulnerability in the messaging app? You bet it’s possible, and break-ins there are more common than you might think.

For example, we’ve probably all received phony messages purportedly from a friend containing a link to a video (“I think you’re seen in this video … check this out!”). Woe to those who fall for this ruse. So security and encryption of messages are serious considerations when it comes to messaging, which is far and away the favored method of communicating among Millennials, Gen Z folks, and younger.

Please know that end-to-end encryption is not a security panacea that will protect you from surveillance. Even if you use a secure messaging app, an unsecured device can enable anyone to access your messages. The best way to protect your messaging apps is with a separate password or use of biometrics (face, fingerprint, iris) on your device.

We’ve identified five of the most secure (and most utilized) messaging applications available. 

Signal

Best all-around bet

Compatible operating systems: Windows, MacOS, Linux, Android, iOS

Price: Free

Signal is probably the best all-around bet when it comes to reach, security, and privacy-enabled features. However, it lacks the usership of the Messages and Messenger apps because it is not a pre-loaded default app inside phones. Development of Signal was started by Open Whisper Systems, creator of TextSecure, which used end-to-end encryption to secure the transmission of instant messages, group messages, attachments and media messages to other TextSecure users. In 2015, TextSecure was merged with an encrypted voice-calling application called RedPhone, and the entire company was renamed Signal. Signal has become a favorite of the infosec community since its release, but it also has grown in popularity among ordinary users. It still has nowhere near the same number of active users as those noted above, however.

Key features/attributes

  • By default, Signal provides E2EE for all voice calls, video calls, and instant messages; it uses its own protocol.
  • This technology is 100% open source, which means its security is vetted by cybersecurity experts and its technology has been adopted by other messaging services like WhatsApp and Skype.
  • Signal also allows you to secure the app with a password so you can protect your messages if they fall into the wrong hands. There is also an option to send self-destructing messages.

Pros

  • Free
  • Compatible with many operating systems 
  • Open source technology 

Cons

  • Requires a phone number to sign up

Samsung and Google Messages

Supports RCS by default

Compatible operating systems: Android, Windows

Price: Free (Google Messages currently comes with Android devices not made by Samsung)

Security: Knox Security (Samsung); standard device security (Google)

It’s easy to get Samsung Messages and Google Messages confused, because they populate Android phones used the world over. Samsung Messages, included only on Samsung phones, has an interface that might be a little easier to use. However, the main advantage of Google Messages is the availability of RCS (rich communication services) by default, no matter where you live or which carrier you use. You can have RCS with Samsung Messages, but only if your carrier supports it. All Verizon plans, for example, now support Google Messages.

RCS is a next-generation SMS (short messaging service) protocol that upgrades standard text messaging. Features include payments, high-res photo/file sharing, location sharing, video calls, and others that are delivered to a device’s default messaging app. Knox’s E2EE security protocol, with its military-grade encryption, is a major advantage for users of Samsung Messages.

Key features/attributes

  • By default, both Messages provide end-to-end encryption for all voice calls, video calls, and instant messages.
  • Both Messages are built from open source code, which means security is vetted regularly by cybersecurity experts. This technology has been adopted by other messaging services, including WhatsApp and Skype.
  • Google Messages shows one line of text preview, while Samsung Messages shows two lines.

Pros

  • E2EE by default 
  • Voice calls, video calls, and instant messages are all encrypted 
  • Technology is vetted by cybersecurity experts 

Cons

  • Only works between Android devices

Apple Messages

Used only on Apple devices

Compatible operating systems: MacOS, iOS

Price: Free (on Apple devices)

Apple Messages is used only on Apple devices, but it is exemplary when it comes to security features. In addition to offering end-to-end encryption between users, Apple Messages allows users to control how long the message stays up and how many times the recipient can view the message (although this feature is only available to those who have iOS 10 and above).

Regardless of which Apple device you’re using, whether it runs iOS, watchOS, or iPadOS, your messages are end-to-end encrypted and cannot be accessed without a passcode. Users of Apple’s FaceTime can rest easy knowing that their video calls are also E2EE-empowered.

Key features/attributes

  • Messages is only available on Apple devices, meaning any message you send via Messages to a non-Apple device will not be encrypted. One major security loophole is the option to back up your messages to iCloud. On the cloud, messages are encrypted by keys controlled by Apple, meaning that if your iCloud were ever hacked or subpoenaed, those messages could be revealed.
  • Apple CEO Tim Cook has said that Apple “believe(s) that privacy is a fundamental human right,” and at least in its Messages and FaceTime apps it appears to take this commitment seriously. Just avoid storing your messages on web-based platforms such as iCloud — toggle off messages in settings so they’re not stored on the cloud.

Pros

  • FaceTime calls are also E2EE
  • Control how long a message stays up and how many times you can view the message

Cons

  • Only works between Apple users
  • Backing up your messages to iCloud can be a security loophole

WhatsApp

Ownership by Meta is worrisome

Compatible operating systems: Windows, MacOS, Android, iOS, KaiOS

Price: Free

WhatsApp may be used by more people than many of the above apps, but its ownership by Meta (formerly Facebook) is worrisome. When WhatsApp was founded in 2009, its founders originally intended it as a way for people to publish status updates, similar to Facebook’s statuses. It was the messaging feature, however, that sold the app to Meta, which bought it in 2014. WhatsApp is encrypted end-to-end, but its ownership continues to raise concerns about how it could be used in the future.

Key features/attributes

  • Security-wise, WhatsApp’s default E2EE enhances its privacy and security from malicious actors. Security issues have cropped up in the past, but if cybercriminals breached WhatsApp today, they couldn’t decrypt your conversations.
  • It also has what may now be considered standard features, such as video calling, voice messaging, and file sharing.

Pros

  • Works across many operating systems 
  • Privacy customization tools

Cons

Telegram

Two layers of secure encryption

Compatible operating systems: Windows, MacOS, Linux, Android, iOS

Price: Free

A key feature of Telegram is that it provides its users with two layers of secure encryption. Both private and group cloud chats support server-to-client encryption, while secret chats benefit from client-to-client encryption. In both instances, messages are encrypted. Telegram has recently gained popularity for organizing protests largely because it allows large chat groups of up to 10,000 members. This has in turn drawn the attention of state actors.

Key features/attributes

  • The app gives you the option to encrypt messages by enabling Secret Chats. When enabled, you can set messages to self-destruct across all your devices automatically or at a set time.
  • If you don’t encrypt your chat, then your data is stored on Telegram’s servers, which puts the security of your messages at risk.
  • Telegram also does not have E2EE by default — you’ll need to use its Secret Chats feature to enable it.

Pros

  • Compatible with all major operating systems 
  • Encrypts group chats up to 200,000 people

Cons

  • Does not have E2EE by default

What is the best encrypted messaging app?

Signal is our top pick for the best encrypted messaging app because of its wide range of compatible operating systems, extra protection through passwords, and open-source technology. However, if you are an Apple user, Apple Messages will provide great E2EE, and the same goes for Android users with Samsung and Google Messages.

If you want to chat across operating systems, though, Telegram and WhatsApp are also decent options that provide E2EE capabilities to keep your messages secure.

| Encrypted Messaging App | Price | Compatible OS | E2EE by default? |
|---|---|---|---|
| Signal | Free | Windows, MacOS, Linux, Android, iOS | Yes |
| Samsung and Google Messages | Free | Android and Windows | Yes |
| Apple Messages | Free | MacOS and iOS | Yes |
| WhatsApp | Free | Windows, MacOS, Android, iOS, KaiOS | Yes |
| Telegram | Free | Windows, MacOS, Linux, Android, iOS | No |

What are some messaging apps that do not embed E2EE security by default?

  • Twitter
  • Snapchat (has E2EE for photos and videos)
  • Instagram
  • Google Hangouts
  • WeChat
  • Line (opt-in E2EE)
  • Skype (opt-in E2EE)
  • Telegram (opt-in E2EE)

Does IM content qualify as a federal record?

The statutory definition of records (44 U.S.C. 3301) includes all machine-readable materials made or received by an agency of the US Government under federal law or in connection with the transaction of public business. Agencies that allow IM traffic on their networks must recognize that such content may be a federal record under that definition and must manage the records accordingly. The ephemeral nature of IM heightens the need for users to be aware that they may be creating records using this application, and to properly manage and preserve record content. Agency records management staff determine the record status of the IM content based on the overall records management policies and practices of their agency.

What are the current best practices for capturing IM content?

Nearly all IM client software has the ability to capture the content as either a plain text file or in a format native to that client. Generally, the location and maximum size of that file are determined by a configuration setting in the client. DoD 5015.2 certified applications have the ability to capture and manage records in any electronic format. Such formats include those files produced by the various IM clients.

In addition, various IM management products have the ability to address the monitoring and management of IM content, either from those clients that are part of the agency’s enterprise or the various public clients. Generally, these products operate at the server level and should be able to capture IM sessions regardless of the configuration of the individual client.

Determining which solution is appropriate for your agency involves collaboration among the program staff, the information technology (IT) staff, the records management staff, and NARA.

How did we choose these encrypted messaging apps?

We only discussed messaging apps that use (or can optionally use) end-to-end encryption (E2EE), a method of encrypting data that only allows the sender and receiver of the message to decrypt and read messages passed between them. More importantly, encryption prevents apps from storing copies of your messages on their servers.

Are there alternative encrypted messaging apps to consider?

Here are a few other options to look into: