My list of favorite secure messaging apps

Step-by-step guides and detailed information on secure messaging apps for Android, iOS, Windows, Mac and Linux.

My current top picks:


Here is a list of the criteria I use to pick the best options. An app may not have every characteristic on the list, but the more of them it has, the better it will score. Testing is done on both Android and iOS when possible. See my testing setup.

Scoring system:

Beside each application you will see 4 numbers in colored boxes. The meaning of these numbers follows:

1 This is the lowest score, which means the application does not provide any protection in this category.
2 This score means the application provides some protection in this category.
3 This score means the application provides protection for many items in this category.
4 This score means the application provides complete or almost complete protection in this category.

The 4 categories used are:

Country of Jurisdiction:

Another aspect of each messenger to consider is the legal jurisdiction each app is subject to. This is usually determined by the incorporated status and country of the organization that controls the servers and codebase for the messaging system. Physical server location is not always a factor; for example, a server located anywhere in the world is still considered to be under the jurisdiction of the country where the controlling organization is incorporated.
There are various international intelligence-sharing agreements, the most well known being the so-called "5 eyes", "9 eyes" and "14 eyes" countries. If your data is protected well enough (encryption) and you are able to remain anonymous online, then the country of jurisdiction may not be the primary deciding factor for everyday citizens. But if you require extra security, the jurisdiction may be more important. You can read more about the "eyes" at https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/.

Level 1: Beginner

Welcome to your new journey into privacy. Everyone should install Signal as the first step towards a more private lifestyle.

Signal: 3 Privacy of your messages | 2 Privacy of your identity | 3 Integrity of the system | 2 Resistance to disruption

Country jurisdiction: USA [5 Eyes]

If you have a phone, there's almost no way to get away from SMS. So the best thing you can do is protect your SMS messages at rest with encryption. Signal also offers excellent end-to-end encryption between Signal users. One drawback of Signal is that everyone you connect with will know your phone number, but that is fine for people you are comfortable sharing your phone number with.


Pros:
  • One of the most advanced cryptography protocols
  • Easy to use, simple replacement for your phone's default SMS app
  • All data is encrypted locally on the phone
  • Lots of features
  • Open source
  • Messages can be set to disappear after up to one week
Cons:
  • A phone number is required, phone numbers are used to add other contacts
  • Optionally uses your address book to look for people you know who may use Signal
  • Messages to non-Signal users are regular non-encrypted SMS
  • Reliant on one server controlled by the Signal organisation
  • Based in the USA
Other features:
  • Send photos, videos, audio clips, files, contacts, location
  • Delivery and read receipts in individual chats
  • Contact verification through safety number comparison
  • Alert when a contact's key changes
  • Re-registration PIN lock
  • Lock app with PIN or fingerprint

Other Signal reviews:

Restore Privacy

Kuketz Blog

Install Signal

Detailed Review of Signal


Level 2: More anonymous, but centralized

Best choice:

Threema: 3 Privacy of your messages | 4 Privacy of your identity | 4 Integrity of the system | 2 Resistance to disruption

Country jurisdiction: Switzerland

Threema is a messenger from Switzerland that is very easy to use yet very secure and private. The enterprise version of Threema has been chosen by the Swiss government as their secure messaging platform.


Pros:
  • Very nice look, lots of features, easy to use
  • Communicate with text, voice or group text chat
  • Based in Switzerland (great privacy laws)
  • No personal information such as an email address or phone number is needed to create an account
Cons:
  • No Perfect Forward Secrecy or ephemeral messages
  • No option for automatic deletion of messages
  • Can only be used on one device
Other features:
  • One on one video chat available
  • Send photos, videos, audio clips, files, contacts and location
  • Create polls
  • Draw on a photo before sending it
  • Quote prior messages
  • Search for words in a chat
  • Mention other participants
  • Thumbs up/down on messages in individual chats
  • Delivery and read receipts in individual chats
  • Up to 100 participants per group chat
  • Contact verification through key fingerprint comparison

Other reviews:

Kuketz Blog

Restore Privacy

Install Threema

Detailed Review of Threema

Alternative:

BBMe: 3 Privacy of your messages | 2 Privacy of your identity | 3 Integrity of the system | 1 Resistance to disruption

Country jurisdiction: Canada [5 Eyes]

BlackBerry Messenger is an app which has its primary focus on enterprise messaging, but it is also available for use by individuals for a very low fee. It is a reasonable alternative to Threema if you are looking for a few specific features, such as using one account on multiple devices, using it on a desktop computer, or video chat with more than one other person.


Pros:
  • Communicate with text, audio (15 max) and video (15 max) group chat
  • ID does not contain personal information
  • Perfect forward secrecy
  • Use on multiple devices including phones and desktop computers
  • Choose whether to save photos to the mobile device gallery or not
Cons:
  • Need an email to signup
  • Based in Canada
  • Small fee of US $5 per year, paid through Google Store or iOS App Store
Other features:
  • Send photos, videos, audio clips, files, contacts and location
  • Search for words in a chat
  • Add messages to a favorites list
  • Quote and forward messages
  • Retract a message to delete it from all participants' devices
  • Clear all messages from a chat or retract the entire chat
  • Use up to 5 devices with one account
  • Contact verification by comparing session key or QR code

Install BBMe

Detailed Review of BBMe


Level 3: Peer to Peer or Decentralized

Easy to use:

TwinMe: 3 Privacy of your messages | 4 Privacy of your identity | 2 Integrity of the system | 2 Resistance to disruption

Country jurisdiction: France [9 Eyes]

TwinMe uses proven TLS encryption to make a direct peer-to-peer connection between devices. The only server involved is a signaling server that helps devices find each other to be able to connect. Messages are sent directly from device to device without going through a server.

No information is needed to sign up; you don't have an account at all, just a randomly generated ID on your device. Connecting with others is accomplished by sharing your device ID. This means, though, that if you change devices your old ID will no longer work, and you will need to send the ID of your new device to your contacts and reconnect with them.


Pros:
  • Communicate with text, voice, video and group text chat
  • Connections are made directly between your device and your chat partner's device, no server acts as the middle man
  • No personal information such as an email address or phone number is needed to create an account
Cons:
  • No option for automatic deletion of messages
  • You can't make a backup or export your keys or messages to move to another device
  • No contact verification
Other features:
  • Create multiple profiles in the app
  • Send photos, videos, audio clips, files and streaming music
  • Manually delete a message including from all participants' devices
  • Delivery and read receipts in individual chats

Install TwinMe

Detailed Review of TwinMe

For advanced users that self-host:

Conversations: 2 Privacy of your messages | 4 Privacy of your identity | 3 Integrity of the system | 4 Resistance to disruption

Country jurisdiction: Depends on your server location

Conversations uses the OMEMO protocol to encrypt messages. More metadata is saved on the servers than with many messengers, but that can be mitigated by self-hosting your own XMPP server. However, managing your own server takes a lot of skill and time. If you do not self-host, that will bring my score for privacy of your messages down to a 2.


Pros:
  • If you self host you control all the information on your own server
  • Communicate in one on one and group text chats
  • There are many servers to choose from if you don't want to host your own
  • If you self host or choose a good server you do not have to provide email or other identifying information
  • Some servers offer the ability to use Tor
  • Messages are preserved if you move to another device or use multiple devices with the same account
Cons:
  • Android only
  • OMEMO encryption is an add-on to a system not designed with privacy in mind from the beginning
  • More difficult to use than many messengers
  • More metadata is saved on the servers than with many messengers (which is why self-hosting is recommended)
  • Not encrypted by default; you must actively enable OMEMO encryption
  • No ephemeral messages
Other features:
  • Use the same account on multiple devices
  • Send photos, audio, files and videos
  • Quote a message when replying
  • Edit your most recent message
  • Use multiple XMPP accounts at once on the same device
  • Delivery and read receipts in individual chats
  • Contact verification through key fingerprint comparison

Other reviews:

Kuketz Blog

Install Conversations

Detailed Review of Conversations


Level 4: Alternative Networks

Multiple Operating Systems over Tor:

Tox: 3 Privacy of your messages | 4 Privacy of your identity | 3 Integrity of the system | 4 Resistance to disruption

Country jurisdiction: None (Tor peer to peer network)

Tox is a messaging protocol that is used by many clients on several operating systems. Each Tox client is identified by a unique key fingerprint and this is your identity for sharing with other users. There are many applications written for the Tox protocol and there is an active community of developers making improvements to them regularly.


Pros:
  • Text one on one or in groups
  • Multiple platforms supported: Windows, MacOS, Linux, FreeBSD, Android
  • Peer to peer connections between clients, optionally over Tor
  • No personal information such as an email address or phone number is needed to create an account
  • Uses modern Curve25519 and XSalsa20 encryption
Cons:
  • No ephemeral messages
  • Each user profile can only be used on one device
  • May use more battery than other messaging apps on mobile devices
Other features:
  • Send photos, videos, audio clips, files
  • Delivery and read receipts in individual chats
  • Online status and typing indicators

Install Tox

Detailed Review of Tox

Android or Linux over Tor:

Briar Project: 3 Privacy of your messages | 4 Privacy of your identity | 4 Integrity of the system | 4 Resistance to disruption

Country jurisdiction: None (Tor peer to peer network)

Briar is a peer-to-peer secure messenger that uses the Tor network for connecting devices. Each Briar device has a unique onion address on the Tor network and there are no servers (besides the standard Tor infrastructure) needed to connect to other Briar users. The app has fewer features than many messengers and is only available for Android, but if you need secure communications this will provide that without unnecessary frills.


Pros:
  • Communicate with text in one-on-one chats, private groups, forums and post on your own blog
  • Connections are made directly between your device and your chat partner's device, no server acts as the middle man
  • Uses the Tor secure network protocol
  • No personal information such as an email address or phone number is needed to run Briar. There is not even any controlling server where you need to create any account.
  • Available on F-Droid
  • Does not require Google Play Services
  • Can communicate with other Briar users over WiFi, Bluetooth and Tor
Cons:
  • Linux app is one-on-one text messaging only
  • Text only chat right now but sending photos is being worked on
  • Higher battery usage than most messengers
  • No option for automatic deletion of messages
  • You can't make a backup or export your keys or messages to move to another device
Other features:
  • Private Groups are chat rooms which are invite-only by the group creator
  • Forums are chat rooms where any members can add any of their own contacts
  • You have your own blog where you can write posts, and your contacts will see these posts in a blog feed
  • "Introductions" lets you give two people in your contact list each other's contact info so they can make their own connection in Briar
  • Online status indicator
  • Delivery and read receipts in individual chats

Other reviews:

Kuketz Blog

Install Briar Project

Detailed Review of Briar Project


Level 5: Experimental (know what you're doing)

Decentralized private network:

Session: 3 Privacy of your messages | 4 Privacy of your identity | 4 Integrity of the system | 4 Resistance to disruption

Country jurisdiction: None (Lokinet peer to peer network)

Session runs on top of the onion routing network Lokinet to provide a decentralized messaging system. It uses the Signal protocol for end-to-end message encryption. This is a new project, so it is still considered experimental and there will be bugs in the apps. However, in testing, the app has been a great experience overall, and I think it is one of the best prospects for becoming an official recommendation on my list.


Pros:
  • Send text, photos and files in individual or group chats
  • The Lokinet system ensures your messages are not stored on any single server while in transit
  • Set ephemeral message timeout for up to one week
  • No personal information such as an email address or phone number is needed to create an account
  • Available for iOS, Android, Linux, MacOS and Windows
  • Battery usage on mobile devices is better than some other onion routing based apps
Cons:
  • Accounts can only be used on a single device; multi-device support is planned for the future
  • Still new, bugs exist and features may change
Other features:
  • Add contacts via a QR code
  • Typing indicators and read receipts (can be turned on or off)
  • Create closed private groups or open public groups
  • Mobile app has lockout feature
  • Disable link previews in messages
  • Turn notification via Google notification servers on or off
  • Automatically delete older messages after a specific number per conversation

Install Session

Detailed Review of Session

Built on DAT:

Cabal: 2 Privacy of your messages | 4 Privacy of your identity | 2 Integrity of the system | 4 Resistance to disruption

Country jurisdiction: None (Tor peer to peer network)

Cabal is a new messenger built on top of the Dat protocol, which uses symmetric keys to validate data and provide access to encrypted dat files. You create a Cabal, which is essentially an encrypted database that is replicated with anyone you provide the public key to. This is a very early project, so it remains to be seen what the final security of the system will be; do not use this for anything truly private.


Pros:
  • Communicate with text in any number of channels created in a single Cabal
  • Connections are made directly between your device and everyone else connected to the Cabal, no server acts as the middle man
  • Uses the Dat protocol
  • No personal information such as an email address or phone number is needed to create a Cabal or join one.
  • Available for Linux, MacOS and Windows
Cons:
  • Text only right now but sending photos is being worked on
  • If someone knows your public key they can join and get all history
  • No option for automatic deletion of messages
Other features:
  • You can be connected to multiple Cabals at once

Install Cabal

Details on scores for each app:

App | Privacy of Messages | Privacy of Identity | Integrity of the System | Resistance to Disruption
    | EM FP DL DR PFS Total | ID EP NT Total | Au CV GC KC Total | PD OS SH NP Total
Signal 3 2 3 Client 2 2
Threema 3 4 N/A 4 Client 2 2
WickrMe 4 3 3 crypto library 5 1
BBMe 3 2 3 4 1
Wire 3 2 N/A 4 Client 6 2
TwinMe 3 4 N/A 2 2 2
Conversations 2 4 3 1 4
Tox 3 4 N/A 3 Many 4
Briar Project 3 4 N/A 4 1 4
Session 3 4 N/A 4 5 4
Cabal ? 2 4 N/A 2 3 4
Key to columns:
  • EM - Ephemeral messages
  • FP - Foolproof
  • DL - No data leaks
  • DR - Data not recoverable
  • PFS - Perfect Forward Secrecy
  • ID - ID doesn't have personal info
  • EP - Does not require email or phone
  • NT - No trackers
  • Au - Audits
  • CV - Contact Verification
  • GC - Good Country
  • KC - Key Change Alerts
    ("N/A" means the key cannot change)
  • PD - P2P or Decentralized
  • OS - Open Source
  • SH - Self Hosted
  • NP - Number of platforms

Some other apps that are worth considering:

Notes within [brackets] are potential negative attributes.

Use with caution:
December 2018: Recently there have been some troubling laws passed and articles written in the UK and Australia (part of the 5 eyes countries) that may cause issues with trust in applications developed in those countries. Both countries now seem to be pushing for backdoor access for government surveillance to be built into secure messaging applications. Not only will this weaken or break End to End security, but apps that are not open source from those countries may no longer be trusted and may be used for a mass surveillance program. Here are some recent articles.
Principles for a More Informed Exceptional Access Debate
In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call. The service provider usually controls the identity system and so really decides who’s who and which devices are involved - they’re usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication. This sort of solution seems to be no more intrusive than the virtual crocodile clips that our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions and certainly doesn’t give any government power they shouldn’t have.

We’re not talking about weakening encryption or defeating the end-to-end nature of the service. In a solution like this, we’re normally talking about suppressing a notification on a target’s device, and only on the device of the target and possibly those they communicate with. That’s a very different proposition to discuss and you don’t even have to touch the encryption.
  -Ian Levy is the technical director of the National Cyber Security Centre, a part of GCHQ.
  -Crispin Robinson is the technical director for cryptanalysis at GCHQ.

Australia passes new law to thwart strong encryption
The new law, which has been pushed for since at least 2017, requires that companies provide a way to get at encrypted communications and data via a warrant process. It also imposes fines of up to A$10 million for companies that do not comply and A$50,000 for individuals who do not comply. In short, the law thwarts (or at least tries to thwart) strong encryption.

Companies who receive one of these warrants have the option of either complying with the government or waiting for a court order. However, by default, the orders are secret, so companies would not be able to tell the public that they had received one.