SecureChatGuide.org

Messaging Protocols

Step-by-step guides and detailed information on secure messaging apps for Android, iOS, Windows, Mac and Linux.

Apps are listed in order of "Highly Recommended" first, then "Worth a Try", then "Not Recommended" last. Apps within the same recommendation level are ordered alphabetically.

Application: XMPP with OTR or OMEMO
Platforms: Android, iOS, MacOS, Windows, Linux
Communication types: Text, group chat, photos, files
Version tested:
Country of origin: Various
Encryption protocol: OTR or OMEMO (OMEMO is built on the Signal Double Ratchet); plaintext unless one of them is enabled
Shared Secret exchange:
Message Encryption Cipher:
Business model: Nonprofit XMPP Standards Foundation
Android app requires Google Play Services: Depends on the client
Requires a phone number: Depends on the client
Requires an email address: Depends on the client
Your ID contains personal information: Depends on the client
Data is locally encrypted: Depends on the client
Encrypted by default: No (unless OMEMO encryption is set to Always in some clients)
Perfect forward secrecy: Yes for OTR and OMEMO encrypted messages; OpenPGP-encrypted messages have none
Messages stored on server: Yes
Ephemeral messages: Depends on the client
Puddle test: Data recoverable (messages are saved on the server)
Hammer test: Data recoverable (you can leave a conversation, but this does not delete it; some clients also leak files)
Has contact verification: Depends on the client
Leaks files: Depends on the client
Android app trackers (1): Depends on the client
Websites: Getting Started
Last tested: 12/01/2018
Notes:

XMPP is a messaging protocol on which many applications are built. It uses a federated server model, much like e-mail: a user creates an account on an XMPP server, and any XMPP-compatible client can connect to that server and communicate through it with users on any other XMPP server.

XMPP was not originally designed with end-to-end encryption; it has since been added in the form of OTR and OMEMO messaging (and, earlier, OpenPGP).
OTR clients:
OMEMO clients:
[Information provided by JR]

What the server sees:
- Your plaintext chats, unless you use end-to-end encryption such as OTR, OpenPGP, or OMEMO.
- Your contact list (roster), which is saved on the server in plaintext.
- The precise time you logged in or out.
- The precise time of every message you send to a contact or receive from them.
- Whether you are online or not, and your status message.
- Who you contacted, when, and how frequently.
- A hash of your password (with the standard SCRAM-SHA-1 mechanism, a salted verifier derived from it). Improperly configured servers may store passwords in plaintext.
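The items above are easiest to appreciate from the server's side. The following is an added example, not code from SecureChatGuide.org or from any XMPP server: it parses two constructed message stanzas the way a server would and reports what can be logged from each (routing metadata and timing always, the body only when it was not OMEMO-encrypted), and it derives the SCRAM-SHA-1 verifier (RFC 5802) that a properly configured server keeps instead of the password, together with the proof check the server performs at login. The JIDs, stanza contents, sample password and the use of the 2018-era OMEMO namespace are assumptions made for the example; it needs only the Python standard library.

```python
"""What an XMPP server can see: message metadata versus body, and the
SCRAM-SHA-1 credential it stores in place of your password (RFC 5802).
Standard library only. The stanzas below are constructed samples."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

OMEMO_NS = "eu.siacs.conversations.axolotl"   # OMEMO namespace used by 2018-era clients
EME_NS = "urn:xmpp:eme:0"                      # XEP-0380 "explicit message encryption" hint
CLIENT_NS = "jabber:client"


def server_view(stanza_xml, received_at):
    """Return what a server can log from one <message> stanza: routing
    metadata always, the body only when the client did not encrypt it."""
    msg = ET.fromstring(stanza_xml)
    view = {"from": msg.get("from"), "to": msg.get("to"),
            "id": msg.get("id"), "received_at": received_at,
            "body": msg.findtext("{%s}body" % CLIENT_NS), "encryption": None}
    enc = msg.find("{%s}encrypted" % OMEMO_NS)
    if enc is not None:
        # With OMEMO the server still learns that OMEMO is in use, which
        # recipient device ids are addressed, the ciphertext length, and
        # any plaintext fallback <body> the client attached.
        view["encryption"] = OMEMO_NS
        view["recipient_devices"] = [k.get("rid") for k in enc.iter("{%s}key" % OMEMO_NS)]
        payload = enc.findtext("{%s}payload" % OMEMO_NS) or ""
        view["ciphertext_len"] = len(base64.b64decode(payload))
    return view


def _hmac_sha1(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def scram_sha1_verifier(password, salt=None, iterations=4096):
    """What a SCRAM-SHA-1 server stores instead of the password: salt,
    iteration count, StoredKey = H(ClientKey) and ServerKey. Neither value
    lets the server, or a thief of its database, recover the password."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = _hmac_sha1(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": _hmac_sha1(salted, b"Server Key")}


def scram_client_proof(password, salt, iterations, auth_message):
    """Client side of the final SCRAM message: ClientProof = ClientKey XOR
    HMAC(StoredKey, AuthMessage). The password itself never leaves the client."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = _hmac_sha1(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    return _xor(client_key, _hmac_sha1(stored_key, auth_message))


def scram_server_check(verifier, auth_message, client_proof):
    """Server side: recover ClientKey from the proof and compare its hash
    with the StoredKey on file. Only StoredKey is needed, never the password."""
    client_sig = _hmac_sha1(verifier["stored_key"], auth_message)
    client_key = _xor(client_proof, client_sig)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), verifier["stored_key"])


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample stanzas (not captured traffic): one plaintext chat
# message and one OMEMO message carrying a typical plaintext fallback body.
PLAINTEXT_STANZA = (
    "<message xmlns='%s' from='alice@example.org/phone' to='bob@example.net' "
    "id='m1' type='chat'><body>meet at the cafe at 9</body></message>" % CLIENT_NS)
OMEMO_STANZA = (
    "<message xmlns='%s' from='alice@example.org/phone' to='bob@example.net' "
    "id='m2' type='chat'><encrypted xmlns='%s'><header sid='1234'>"
    "<key rid='5678'>%s</key><iv>%s</iv></header><payload>%s</payload></encrypted>"
    "<encryption xmlns='%s' namespace='%s'/>"
    "<body>I sent you an OMEMO encrypted message.</body></message>"
    % (CLIENT_NS, OMEMO_NS, _b64(b"k" * 48), _b64(b"i" * 16), _b64(b"c" * 40), EME_NS, OMEMO_NS))

if __name__ == "__main__":
    for stanza in (PLAINTEXT_STANZA, OMEMO_STANZA):
        print(server_view(stanza, "2018-01-12T09:00:00Z"))
    print(scram_sha1_verifier("correct horse battery staple"))
```

Running it shows the point of the list: for the OMEMO stanza the server still gets sender, recipient, message id, arrival time, the addressed device ids and the ciphertext size, and the plaintext fallback body if the client sent one, while the chat text is only exposed in the unencrypted stanza. The SCRAM functions show why "hash of your password" is the best case: the verifier on disk is a salted, iterated derivation, the login proof never transmits the password, and a server storing plaintext instead has simply skipped this step.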

Excellent cryptographic analysis
XMPP Server Compliance Results

My verdict: A great option for a wide base of users. However beware of data leakage.

XMPP is a protocol, and clients are built on top of it, so there are many options across all platforms, which helps adoption.
One drawback is that the clients are all different, so there is a lack of consistency in experience and features across platforms. You also do not know which client your chat partner is using, so even if you use a secure client on your device, you have no guarantee that they are using one too.
Application: Tox
Platforms: Windows, MacOS, Linux, FreeBSD, iOS, Android
Communication types: Text, voice, video, screen sharing, file sharing
Version tested:
Country of origin: Not applicable (peer-to-peer, no centralized servers)
Encryption protocol: NaCl crypto_box (Curve25519, XSalsa20, Poly1305)
Shared Secret exchange:
Message Encryption Cipher:
Business model: Free open source project
Android app requires Google Play Services: Depends on the client
Requires a phone number: Depends on the client
Requires an email address: Depends on the client
Your ID contains personal information: Depends on the client
Data is locally encrypted: Depends on the client
Encrypted by default: Depends on the client
Perfect forward secrecy: Yes
Messages stored on server: Never
Ephemeral messages: Depends on the client
Puddle test: Data not recoverable (messages are saved only on the device)
Hammer test: Data recoverable (some clients on Android leak files)
Has contact verification: Depends on the client
Leaks files: Depends on the client
Android app trackers (1): Depends on the client
Websites: toxcore source
Last tested: 12/01/2018
Notes:

The original toxcore was forked to continue development.
Several clients are available and are developed independently of the core: Clients list.

Tox uses the NaCl crypto_box construction for encryption:
  • Diffie-Hellman key exchange using Curve25519 (X25519)
  • The resulting shared point is hashed (HSalsa20) to derive a 32-byte shared secret
  • The shared secret and a unique 24-byte nonce key the XSalsa20 stream cipher that encrypts the message; the nonce is public but must never repeat under the same key pair
  • Poly1305 computes a message authentication code over the ciphertext, so any tampering is detected before decryption

[Information provided by JR]

What is leaked to the world:
- Your IP address and the times you are online are revealed to your contacts: when chatting with a contact, you connect directly to them.
- Tor activity for contact finding.
- Not sure what else; there may be more. I am going to have to read the documentation.

My verdict: Try it for non-secure communications!

Tox has a lot of promise. The clients need more polishing, but they are available for most platforms, which will help adoption.
Unfortunately the Antox client on Android leaks data, so this is a good option to try, but I would not depend on it for secure communications.
This shows the weakness of having a strong communication protocol but no control over the client apps. The protocol may be excellent, but if an app does not handle the information properly once it is decrypted, that compromises security. And with multiple clients available, even if I choose a client that I know is secure, someone I am communicating with may be using a client that is not, and so they compromise my security too.