A totally secure, encrypted messaging service is the holy grail for many, but messaging apps' assurances that they can truly achieve this level of security usually dissipate under scrutiny.
Home secretary Amber Rudd has called for technology companies to build "back doors" into their encrypted content for security services to use when they require access in the fight against terrorism. And prime minister Theresa May talked at the World Economic Forum summit in Davos, Switzerland about the need for a balance between privacy and security – in short, undermining the security of encrypted messaging apps.
Read next: Best private Android mobile browsers
Android still tends to be the default platform for secure messaging apps, but iOS versions usually become available after a short delay. The issue of platform support is more important than it might first appear.
Even if you don't personally use an iPhone, for example, the fact that your favoured contacts do will render any app that doesn't support both platforms useless if the same app is needed at both ends.
Some apps integrate with third-party applications, for instance email clients. That can be important for businesses – can the app support the preferred communications software used by an organisation and will it work across desktop as well as mobile? Some can, some can't.
Read next: The best secure browsers
It should be noted that Apple has significantly ramped up privacy and security in its devices of late. Controversially, American intelligence recently demanded that Apple undermine its own encryption as part of a terrorist shooting investigation. But Apple said that it couldn't, even if it wanted to.
At the end of the day, if you want to guarantee true privacy, you should be using a messaging service which works on a secure mobile browser or at least a trustworthy VPN combined with private mode on your phone.
But for those who want at least a surface level of safety assurance, here are the most secure messaging services for mobile out there.
Whatsapp CEO and cofounder Jan Koum grew up in communist Ukraine – where open dissent was not tolerated by the government. Leaving the country at 16 for Mountain View, California, in 1992, it wasn't until 2009 when he and Whatsapp cofounder Brian Acton created an app designed to cut the number of missed calls they were getting.
This eventually mutated into Whatsapp, and by 2014 it had over 400 million users. Today it's one of the most popular messaging apps out there. In 2016, the company revealed that it had more than one billion users.
There were three principles integral to Koum, listed in this extensive profile from Wired. The first two could be traced back to his Soviet roots, the good and the bad: one that the app should promote privacy and protect freedom of speech. The second: no adverts. The third was that it should be a gimmick-free user-friendly experience.
That said, the fact that Facebook owns Whatsapp will not be reassuring to the privacy-conscious. Facebook is notoriously aggressive about collecting user data and Facebook has signposted its intention to target users with ads based on Whatsapp data.
Where Whatsapp tends to be unavoidable at the moment is the sheer number of people on it, similarly to Facebook Messenger. While there are more secure messaging apps on the market, its popularity does sell it – and at least it does tout a degree of privacy (even if it's Facebook that owns the data).
Here's the technical stuff.
Whatsapp started using the TextSecure platform (now called Signal – see below) from the Open Whisper Systems in 2015, which improves security by using true end-to-end encryption with perfect forward secrecy (PFS). This means the keys used to scramble communication can't be captured through a server and no single key gives access to past messages.
In April 2016, the Signal protocol was rolled out as a mandatory upgrade to all WhatsApp users across all mobile platforms, an important moment for a technology that had spent years on the fringes. At a stroke it also made Open Whisper Systems the most widely used encryption platform on earth.
In February 2017 WhatsApp incrementally introduced two-factor authentication to all of its users as an optional added layer of security.
Two-factor authentication essentially means verifying your identity twice – and in this case users will choose to access their account through a six-digit number. WhatsApp users will need to enable the feature through their settings and once switched on, the passcode will remain on the associated account, no matter which device it's being accessed through.
Earlier this year, a Guardian report claimed that a security vulnerability in WhatsApp meant Facebook – WhatsApp's parent company – could read encrypted messages sent through the service. Security researcher Tobias Boelter told the paper that WhatsApp is able to create new encryption keys for offline users, unknown to the sender or recipient, meaning that the company could generate new keys if it's ordered to.
And although Facebook insists that it couldn't read your WhatsApp messages even if it wanted to, critics have been suspicious since the buy – since Facebook's entire platform depends on data and advertising, and its own Messenger service is infamously intrusive.
In terms of security, it's important to distinguish pure secure messaging apps from apps that happen to have some security. Many use encryption but operate using insecure channels in which the keys are stored centrally and hide behind proprietary technologies that mask software weaknesses.
But it was presumably the sort of innovation Whatsapp brought to the table that so upset then-British prime minister David Cameron when in early 2015 he started making thinly veiled references to the difficulty security services were having in getting round message encryption used by intelligence targets. Current PM Theresa May has ramped up this rhetoric and focused on Telegram in particular. (Again – see below).
It's fair to say that police and intelligence services are now worried about the improved security on offer from these apps, which risks making them favoured software for terrorists and criminals. That said, they are not impregnable. Using competent encryption secures the communication channel but does not necessarily secure the device itself. There are other ways to sniff communications than breaking encryption.
Most recent apps will, in addition to messaging, usually any combination of video, voice, IM, file exchange, and sometimes (though with a lot more difficulty because mobile networks work differently) SMS and MMS messaging. An interesting theme is the way that apps in this feature often share underlying open source technologies although this doesn't mean that the apps are identical to one another. The user interface and additional security features will still vary.
Signal (formerly TextSecure Private Messenger) is arguably the pioneering secure mobile messaging platform that kick-started the whole sector.
Originally created by Moxie Marlinspike and Trevor Perrin's Whisper Systems, the firm was sold to Twitter in 2011, at which point things looked uncertain. In 2013, however, TextSecure re-emerged as an open source project under the auspices of a new company, Open Whisper Systems, and since it has gained endorsements from figures such as Bruce Schneier and Edward Snowden.
We call it a platform because Signal is more than an app, which is simply the piece that sits on the Android or iOS device and which holds encryption keys.
The app itself can be used to send and receive secure instant messages and attachments, set up voice calls, and has a convenient group messaging function. It is also possible to use Signal as the default SMS app but this no longer uses encryption for a host of practical and security reasons. https://signal.org/blog/goodbye-encrypted-sms/
Signal was designed as an independent end-to-end platform that transports messages across its own data infrastructure rather than, as in the past, Google's Google Cloud Messaging (GCM) network.
The Axolotl protocol underlying the platform's security is also used by G Data as well as Whatsapp, which isn't to say that Facebook's implementation won't have other vulnerabilities – as ever use with care.
Using the app is pretty straightforward. Installation begins with the phone number verification after which the software will function standalone or as the default SMS messaging app after offering to import existing texts. The most secure way to use it is probably as the default messaging app, so that an insecure message doesn't get sent by accident.
Signal is based on the OTR protocol, uses AES-256, Curve25519 and HMAC-SHA256; voice security (formerly RedPhone app) and is based on ZRTP.
Interestingly, Signal added encrypted video calls to its feature roster in 2017, stepping up its current level of encryption. The app previously supported voice call end-to-end encryption but this update ensures video capabilities hold the same level of security as its chat functionality.
Additional security features include an app password and with a blocker that stops screen scraping. It is also possible to control what types of data are exchanged over Wi-Fi and mobile data. Obviously both sender and receiver need to have the app installed, which worked simply by entering the phone number of any other registered user.
Developed by Wire Swiss, Wire is a private messaging app that boasts that it's in line with all European Union data laws, and is available on iOS, Android, Linux, Windows, macOS, and also operates web client options that work on browsers such as Firefox, Chrome, Safari and Opera. Even better, it's free and open source – meaning that if you are worried about what's in the code you can take a look at it yourself.
When the app first launched encryption was limited between client and the company server but end-to-end encryption was quickly added, along with a video calling feature. Messages are encrypted by Proteus, a protocol developed independently by Wire Swiss but based on Signal.
It is consumer-facing too. Private messaging clients can be a tough sell to users but Wire is integrated with various content platforms including Youtube and Spotify.
But – there is a trade-off. Motherboard security reporter Joseph Cox points out that Wire does store a record of people you've contacted through the app, and in plain text. Wire Swiss says that this is to make cross-device synchronisation easier. Wire confirmed to Motherboard that connections, emails, phone numbers and usernames are stored while an account is active, but are nixed when the account is deleted.
Launched by two Germany-based brothers in 2013 Telegram's distinctiveness is its multi-platform support, including not only Android and iPhone but Windows Phone as well as Windows OS X and even Linux.
Telegram uses the MTProto protocol, 256-bit symmetric AES encryption, RSA 2048 encryption and Diffie–Hellman secure key exchange.
With the ability to handle a wide range of attachments, it looks more like a cloud messaging system replacing email as well as secure messaging for groups up to 200 users with unlimited broadcasting.
There are some important differences between Telegram and the other apps covered here, starting with the fact that users are discoverable by user name and not only number. This means that contacts don't ever have to know a phone number when using Telegram, a mode of communication closer to a social network.
The sign-up asks for an optional user name in addition to the account mobile number, and requires the user verify the number by receiving and entering an SMS code. The app is polite enough to ask for access to the user's phone book and other data, which can be refused, and handily notices which contacts within that list already have signed up for the app.
Given it's impressive security credentials, the platform has attracted less than desirable forms of communication. It's reputedly used extensively by drug dealers and reportedly by jihadists for propaganda purposes. This is not the fault of the developer but does bring home how such apps can be misused in ways that are difficult to control. British prime minister Theresa May has since specifically singled out Telegram as a threat.
Wickr first launched for iOS and Android, touting an encrypted way for ‘teams and enterprises' to communicate with one another. It received millions in funding, including from big name financiers including Thor Halvorssen of the Human Rights Foundation and In-Q-Tel, the CIA's venture capital wing, reports Vice.
Privacy and security advocates the Electronic Frontier Foundation audited the app and gave it a score of five out of seven – not bad considering the encryption was closed off at that time. To soothe those fears Wickr published a paper that provided some details on its end-to-end encryption protocol. But in August 2017 Wickr made its cryptographic protocol open source, and so, possible to review.
The app creators even offer a 'bug bounty' - up to $100,000 promised to anyone who can identify a potential security vulnerability in the communication service.
It also offers software called Wickr Pro – a sort of Slack-like collaboration program but with end-to-end encryption.
Pryvate was established in 2013 by Cryptique, a secure communications provider based in the Channel Islands. Pryvate encompasses secure email, voice calls, conference calls, video calls and instant messenger, web browsing and even financial transactions.
The service comes with RSA 4096-bit encryption that is not reliant upon servers or middlemen. Like Snapchat, you can send messages that automatically self-destruct and receive a notification if they've been screenshotted.
It has primarily business users in mind but also offers some solid features for consumers in its free version.
Notably, in 2018 the company also launched a blockchain powered secure communications platform, Pryvate Coin, which you can register for today.