Top 5 messengers for paranoiac people for 2021

19 July 2022 1

Title image for Top 5 Secure Messengers for 2021

A Kingdom Prince might not hack yours, but a colleague or stranger can!

Even Jeff Bezos' WhatsApp is not secure, as reported by the newspaper "The Guardian".

Not only that, Facebook paid the price, so you don't have to!

Facebook had to pay a record penalty of $5 Billion for secretly leaking user data in the name of metadata, as FTC claimed that Facebook deceived users by making them believe that their privacy is safeguarded.

These incidents provoked security personnel to eliminate privacy issues in messengers, and some of them came up with apps safe for messaging while being completely anonymous.

I would argue about the end-to-end encryption of most of the commonly used messengers since you can receive messages and the history of messages when logging into another device.

Sean Wright, an InfoSec Researcher

Hell, lots of risks are present with the use of Facebook Messenger, Twitter, or WhatsApp.

Let's find some app that conforms to all standards together.

Table of Contents

What Makes Messenger vulnerable to threats?
Top 5 most secure messengers 2021?
- Threema
- Amazon Wickr Me
- Signal
- Session
- Element
Conclusion

Disclaimer: This blog is not funded in any way, and the content here is just for the educational drive, and we don't want to deprecate any of the messengers. We want to encourage the concept of shielding your data and picking a secure messenger.

While all the messengers mentioned in this article are secure and offer most of the security features we need to protect our privacy, choosing one can be a headache; therefore, we present a table comparing all the features in detail.

Messenger/ Feature	Threema	Wickr Me	Signal	Session	Element/Riot
Phone number or email address requirement	No	Yes	Yes	No	Yes
End to end encryption of transmitted messages	Yes	Yes	Yes	Yes	Yes
Data Backup to Cloud	No	No	No	No	No
Advertisements	No	No	No	No	No
Access to Contacts	No	Yes	Yes	No	No
Copy of chats on the server	No	No	No	No	No
Open Source or not	Yes	Yes	Yes	Yes	Yes
Latest Security Audit	2020	2014	2014	No	No (Matrix's encryption library reviewed by an independent party)
Cryptographic primitives	Curve25519 256 / XSalsa20 256 / Poly1305-AES 128	ECDH512 / AES-256 / HMAC-SHA256	Curve25519 / AES-256 / HMAC-SHA256	X25519 / XSalsa20 256 / Poly1305	Curve25519 / AES-256 / HMAC-SHA256
Can the Company read messages?	No	No	No	No	No
Metadata encryption?	Yes	Yes	Yes	Yes	Depends on your joined matrix server.
Self-destructing messages?	No	Yes	Yes	Yes	No
Free or Paid?	Paid	Paid	Free	Free	Paid

For everyone who still uses Facebook Messenger and WhatsApp, which one do you choose: a vulnerable messenger or a secure platform?

Non Encrypted messengers are a cakewalk for attackers and especially when left vulnerable. Once exploits are located, we must start to educate people about the risks and start transitioning to privacy apps.

Monthly Active Messenger users in millions August 2021

Image source – statista.com

What makes Messengers vulnerable to threats?

When messengers consume a pile of information from users, it is usually done on the name of data collection, more commonly termed as metadata collection.

This data includes:

Purchase history
Location
Contact information
Name
Gameplay Content
Search History
Browsing History,
User ID
Device ID
Product interaction
Crash Data
Performance Data
Health data
Customer Support Data
Messages
Call logs

This intrusive collection of metadata forced FTC to take action against Facebook.

If the vast database is even slightly exposed due to any reason, it can result in the loss of precious data. It has happened to many services in the past, and the internal factors involved were:

Weak Passwords
Insider threats (from employees)

Even a secure messaging app is only as safe as the device it is installed in.

Many of us believed that all the private data we shared over our commonly used messenger apps like Facebook Messenger, Skype, Instagram, Snapchat, or Twitter was safe, but all of it was an illusion.

It shattered as soon as vulnerabilities started to arise.

But there is light as the end of the tunnel, and that is those messengers made for security.

I compiled a list of the top 5 Most Secure Messengers of 2021 to contribute to your struggle in keeping your data safe.

Threema

Threema was developed by a Switzerland-based software company, "Threema GmbH," known very best to develop their Most Secure Messenger.

To maximize the anonymity, this does not require any phone number or critical registration details of the user.

Image source – threema.ch

Threema Messenger User Interface

Image source – behance.net

Moreover, Threema makes sure that your message is read by the intended recipient, which is made possible through Threema's High-level encryption.

Threema also made it clear that they delete the messages once they're delivered.

This feature helps to maintain privacy.

Another great feature offered by Threema is QR code and Fingerprint verification, which helps prevent MITM (man-in-the-middle-attack)

Security features
End-to-end encryption in iOS A private key is stored in iOS keychain 16/31 Threema Cryptography White paper
End-to-end encryption in Android Local Data in SQLite Database, which SQLCipher protects with AES-256 Encryption key derived from device's UID key and user's passcode)
Openly accessible source code and external security audits
Optional Contact Synchronization
Ephemeral messages
Private chat option
New temporary keys are generated every time the app starts. Also, the temporary keys are volatile and are not saved in memory
HTTPS is used as a transport protocol.
Strong TLS cipher(Forward secrecy)ECDHE/DHE and TLSv1.2 are supported
Combatting MITM attacks: Threema allows the verification of the person who you are chatting with through an ID Even if a trusted CA store is tampered with or a certificate issued for Threema domain name, the app accepts only hardcoded pins by using public key pinning.

The only drawback about Threema is it costs 2,99 EUR/month, which is not a huge deal-breaker.

You have to pay a small price to protect your data and privacy and help the Company stay in business because there are no ads for funding.

Nothing like Free lunch exists if you get a service for free. Most probably, you are paying with your data.

Amazon Wickr Me

WickrMe is an America-based software company known best for its one of the world's most secure messenger services. It has its main office located in New York City.

Recent news has revealed that Wickr has joined hands with Amazon, one of the US Big Five Information Technology companies.

Image source – logos.download.com

Amazon Wickr Me Messenger User Interface

Image source – underspy.com

They offer 4 packages based on the user's necessities Basic, Silver, Gold, and Platinum.

Their free basic package supports chatting with up to 10 persons, secure voice/video call with up to 70 people, SaaS, 1Gb file transfer, Secure screen sharing, and unlimited searching.

Security Features present
Cryptography Communications are locally encrypted on the device of a user. Even Wickr doesn't possess decryption keys
Every File is encrypted with a new random key
Even if a breach happens, Wickr servers cannot share user communications; they are undodgeable during transit and get deleted on delivery
Multi-factor authentication
Account takeover protection
Device encryption at rest
Message revoke
Secure link preview
Screenshot detection
Constant bitrate VoIP
Constant time hardened Crypto implementation
Scrypt based password hashing

The Company promises a solution to this. Also, since Amazon has joined hands with Wickr, we expect drastic changes as well.

Signal

Signal Messaging app is developed by a USA-based software company identified as Signal Technology Foundation and Signal Messenger LLC.

It is not just an application but a protocol and an innovation introduced by the legendary privacy activist Moxie Marlinspike.

Image source – en.wikipedia.org

Signal Messenger User Interface

Image source – macrumors.com

This protocol is integrated into many famous messenger apps like Facebook Messenger, Facebook WhatsApp messenger, Skype, etc. But it could not be verified because they are closed source applications, unlike Signal Application.

A non-profit organization created a Signal; therefore, it is entirely free.

Security elements
Strong End to End encryption
Hide messages on your lock screen
View media once the option
In-App payments
Incognito keyboard
Signal PIN
Disappearing messages
Note to Self-chat

Session

The Session app was developed by two Australian Software Companies known as Oxen Privacy Tech Foundation (OPTF) and Loki Foundation.

The Session is considered one of the truest private messengers in the market as it does not even need a phone number to register your account.

It is a modification of Signal Messenger.

Image source – arcanelost.com

Session Messenger User Interface

Image source – getsession.org

Currently, they're making their moves to recognize Session Messenger as the best secure messaging application.

Security Features
Client-side E2E encryption Encryption is done through Session protocol, built on libsodium, which is a trusted cryptographic library
Chat Anonymously
Open Source public key based
Serverless transfer Messages are transmitted through a decentralized online routing network, much like Tor, the system used is called onion requests. It ensures that no server saves a message's origin and destination

Their privacy policy, in a nutshell, states that they never know who the user is or with whom he/she is talking or even what he is texting, speaking, listening, sharing, etc. It means they do not collect our information leave alone share it.

Element

The Element was developed by a UK-based software company "Element" formerly known as Riot and Vector.

For security-conscious to consider, they offer end-to-end encryption and allow you to set up your server to store your data.

Yes, that's where their provided free matrix account comes into play.

Image source – onetwotwo.sg

Element Messenger User Interface

Image source – element.io

You can also use element messenger to communicate with another messenger that supports matrix protocol, including Slack, SMS, Signal, Telegram, Facebook Messenger, Google Hangout, Skype, Discord, and even iMessage.

Of course, to implement cross-platform chatting, you'll have to do some homework with coding also set up a matrix server with such integration.

Security aspect
End to End encryption with cross-signed device verification is based on Olm, Megolm, and Double Ratchet standards
Open-source
Decentralized storage, so you can choose your server if you want to
Independently audited
Two-factor Authentication: Secret key to login into devices
It can be used on a Web browser

However, many users are not happy that it requires email and phone no while registering.

Also, it comes with 4 plans, same as Amazon Wickr Me, which are Nickel, Silver, Gold, and Platinum.

Conclusion

Lack of privacy features on commonly used Messenger has led to the development of new security-focused messengers.

Daily we hear about security breaches and identity thefts, so it's inevitable to become more cautious about our privacy. Ever wondered which is the most vulnerable app of 2021?

To those relying entirely on Messenger for day-to-day conversations, you have a choice now.

Keep reading this, and let me know what you think! Please, share your opinion in the comments.

Share

Post

Share

Comments

Crypto

1 year ago

Wickr should be the number one, cos Threema is vulnerable for MITM and give access to the public keys to law enforcements.

Signal has great encryption protocol but fails in authentication than is also vulnerable for MITM.

If we really want secure communication, then we need better authentication mechanisms. Signal is in a position to lead the charge. If they do, we can hold other secure messengers to the same standard: authenticated end-to-end encryption.

Forense tools can extract local data from all apps although the device is encrypted, some apps as Protonmail and Wickr can prevent these tools when well installed.