Wednesday, April 2, 2025

Signal, WhatsApp, and iMessage: Which Messaging App Is Most Secure?

I don’t know very much about what goes into war planning, but I assume that the communications infrastructure that supports that kind of thing is a solved problem for the government. There are secure telephone and video systems, as well as Secure Compartmented Information Facilities (SCIF) that allow the key players to review the most sensitive information about military activities. Typically, I assume, those sorts of conversations aren’t had using consumer messaging platforms on the Secretary of Defense’s iPhone.

Also, I sort of assume that the people involved are smart enough and tech-savvy enough to notice that a journalist has entered the group chat. Apparently, not.

There are a lot of questions raised by what is now certainly the most infamous group chat in the world, in which the Vice President, Secretaries of Defense and State, the Director of National Intelligence, CIA Director, and National Security Advisor were messaging about plans to bomb Houthi rebels in Yemen. We know about the chat because someone accidentally added Jeffrey Goldberg, the editor of The Atlantic.

One question that a lot of readers might be wondering about is just how secure the most popular messaging apps are. Here’s a rundown.

Signal

Signal, the app in question in this case, is end-to-end encrypted (E2EE). That means that messages are sent in an encrypted format and can only be read by the recipient. At the core of its encryption is the Signal Protocol, an open source protocol that allows for public inspection. That decreases the chances of hidden vulnerabilities.

Signal also uses a form of encryption that ensures that even if a session key is compromised, previous messages stay encrypted. Signal also allows the most privacy since you don’t have to link a phone number to use the service (unlike other apps on this list). It also allows for contact verification so that you can ensure that the person you’re messaging is who they say they are.
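The property described above, that a compromised key does not expose earlier messages, rests on a one-way key chain. The following is an added example, not code from the article or from Signal: it models only a symmetric HMAC-SHA256 chain with a toy standard-library cipher, and the function names, root secret and messages are constructed for illustration.

```python
import hashlib
import hmac

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def ratchet(chain_key):
    """One KDF-chain step: returns (message_key, next_chain_key)."""
    return _mac(chain_key, b"\x01"), _mac(chain_key, b"\x02")

def _xor_stream(key, data):
    # Toy keystream (HMAC in counter mode) so the demo needs only the stdlib;
    # not a vetted cipher.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_mac(key, b"enc" + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    ct = _xor_stream(key, plaintext)
    return ct + _mac(key, b"tag" + ct)

def unseal(key, blob):
    """Return the plaintext, or None if this key does not authenticate the blob."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"tag" + ct)):
        return None
    return _xor_stream(key, ct)

def send_all(root, messages):
    """Encrypt each message under a fresh key; only the chain key is carried forward."""
    ck, wire = root, []
    for m in messages:
        mk, ck = ratchet(ck)
        wire.append(seal(mk, m))
    return wire

def readable_after_theft(root, wire, stolen_at):
    """Plaintexts recoverable from the chain key held after `stolen_at` messages."""
    ck = root
    for _ in range(stolen_at):      # advance to the device state at the time of theft
        _, ck = ratchet(ck)
    keys = []
    for _ in wire:                  # the thief can only ratchet forward from there
        mk, ck = ratchet(ck)
        keys.append(mk)
    return [next((p for p in (unseal(k, b) for k in keys) if p is not None), None)
            for b in wire]

# Constructed sample data for the demonstration.
ROOT = hashlib.sha256(b"constructed demo secret").digest()
MESSAGES = [b"msg one", b"msg two", b"msg three", b"msg four"]
```

Calling `readable_after_theft(ROOT, send_all(ROOT, MESSAGES), 2)` leaves the first two messages unreadable while the later ones in the same chain are recovered. Signal's Double Ratchet adds a Diffie-Hellman step to limit that forward exposure, which is not modelled here.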
In general, Signal is widely considered the most secure consumer messaging app because third parties can verify its security claims, and the company does not have access to metadata about your conversations.

iMessage

If you only send messages to other iPhone users, Apple’s iMessage platform is arguably the best and most secure option. Unlike Signal, Apple’s protocol is proprietary and not open for inspection by third-party security researchers. That makes it harder to verify that it is as secure as it claims, but Apple is well known for its commitment to security and privacy.

One advantage is that Apple uses a 1:1 encryption model for group chats, which means that every message is encrypted individually for each member of the group. This is technically more secure than Signal’s Sender Key method, though it means that iMessage group chats are much more limited in terms of group size (due to the resources required for all of that individual encryption).

Apple also says its encryption is designed for post-quantum computing. The idea is that eventually quantum computers will be able to break encryption easily enough to read protected messages, but Apple is designing its algorithm to resist those types of future capabilities.

There are, however, two main drawbacks to Apple’s messaging platform. The first is that once you start messaging anyone with an Android device, it will fall back to RCS, or, worse, SMS—neither of which is encrypted within the Messages app. RCS supports E2EE, but Apple has not implemented the ability to send encrypted messages to Android devices.

The other is that if you use iCloud backup for your messages, and aren’t using Advanced Data Protection, a copy of your messages is stored on Apple’s servers. While they are encrypted at rest, the company is able to turn them over if requested by law enforcement because it retains a key.
WhatsApp

WhatsApp uses the Signal Protocol (see above), meaning it offers a reliably secure form of protection for messages by default. One problem with WhatsApp is that, while the content of your messages may be encrypted, the metadata about the messages you send, and who you send them to, is not. That information is collected and stored by WhatsApp.

Some people are also less than enthusiastic about using an app owned by Meta, which isn’t exactly known for its ability to keep its hands off of user data. It does, however, have the benefit of a massive user base, which means that there’s a good chance that the person you want to message with will be using WhatsApp. The app also has the best feature set for group messaging by far.

Telegram

To be clear, Telegram is not an E2EE messaging platform by default. Every regular message you send is encrypted in transit, and is encrypted as it is stored on Telegram’s servers, but that’s not the same thing as being encrypted so that only the recipient can read your message. This makes your messages vulnerable to anyone who has access to those servers.

The app does allow you to create a “Secret Chat,” which is encrypted, and you can even set these to delete after a period of time. Still, if you care about protecting your text conversations, there are far better options on this list.

Messenger

Meta’s “other” messaging platform started rolling out E2EE last year, which should eventually put it on par with WhatsApp. The drawback here is that the rollout is happening over time, which means that not every user will immediately have it turned on by default. In addition, you might have some chats that are protected, and others that aren’t, and the average user isn’t going to know how to tell the difference.
The bottom line

It’s worth mentioning, however, that it does not matter how private or secure the encryption is on a messaging platform—if you include someone in a group chat and send a message to that group, they’re going to be able to read the message. Or, put another way, the problem here has nothing to do with encryption, and everything to do with human error. Most of these apps offer a secure form of E2EE for consumers, but there is no guarantee your messages will stay secret if you text them to a journalist.

EXPERT OPINION BY JASON ATEN, TECH COLUMNIST @JASONATEN
