TL;DR: Signal is the best messenger/calling app. Every other messenger has design flaws that affect user security and privacy. Signal is widely regarded as the most secure and private messenger currently available.
What Makes a Good Messenger
A messenger that respects user privacy and is secure by modern standards, needs to meet a few criteria:
The messenger should not collect data about it’s users beyond what is required to function.
End-to-end encryption needs to be used to ensure messages/calls can not be viewed by anyone other than intended recipients.
The cryptography used for the end-to-end encryption needs to be implemented properly using audited, reputable, and verifiable protocols.
Message/call metadata should be protected and private.
It needs to be secure and private by default.
Governments should not be able to force those running the messenger to break the encryption or backdoor the software.
It should support basic features: messaging, voice calling, video calling, and file sending.
Being open source is an additional plus.
Many messengers meet some of these criteria, but not all.
Signal Messenger
Signal is a cross-platform end-to-end encrypted messaging/calling app. It can be installed on phones and computers and supports instant messaging, voice calls, video calls, sending files, taking/sending pictures/videos snapchat style, and much more.
Signal does not track its users. The only info Signal knows about you is the phone number used to register, the account registration date, and the last time you used Signal.
Signal is open and transparent about what government requests they receive. It is open source and all of its code is freely viewable here. Signal is ran by the 501(c)(3) non-profit Signal Foundation, and is funded by donations and grants. It has been independently audited by third party companies to check for vulnerabilities and to verify trustworthiness.
Some of the features Signal has:
End-to-end encryption: Ensures message/call content can not be viewed by any unintended parties, including the Signal Foundation itself. It uses the audited and reputable Signal Protocol developed by the Signal Foundation for end-to-end encryption.
Perfect Forward Secrecy: This ensures that if the encryption key of one message is compromised, other messages can not be decrypted and viewed with that same key.
Sealed Sender: This is used to conceal metadata. Signal protects metadata better than all other messengers.
Safety Numbers: Used to verify you are communicating with who you think you are.
Private Groups: A private group chat/calling system. The Signal Foundation has no record of who is in a group chat/call, the name of the group, or the group avatar. This is in stark contrast to other messengers where all this is viewable by the service.
Signal and Phone Numbers
Signal requires a phone number for registration and use. This raises a privacy concern for some as anyone you message in Signal can see your phone number. This can be partially solved by using a burner phone or VoIP number when registering with Signal. Signal has said they are working on adding usernames that may replace phone numbers.
Enable registration lock and set a pin in Signal. This will require a pin to be entered before the same number can be registered with Signal again, helping to prevent your Signal account from getting stolen.
Due to the secure way Signal has been designed, messages are not backed up or stored on the Signal servers. This means when installing Signal on a different device, you will need to transfer messages to the new devices.
Texting/SMS
SMS/MMS (commonly referred to as “texting”), and phone calling is the most common form of communication, but it is neither secure nor private.
Your cell carrier can read your messages/phone calls due to the lack of end-to-end encryption. Some carriers encrypt part of the journey the message/call data takes, but only between the phone and cell tower. They then decrypt the data at the cell tower and are able to view its content. They store this decrypted message/phone data for varying lengths of time, up to seven years.
Every second your phone is online and connected to a cell tower your cell carrier is aware of your location to within ~100 meters. This valuable location data is sold to bounty hunters, advertising agencies, and the government.
Texting is especially susceptible to sim swapping. This is where a cybercriminal gets control of your cellphone number through social engineering. What is social engineering? Cisco defines it as:
At its core, social engineering is not a cyber attack. Instead, social engineering is all about the psychology of persuasion: It targets the mind like your old school grifter or con man. The aim is to gain the trust of targets, so they lower their guard, and then encourage them into taking unsafe actions such as divulging personal information or clicking on web links or opening attachments that may be malicious.
Sim swapping attacks can be devastating, leading to drained bank accounts, stolen tax returns, and identity theft. The FBI Internet Crime Complaint Center received complaints totaling losses of $68 million in 2021 due to sim swapping. These losses are due to many online account using sms for signing-in, multifactor, and/or password resets. Once an attacker has control of your phone number, that can use it receive password reset links for these accounts.
Unfortunately there are no good safeguards your can put up to protect from sim swapping. This is why text-based authentication and multifactor should be completely avoided. An account secured with sms MFA is hardly any better than not having any MFA.
Please, do not use text or phone based sign-in or multifactor authentication to secure any accounts of importance.
iMessage
iMessage is an instant messenger owned by Apple that supports instant messaging, voice/video calling, and file sending.
The first knock against it is that it is not cross platform, it is only available on Apple devices. It is also closed source, does not have perfect forward secrecy, does not protect metadata and shares the metadata they collect with law-enforcement.
While iMessage does have end-to-end encryption, it has been implemented poorly and is not secure. To make matters worse, if iMessage is being backed up with iCloud (which it is by default), Apple is able to see the backed-up messages. This is because iCloud backups are not end-to-end encrypted. The reason iCloud backup does not have end-to-end encryption? Because the fbi complained when Apple was going to enable it. :unamused:
Apple has tried backdooring iMessage by adding a client side scanning service to iMessage that would scan messages for “bad” material and report it. Although not currently implemented, there has been talk again about adding it.
While iMessage is convenient on apple devices, it should not be used due to its many downsides, poor encryption and lack of cross-platform support.
Whatsapp is a instant messenger owned by the data harvester/ad tech company Meta (Facebook’s new parent company). It supports instant messaging, voice/video calling, and file sending.
Although Whatsapp has end-to-end encryption and is not able to view message contents, metadata is tracked aggressively. Their privacy policy shows that Whatsapp has been incorporated into the massive data harvesting operation of their parent company, Facebook.
Here is just some of the data they say they collect from their privacy policy:
..we collect information about your activity on our Services..this includes information about your activity..log files, and diagnostic, crash, website, and performance logs and reports..when you registered to use our Services; the features you use like our messaging, calling, Status, groups (including group name, group picture, group description), payments or business features; profile photo, “about” information; whether you are online, when you last used our Services (your “last seen”); and when you last updated your “about” information..device and connection-specific information when you install, access, or use our Services. This includes information such as hardware model, operating system information, battery level, signal strength, app version, browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers..precise location information from your device.. [and] ..cookies..
Facebook markets Whatsapp as a privacy messenger, but after looking at their privacy policy, it clearly is not.
Further, a propublica article talks about the monitoring and censorship that Whatsapp does on messages:
WhatsApp has more than 1,000 contract workers.. [who] ..use special Facebook software to sift through millions of private messages, images and videos. They pass judgment on whatever flashes on their screen..
The workers have access to only a subset of WhatsApp messages — those flagged by users and automatically forwarded to the company as possibly abusive. The review is one element in a broader monitoring operation in which the company also reviews material that is not encrypted, including data about the sender and their account.
$19 billion is how much Facebook payed for Whatsapp in 2014. Yet, Whatsapp is free to download and does not have ads. In order to make Whatsapp profitable, Facebook collects data about its over 2 billion users and sells ads about the data it collects.
Whatsapp, marketed as a privacy focused messenger is not private in the slightest. It heavily tracks its users and is invaluable to Facebook data harvesting. Whatsapp should be avoided.
Telegram
Telegram is a cross-platform instant messenger based in Dubai, United Arab Emirates. It supports instant messaging, voice/video calling, and file sending.
Telegram does not use end-to-end encryption by default, therefore the Telegram servers, and anyone able to capture messages, are able to view the message contents. There is a feature called Secret Chats that enables end-to-end encryption, but only for the chat it was enabled for. The encryption used is their own custom un-audited protocol that has had major flaws in the past, and many cryptographers call “weird”.
Telegram collects metadata about their users according to their privacy policy:
..we may collect metadata such as your IP address, devices and Telegram apps you’ve used, history of username changes, etc. If collected, this metadata can be kept for 12 months maximum.
Like Signal, a phone number is used for registering and signing in. Unlike Signal, the server code is not open source.
Telegram is not recommended due to end-to-end encryption not being enabled by default, its metadata collection and the un-audited custom protocol they use.
Session
Session is an up and coming messenger that has many promising features, but is not yet ready for general use.
A few things currently wrong with it are that it doesn’t have perfect forward secrecy, message delivery is slow and unreliable, it is based in Australia where encryption/privacy laws are bad, and it is based on their own weird cryptocurrency/blockchain and onion network.
Conclusion
Not all messengers are created equal; Many should be avoided outright. Some more messengers to not use due to bad security and privacy are Facebook Messenger (even worse security than Whatsapp), Snapchat (bad privacy, snaps not actually deleted, lacking encryption), WeChat (Chinese have access to everything sent) and Marco Polo (lacking encryption, share personal data with third parties).
Signal is different. It has been designed from the ground up taking great care to protect user security and privacy through technological means. While not perfect, it is the current best option for a private and secure messenger.