Don’t fancy your messages being read by unwanted parties? Get a secure messaging app and worry no more. There’s a good chance you’re already using something to replace SMS – be it WhatsApp, Google Hangouts or Twitter’s direct messages – but security is a notoriously grey area for these services.
Today we’re taking a look the best choices on the App Store for reliable, secure messaging. Each of these apps has been designed with security before everything else, which should make them pretty trustworthy.
What About iMessage?
The security of Apple’s own iMessage system is often the topic of discussion among skeptics and concerned users alike. In October of last year QuarksLab posted details of two vulnerabilities it had found with Apple’s iMessage. The report claimed that the retrieval of messages is possible in a scenario where the attacker has access to both sets of encryption keys, while impersonating Apple’s servers and intercepting correspondence.
This is a highly unlikely scenario in the wild, though it is certainly possible under more controlled conditions. QuarksLab reiterated the “strong requirements” required on multiple occasions. The other attack involves Apple being able to intercept and decrypt messages, simply because it was Apple who implemented and maintains the systems that power the service.
Apple technically has all the bits it needs to put together to be able to intercept messages too, though the company has stated that the iMessage system has not been built in such a manner to facilitate this kind of attack. We’ve only got Apple’s word, but it’s fair to say that the company stands to lose more than trust (think customers and lawsuits) if they are found to be lying.
So is iMessage secure? Yes, and it’s perfectly adequate for most users’ requirements. And if you’re really worried that your plans for global domination are too sensitive for an instant message – don’t talk about it over IM.
Silent Text (Subscription-based)
Silent Text, from the security-minded Silent Circle, was one of the first services of its kind to spring up in October 2012, long before the NSA and Prism revelations of last year. The service comes as part of a secure phone and text messaging system which requires a subscription in order to use. You can get Silent Text and Silent Phone together for $9.99 per month, and for an additional fee you can even call non-Silent Phone numbers, securely.
Both apps use end-to-end encryption, the keys for which Silent Circle claims only subscribers have access to. Like many apps of this type, Silent Text has a “Burn” feature which allows you to stipulate how long your message lasts before being destroyed. The apps are also available for Android, perfect for cross-platform messaging.
Silent Circle used to offer Silent Mail, but the service was discontinued last year after US security services sought unfettered access to everyone’s personal information.
A completely free service, Confide is designed to take everyday conversations off the record by deleting them once they have happened. It’s the Snapchat approach to messaging, with a few security-conscious tweaks like end-to-end encryption (as per Silenct Circle, Confide claim they can’t read your messages either).
The app uses a slick interface but lacks one important measure at present – a passcode. Unique swiping gestures prevent messages from being captured by a screenshot in their entirety, making this a very clever little app indeed. Confide is currently only available to iPhone users.
Boasting “military-grade encryption”, Wickr offers some serious control over who can read your messages. Self-destructing messages are the order of the day here, and Wickr allows you to set the duration for which your message is available, as well as a whitelist of recipients who can see it.
Each message gets its own unique AES 256-bit encryption key, and the app doesn’t need any personal information from you – making it both privacy and security conscious. Wickr is also available for Android, a great choice for cross-platform requirements.
Threema is a secure messaging service that claims to offer “true” end-to-end encryption. The app isn’t anonymous, and instead requires an email or phone number as a form of identification. Public encryption keys are pulled from the server during setup, but Threema’s trick involves verifying who you are talking to.
It’s possible to “verify” keys by meeting in person and using Threema to scan a QR code with your associate’s ID and public key, which will upgrade that contact’s verification level. Not ideal if you’re not meeting in person any time soon, but a novel way of doing things. Also available for Android.
ChatSecure is a different kind of secure messaging program – one that doesn’t rely on its own protocol, but rather uses existing services. This means security is a bit of a mixed bag, though with a name like ChatSecure you’d expect a few padlocks here and there. These come in the form of support for non-standard root certificates for Jabber connections, SSL certificate pinning and a basic encrypted connection.
The app also uses Off-the-Record (OTR) encryption but you’ll need to make sure the person you’re speaking with is using a client that supports it. If you’re looking for a security-minded multi-protocol IM client for Jabber, Facebook, Google and more, this is it.
Finally comes Telegram, an app which again makes some pretty bold claims about its security. According to their FAQ they claim to be more secure than WhatsApp or Line, but only use end-to-end encryption on certain “secret” chats.
The service is cloud-based, so message retrieval is possible from multiple devices. Telegram also reckon that the decentralised network of servers they use makes it one of the fastest messaging apps on iOS, as users connect to a nearby server that’s local to them. The app is completely free forever, with no ads, and also available on Android.
What I said at the start of the article bears repeating: if your topic of discussion is really that sensitive, instant messages sent over the Internet might not be the best place for your chat. For most of us, iMessage provides encryption that’s “good enough” – and I don’t see why Apple would be interested in my boring chats anyway.
For everything else you should probably opt for something like Wickr for its anonymity, Confide for its clever message scrambling or ChatSecure for connecting to your own Jabber server. Let us know if you have any preferences or best practices when chatting securely from your iPhone.