The Electronic Frontier Foundation (EFF) is a lobby group dedicated to “defending civil liberties in the digital world”. At MakeUseOf we love what they do. I’ve featured their work before in my explanation of warrant canaries and many other authors have also written articles that cite them.
One of the many things they maintain is the Secure Messaging Scorecard. From the EFF:
The Secure Messaging Scorecard examines dozens of messaging technologies and rates each of them on a range of security best practices. Our campaign is focused on communication technologies — including chat clients, text messaging apps, email applications, and video calling technologies. These are the tools everyday users need to communicate with friends, family members, and colleagues, and we need secure solutions for them.
What Makes A Secure Messaging App
The Secure Messaging Scorecard scores the different communication apps on seven dimensions:
- Are your messages encrypted at all stages of the communication?
- Is the encryption end-to-end so the messaging company can’t access your communications?
- Can you verify who you are messaging?
- If your encryption keys are stolen, are you your previous communications safe?
- Can the app’s code be independently reviewed?
- Is the design and implementation of the cryptography documented and available for review?
- Has the code and implementation been independently audited in the last year?
While on their own these dimensions don’t guarantee that a messaging app is secure, they highlight the apps that are more likely to be so. Even more importantly, if an app fails any of the first four criteria it can be considered unsecure to some degree.
Popular? It’s Probably Insecure
The results of the scorecard are quite disturbing. Of the most popular communication apps — BlackBerry Messenger, Facebook Chat, iMessage, Skype, Snapchat, Viber and WhatsApp — only iMessage passed more than two of the tests.
Most worryingly, all the parent companies, except for Apple, can decrypt and read your messages. Through programs like PRISM, government agencies can potentially access every message you’ve ever sent or received.
The Secure Communication Apps You’ve Probably Never Heard Of
There are, however, some apps that are genuinely secure. ChatSecure, Silent Phone and Silent Text from Silent Circle, and Signal, RedPhone and TextSecure from WhisperSystems all scored full marks in the EFF’s scorecard.
ChatSecure is a free iOS and Android app that “uses well-known open source cryptographic libraries” such as XMPP, OTR, and Tor to ensure your messages remain private. With ChatSecure you can communicate with other app users and also anyone who uses an app that supports the same protocols.
Silent Circle offers a subscription plan that covers two of the apps that got full marks in the EFF’s scorecard: Silent Phone and Silent Text. The apps are available for both iOS and Android. Silent Phone is for making encrypted voice, video and conference calls — think of it as a secure Skype.
You can even use Silent Phone to call non-users and the call will be encrypted. Silent Text is a secure alternative to most messaging apps. It’s feature set is pretty similar to WhatsApp or Facebook Chat.
Silent Circle is aimed at travelling business people who need security on the road. The plans start from $12.99 a month and include unlimited communications between Silent Circle members through Silent Phone and Silent Text. The difference between the plans is the number of monthly minutes you have for securely calling non-members with Silent Phone.
You can sign up for a plan on the Silent Circle website.
Like Silent Circle, WhisperSystems produces a couple of different secure apps. For Android, they have Red Phone and TextSecure, and for iOS they have Signal.
RedPhone integrates with your phone’s default dialler. If you call a friend who also has RedPhone installed, you’ll get the option to make an encrypted call rather than a regular cell call. TextSecure, similarly, integrates fully with your Android phone. It replaces the default text messaging app. If you send a message to another TextSecure user the data is automatically encrypted.
Signal — the iOS app — doesn’t integrate as fully with the operating system. It works just like RedPhone but is a standalone app. You can even call RedPhone users from it. Support for TextSecure style messaging is in development.
There are countless threats to your privacy online. From hackers to the government. Even googling things related to online privacy can get you on a NSA watch list.
All the apps featured in this article make it as hard as possible for people to intercept your communications. You don’t need to be a drug dealer to want your messages to be tough to intercept and read.
Are you aware of any more secure apps, or surprised by the results from the Secure Messaging Scorecard? Share your thoughts by leaving a comment.