A Brief Comparison of Secure Messaging Apps
We are in a period where personal security is a rising concern. Data protection is no longer essential only to network admins in corporations and government entities; it is becoming something that even people who haven’t heard of the deepweb are conscious of. Because of this, companies are starting to release tools and software to make data security easier for the layman. Three of the most popular tools take the form of mobile apps, and I’ll be discussing the pros and cons of these in this article. Two of the tools are mobile messaging applications and the third doesn’t quite fall under the same category: it’s a secure email client that has mobile access.
First we have Wickr. I’ll skip through most of the introductory information on this company/service and cut directly to the chase. The most concerning piece of the picture is that Wickr is not open source and their information documenting the security and encryption process is essentially non-existent. No company is inherently required to document their security process or be completely open with their software, but the less we know about a service, the more cautious we should be. There is no way to verify any of their claims.
Here are some of the features they mention Wickr has:
Secure: Send and receive secure messages, documents, pictures, videos and audio files.
Anonymous: Your conversations can not be tracked, intercepted or monitored. Your Wickr ID is anonymous to us and anyone outside your Wickr network.
No Metadata: Wickr removes all records, geotags, and identifying information from your messages and metadata
Shredder: Irreversibly remove all deleted messages, images and video content from your device.
Configurable timer: Set the expiration time on all your messaging content.
Without being able to have their software and process analyzed, there is literally no way to confirm whether or not their claims are even remotely truthful. The UI of the app doesn’t even encourage users to be secure. Reddit user Maqp writes a paper on Wickr wherein he points out that the fingerprint verification is very poorly implemented, as well as a few other QOL issues that raise good points about security.
Fingerprint verification is hidden behind a tap on the user avatar. Anyone who doesn’t know better won’t be using the feature. Since the lock icon is the same color as all symbols, there’s no way to immediately figure out that the security is not at an adequate level.
The app has several other concerning features unrelated to not knowing whether or not the app is even slightly secure and I’d recommend checking out the article I linked to. One feature that is always pointed out whenever a service offers it is the “file shredding,” so to speak. Wickr allows users to set a timer on the messages they send and have them self destruct after they’ve been read. This is sort of deceptive to the unaware user because there’s literally nothing stopping the receiving user from taking a picture of the message or saving it some other way. Back when I used Wickr, years ago, I remember there being a way to screenshot messages and I had to utilize it a handful of times to save things like addresses and .onion.rent URLs that were hard to remember.
Opinion on Wickr: don’t use it.
Anyway, I think I’ve made my point and to keep this brief I will move on to ProtonMail.
When I finally got an invite to join ProtonMail back when they weren’t entirely public and were conducting small-ish beta trials, I was incredibly excited as they looked very promising.
The service started as a web-based email program with end-to-end encryption. Unlike some other security services, ProtonMail didn’t come up with their own encryption algorithms or create new protocols; they used the tried and true PGP encryption. I’ll run you through a list of their claims and features as briefly as possible because it is quite an extensive list. When it comes to security, this is never a bad thing.
Since I’ll be skipping over some of the features, I’d highly recommend that you head over to the website here and take a look for yourself.
They obviously use end-to-end encryption that they claim is entirely anonymous. They claim that none of your data is logged by their servers. This one is a little fishy. In the past, anonymous mail clients that claimed not to log user traffic have been proven to be lying, even if they were doing it innocently. I would not count on this to be 100% certain.
I do believe they are far more worried about security and take greater lengths to protect user information than almost any other similar service that exists right now.
Completely open source cryptography is used. This is reassuring.
We use only secure implementations of AES, RSA, along with OpenPGP. Furthermore, all of the cryptographic libraries we use are open source. By using open source libraries, we can guarantee that the encryption algorithms we are using do not have clandestinely built in back doors. ProtonMail’s open source software has been thoroughly vetted by security experts from around the world to ensure the highest levels of protection. Source.
They too have self-destructing messages. Pretty much a gimmick at this point.
They claim you are able to securely communicate with non @ProtonMail addresses, and you can. I wouldn’t make a habit of it though. They detail the process here:
We support sending encrypted communication to non-ProtonMail users via symmetric encryption. When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser, which they can decrypt using a passphrase that you have shared with them. You can also send unencrypted messages to Gmail, Yahoo, Outlook and others, just like regular email. Source.
Aside from being Swiss-based, which sounds good, one of the more interesting parts of ProtonMail is the literal hardware security. It’s pretty impressive. I’m not sure how well it translates to our daily needs and uses, but it’s intriguing.
We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland so your data never goes to the cloud. Our primary datacenter is located under 1000 meters of granite rock in a heavily guarded bunker which can survive a nuclear attack. This provides an extra layer of protection by ensuring your encrypted emails are not easily accessible to any third parties. On a system level, our servers utilize fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized.
All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and corporations. As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have. Source.
Overall, I am very impressed with ProtonMail. They are currently the best option for encrypted email, in my opinion. They’ve been endorsed by a few big names in the security industry and have a decent threat model. I use them daily for what they recommend you use them for.
Opinion on ProtonMail: use it the way they recommend, and not if, to put it in their terms: you are Edward Snowden, or the next Edward Snowden, and have a life and death situation that requires privacy, we would not recommend using ProtonMail.
On to Signal.
Signal is best considered the more modern version of Wickr. Because of Edward Snowden endorsing Signal, they have some traction in the secure messaging field. Now, I would never blindly trust anything just because someone with some clout recommended it, but Snowden is one of the biggest security related household names, and for a good reason.
They openly state what their app offers (there is a desktop client too, but it requires pairing with an Android phone). A major difference between Signal and Wickr is that Signal is completely open source. Anyone can fact check the claims they make. Anyone can make sure that there are no backdoors in the software that were forced there by the NSA or any spying eyes.
Unlike Wickr and ProtonMail, there is no account or password stored on a server; everything is tied to your device and phone number. The app is easy to use. The EFF gives Signal a perfect score and it is one of a few services that checks all of the boxes. Here is the scorecard for your own examination. EFF Scorecard. And here’s what they received points for.
They received points for having communications encrypted in transit, having communications encrypted with keys the providers don’t have access to (end-to-end encryption), making it possible for users to independently verify their correspondent’s identities, having past communications secure if the keys are stolen (forward secrecy), having their code open to independent review (open source), having their security designs well-documented, and having recent independent security audits. (Wikipedia)
The NSA has stated that Signal is a major headache for them:
On December 28, 2014, Der Spiegel published slides from an internal NSA presentation dating to June 2012 in which the NSA deemed RedPhone [Signal before the merging of two apps] on its own as a “major threat” to its mission, and when used in conjunction with other privacy tools such as Cspace, Tor, Tails, and TrueCrypt was ranked as “catastrophic,” leading to a “near-total loss/lack of insight to target communications, presence…”
The mobile app is one of the best examples of how to make it easy for a user to verify the end-to-end encryption. The UI is simple and straightforward. You are made aware of any changes in the fingerprint of the person you are communicating with. Voice calls work exceedingly well.
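The fingerprint handling praised here, and found lacking in Wickr above, can be sketched as a small trust-on-first-use store. This is an added example, not code from Signal, Wickr or the original article; the fingerprint format (grouped SHA-256 hex), the state names and the sample keys are assumptions made for illustration and do not match any app's real safety-number scheme.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the key bytes as hex, grouped in fours so it can be read aloud."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class ContactKeyStore:
    """Pins one key fingerprint per contact and tracks whether a human verified it."""

    def __init__(self):
        self._pins = {}  # contact -> {"fp": str, "verified": bool}

    def observe(self, contact: str, public_key: bytes) -> str:
        """Call on every session; the returned state is what the UI must show."""
        fp = fingerprint(public_key)
        pin = self._pins.get(contact)
        if pin is None:
            self._pins[contact] = {"fp": fp, "verified": False}
            return "new-unverified"
        if pin["fp"] != fp:
            # Key changed: earlier verification no longer applies, so reset it
            # and surface the change instead of silently accepting the new key.
            self._pins[contact] = {"fp": fp, "verified": False}
            return "changed"
        return "verified" if pin["verified"] else "unverified"

    def mark_verified(self, contact: str, fp_from_other_channel: str) -> bool:
        """Compare against a fingerprint obtained in person or by voice."""
        pin = self._pins.get(contact)
        if pin is None:
            return False
        pin["verified"] = hmac.compare_digest(pin["fp"], fp_from_other_channel)
        return pin["verified"]


def demo():
    # Constructed sample keys, not real key material.
    old_key, new_key = b"\x01" * 32, b"\x02" * 32
    store = ContactKeyStore()
    states = [store.observe("alice", old_key)]
    store.mark_verified("alice", fingerprint(old_key))
    states.append(store.observe("alice", old_key))
    states.append(store.observe("alice", new_key))  # e.g. reinstall or interception
    return states
```

The point of the explicit "unverified" and "changed" states is that the interface has something distinct to display for each, rather than one lock icon for every case.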
The downside to this model is that you are required to know the phone number of the recipient. So, this works much less well for communicating with people who you want to keep your identity from. Say, for contacts from the deepweb. It’s much better for communicating with individuals you know and trust. I have virtually nothing bad to say about Signal and they have by far the most open project I have ever seen.
Opinion on Signal: use it. It has limitations though, and may not be as useful for all of your needs, depending on who you communicate with.
To conclude, I would recommend that one never put all of their trust into a service or app. There is always something that could go wrong. But there are times when manually sending, receiving, encrypting and decrypting PGP messages is not viable or even possible, and it’s useful to know your options. We aren’t ever safe, but Signal and ProtonMail currently hold the award for being two of the safest projects that are made simple enough for someone’s mother to use, in my opinion.