Secure Messaging Apps: The Pros and Cons of Each Platform

Jul 7, 2016

Communicating with a sensitive source has always been difficult for journalists. Sources who reach out to the media are potentially putting themselves into dangerous situations, breaking contracts, breaking laws, breaking promises and breaking trust.

Meeting in a parking garage at 4 a.m. in trench coats — while still effective in certain circumstances — works less well in the era of CCTV and mobile phone tracking. When it comes to secure communication, phone calls are out, normal email is laughably awful and SMS is only worse.

Enter: secure messaging apps.

These apps, operating under the same principles as PGP email encryption, are the new front line in securing communications between journalists, sources and contacts. All of these apps offer end-to-end encryption. If the company running the servers is ever subpoenaed, the only thing they can hand over to prosecutors is essentially gibberish.

However, the problem with some of these services is that you have to trust that your data is secure, as proprietary companies usually do not open source their software.

I’m going to discuss a few of the pros and cons of several secure messaging apps and offer a few suggestions for which ones journalists should use. Please remember that there is no right answer for everyone. Depending on who you’re hiding from, some apps are more practical or useful than others.

1.) iMessage

Pros
  • Built into every iPhone and Mac.
  • Completely seamless. If the text bubble is blue, it’s being sent securely.
  • Most of your friends, colleagues and sources already use it.

Cons
  • If an iMessage doesn’t send, the iPhone will send it through SMS as the fallback, potentially allowing it to be sent unencrypted. However, this can be disabled.
  • Tied to your personal phone number and device.

2.) Signal

Pros
  • Designed from the ground up to be nothing but a secure messaging platform.
  • It’s not oddly hacked onto an existing platform.
  • Fully open source.
  • Extremely familiar, intuitive interface.
  • Allows audio chat, with verification.

Cons
  • Buggy, especially on iOS.
  • The user interface and some of the user experience design can have some, let’s say, interesting glitches. However, none of these problems affect security.
  • Not widely used or known.
  • Requires your phone number for contact discovery.
  • Anyone intent on tracking your internet use can see you’re using Signal. However, they won’t be able to read your messages.

3.) WhatsApp

Pros
  • End-to-end encryption built by the same team as Signal.
  • More than 1 billion users.
  • The default security settings are very good, as every message is encrypted automatically.
  • Users receive notifications if anything is wrong.
  • Everyone you’d want to talk to already uses it.

Cons
  • Not fully open source.
  • Owned by Facebook.
  • How much do you trust Facebook?

4.) Tox (a Skype “replacement”)

Pros
  • Completely decentralized.
  • There is, for all intents and purposes, no company that can be attacked.
  • User lists are distributed and shared across the network itself.
  • No personally identifiable information — phone number, email address, etc. — is needed to make an account.
  • Fully open source, so developers can take the Tox protocol and build upon it as they like.

Cons
  • Usernames are 77 random numbers and letters. Mine is 1EFD9FE2EC7D30065ABE5E5C9C93908057608622D94020C952C1A7A61D1D0F622E59F5DF41C0.
  • It’s slow.
  • Finding a user on the network can take time since there is no central repository.
  • The actual chatting and voice services are still very buggy.
  • Other apps that have adapted Tox’s protocol are difficult to use and ugly to look at.
  • Very few users overall.

5.) Allo (Google’s newest messaging platform. Yes, another one)

Pros
  • Created by Google, so you know the user experience will be pleasant.
  • The team behind Signal implemented Allo’s end-to-end encryption.
  • Extremely accessible on many devices.

Cons
  • It’s brand new.
  • Closed source.
  • For now, none of your messages are encrypted by default in Allo’s security settings.

The takeaway

If you’re reporting on the big boys (U.S., Russia, Israel, China), then even these services may not help you. The encryption protecting your messages probably won’t be broken, but the chances of malware on your device — or of a very sophisticated man-in-the-middle attack — are much higher. In this case, there are many other internet security issues to be considered as well.

However, if you’re only worried about securing your standard day-to-day communication, I’d recommend Signal. Broadly speaking, if you’re a step below international espionage, iMessage, WhatsApp or Signal all fit the bill.

The biggest key to successfully using any of these tools is normalizing their use. If your team is using Signal, use it for everything. As the adage goes, those on the offensive only have to be lucky once; defenders have to be lucky all the time.

This post was also published on IJNet, which is produced by ICFJ.