It’s officially a post-Snowden and post-WhatsApp world, and my inbox is filled with pitches from companies promoting their secure messaging apps. But can you trust them?

As the messaging wars heat up, security seems to be the big differentiator — the levels of security range from “military grade” to lightweight, depending on the app. But all of them have one thing in common, said the cryptographer and security expert Bruce Schneier: You shouldn’t use them if your life is on the line.

Mr. Schneier said when it comes to evaluating the security of a secure messaging app, the real question lies in why you need it.

“Secure means what?” he said. “If I say my house is secure, it’s not secure against bombs. Most people’s threat model are their friends in high school. If they’re Chinese dissidents trying to stay alive, I wouldn’t trust it. But if there’s a high school kid trying to navigate the bullies, it’s probably good enough.”

As you determine your threat model, know that some secure apps promise much more than others.

On the heavyweight side are apps like TextSecure, which I wrote about in February as a text messaging substitute. TextSecure recently relaunched as a private messaging app that sidesteps SMS (Short Message Service) completely, WhatsApp-style, with encryption built in by default.

There’s Gliph, a communications app that includes encrypted messaging and email services and private web chat, and that further differentiates itself with Bitcoin wallet features built in.

And Telegram is a hugely popular Russian messaging app whose creators were so confident in its ability to secure your messages that they offered a $200,000 bug bounty to anyone who could decrypt its intercepted traffic. In the first contest, which ended March 1, no one managed to crack the encryption.

Wickr has been around for a while, and boasts not only of “military grade” message encryption of text, pictures and video, but also the ability to control how long a recipient can view a message before it’s deleted.

There’s Heml.is, currently in development, whose site complains that “private communication has more or less turned into an open stream for companies and governments to listen into.” Redact says it “sends heavily encrypted messages from one phone to another without passing through any central servers.”

And then there are ephemeral messaging services — light on things like encryption, but promising that your messages will disappear before they can be used against you. Snapchat kicked it off for photos, of course, but now there’s also Confide, Frankly, Ansa and the new Mark Cuban venture, CyberDust.

Mr. Cuban said CyberDust (and presumably other ephemeral messengers) isn’t about trying to shield communications from the National Security Agency — it’s about controlling your own messaging so something you say can’t be used against you permanently in the future.

“It’s pretty stupid to text knowing that we lose control of the text once we hit send,” Mr. Cuban said. “Even the most innocent text loses its context and can be misunderstood over time.”

But Mr. Schneier said no matter the level of security promised, “what does secure mean?”

Ephemeral app services, he said, supposedly delete messages after they’re sent. “Well, is it true? We know that Snapchat was under investigation because they claimed they deleted messages and it turned out they hadn’t.”

“Let’s say they’re encrypted,” he said. “That means that, assuming they did a decent job, no one can read the messages in transit. It doesn’t mean they can’t read them on your computer, and it doesn’t mean that someone can’t issue a court order to get those messages off a server somewhere.”

Worse, he said, a government (like ours) could secretly issue a court order forcing a messaging app to circumvent its own encryption, as happened with the secure email service Lavabit, or even ordering an ephemeral messaging app to keep messages it said it had deleted.

“What are these companies promising?” Mr. Schneier asked. “They’re not saying that they’re going to defy a court order, that they’re going to go to jail to protect your messages.”

Mr. Schneier said he relies on “any chat service” for casual communications and good old-fashioned OTR (off the record) and PGP (Pretty Good Privacy) for private communications. But he said that for most people, secure messaging apps of any stripe are probably sufficiently secure.

“We lock our front doors even though we know someone can break the window — it’s good enough,” he said. “We know our burglar alarm companies won’t protect us against military invasion.”