How to make encrypted messengers work for you

Following large-scale data breaches, privacy violation scandals and the initiatives of governments willing to control what people share online, the demand for secure communication solutions is higher than ever. There are multiple messengers and services designed to protect the most sensitive data with end-to-end encryption. However, encryption alone cannot guarantee complete safety, and the features of secure messaging apps differ. This overview will give you an idea of what you get in each case.

VIPole

VIPole encrypted messenger provides instant messaging, chats, file sharing and managing, secure calls, group calls and screen sharing. It is a privacy app and also a platform that powers business. As the service was designed for uniting teams and safeguarding the connections of business users, it includes a number of productivity features, a calendar with a simple task manager, encrypted notes and a password manager.

It has numerous options for those who need maximum confidentiality, including IP hiding, auto-burning messages, auto lock and auto logout. You can share files of any type, with a limit of 150 MB per file. In the Enterprise VIPole version, there are no limitations on file size. The number of participants in group chats is unlimited. Conferences can bring together up to 256 users.

The security of communications is ensured by end-to-end encryption for chats, shared media, calls and conferences. To protect user data, 256-bit symmetric AES encryption and 3072-bit RSA encryption are applied. Transport Layer Security safeguards all data transmission channels. Only the users themselves own their keys, and Diffie-Hellman secure key exchange excludes the risk of interception. If a user forgets the secret phrase that protects the keys, there is no way to recover them.

A key management tab in the app shows the keys currently used to encrypt the data as well as the previously used keys. While the data is encrypted end-to-end, it is also stored securely on the VIPole server, or on the company's own server in the on-premise version, and secure synchronization gives users permanent access to all their conversations and media on all their mobile devices and computers.

Signal

Signal is the famous application for privacy enthusiasts, widely adopted by people who value their personal life, especially in countries with excessive governmental control. Here you can send encrypted instant messages, images and files, hold voice calls and create secure group chats. In the settings, you can select the types of data you share over Wi-Fi and mobile data. Other messaging apps usually require all parties to have the app installed to be able to communicate. Signal is more powerful in this respect, as it can work with SMS and MMS. Even if your friends or business partners are not on Signal, you can still stay in touch. It should be mentioned that Signal is not always the fastest messenger. However, Edward Snowden recommends it, so Signal security is trusted.

In Signal, all types of conversations are protected end-to-end. Security in the app is based on the OTR protocol, AES-256, Curve25519, and HMAC-SHA256. Metadata in Signal, including the phone numbers of your contacts and the time the messages were sent, is not recorded. This means that if you back up your device, you will no longer get access to your messages. Signal is handy and simple, and it fits best for real-time secure conversations, after which you won't necessarily need your messages to be stored. Unlike Wickr, Signal does not save your password on the server. Additional features for managing privacy include self-destructing messages and the ability to delete the full history on the device. Deleting an account is also easy: there is a big red button in the main menu for it.

Wickr

Wickr is available for Android and iOS and provides desktop applications as well. You can configure the self-destruction mode for messages so that they expire after the period of time you need. You can erase any message at any time, and your contacts won't see it anymore. The number of users in group chats is limited to 10, and to 30 in the Professional version. The recently released Professional edition also includes calls and video chats.

Like the other messengers on the list, Wickr provides end-to-end encryption, and in addition you can remove metadata from chats, including the timestamp and geolocation. You can be sure that your history on the devices of your contacts will stay hidden from third parties. Android users are advised to encrypt their devices, as there is no information on whether Wickr data is stored encrypted on devices. Self-destructing messages allow you to hide the traces of all your conversations, and you can completely wipe all your messages stored on the device. In February this year, Wickr opened its code for public review, and you can audit the service yourself.

Threema

Threema is a secure messaging service especially popular in German-speaking countries. It is a mobile app for iOS, Android and Windows Phone; there are no desktop versions. It is deservedly named among the most secure options for protecting privacy, as conversations in it are unreachable for corporations, governments and hackers. The features include messages and group chats for up to 50 users. Other handy features include polls for quickly getting the opinions of group chat members, and sharing files of most common types (up to 20 MB). The messaging provider deletes all data from the server after the messages are delivered. The contacts and groups are stored locally on the devices of the users. Threema does not provide voice and video calls now, so you will need to use another app for this.

Threema is an encrypted mobile app that employs the NaCl cryptography library to safeguard the chats. Both one-to-one and group chats are encrypted end-to-end, and the media files you share and your statuses are also encrypted. After your messages are delivered to recipients, they are deleted from the server. When users first sign up, a unique Threema ID encryption key is generated, ensuring the anonymity of your communications. To verify your contacts, you can use a scannable QR code when you meet them in person.

Symphony

Symphony is probably a lesser-known but more secure platform for corporate communications than Slack, HipChat and Microsoft Teams. The system was developed for and supported by banks, as its goal was "to enable richer workflow and collaboration throughout the financial industry and other sectors". The system lets you organize communications within teams and externally, share encrypted documents and hold conferences with screen sharing. The product is business-oriented and provides the instruments to control the communication flows within companies. However, the options for managing content that are available to Symphony users are limited in comparison with other messengers, including even the much less secure popular applications that offer the deleting and editing of shared content that users are used to.

Symphony ensures security while data is sent, transmitted, received and decrypted on the devices of authorized recipients. The data is stored encrypted in the cloud in order to meet the compliance regulations of the companies that use it. The customers own their encryption keys, and their access is protected during internal and external communications. However, as Symphony was developed mostly for financial companies, the New York Department of Financial Services raised suspicions that banks might use encryption to avoid the eyes of regulators. As a result, Goldman Sachs, Deutsche Bank, Credit Suisse and Bank of New York Mellon agreed to hand copies of their encryption keys to an independent custodian. This means that a regulator will be able to review the messages sent within the service, decrypting them upon request. This compromise weakens the security of the service: the data is safe only until the regulator decides to have a look at it.

Symphony has raised a fresh round of funding recently. The platform is planning to integrate with other systems, expanding as a collaboration tool, which is likely to make it handier but at the same time more vulnerable to violations.

Confide

Confide is an app for encrypted one-to-one and group messaging, sharing photos, documents and voice messages. The swipe-to-reveal scheme in Confide prevents screenshots, thus ensuring that your secure conversations won't be passed to third parties. You can retract (un-send) unread messages; however, many messengers today offer this feature for all messages you've ever sent, or at least have a 48-hour limit like Telegram does. With the self-destructing mode, in which messages disappear once they are read, you can take yourself off the record; just make sure that you'll never need them again. This is great for the most sensitive conversations, but it is not necessarily what you would use for collaboration, where you may need the files you share today a month later. Unlike in other messengers, messages in Confide cannot be saved or forwarded. To read the messages, you need to move your finger, line after line, feeling a bit like a spy. Only the last sent message can be shown for you to recollect what you've been speaking about.

Confide was reported as being used by White House staffers; however, IOActive security researchers discovered multiple critical vulnerabilities in the service after auditing it. Confide does not notify users when a new encryption key is generated for their account, which makes a man-in-the-middle attack possible. Confide co-founder and president Jon Brod said that the revelations of the security researchers did not show that the system is actually exposed to violations.
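
The safeguard described as missing in Confide, together with the in-person contact check Threema offers, shown as an added example (not code from either app): a client that pins each contact's key on first use, never switches keys silently, and marks a contact verified only after an out-of-band fingerprint match. The class and function names and the sample keys are hypothetical.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """Short, human-comparable digest of a contact's public key."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

class KeyPinStore:
    """Trust-on-first-use pins for contact keys (hypothetical client-side store)."""

    def __init__(self):
        self._pins = {}  # contact -> {"key": bytes, "verified": bool}

    def observe(self, contact: str, public_key: bytes) -> str:
        """Record the key the server presents for a contact; never switch silently."""
        pin = self._pins.get(contact)
        if pin is None:
            self._pins[contact] = {"key": public_key, "verified": False}
            return "first-use"
        if hmac.compare_digest(pin["key"], public_key):
            return "verified" if pin["verified"] else "unverified"
        # Key differs from the pin: keep the old pin and surface a warning.
        return "KEY-CHANGED"

    def verify_in_person(self, contact: str, scanned_fingerprint: str) -> bool:
        """Compare the pinned key with a fingerprint obtained out of band (e.g. a QR code)."""
        pin = self._pins[contact]
        ok = hmac.compare_digest(fingerprint(pin["key"]), scanned_fingerprint)
        pin["verified"] = ok
        return ok

    def accept_new_key(self, contact: str, public_key: bytes) -> None:
        """Explicit user decision after a KEY-CHANGED warning; verification resets."""
        self._pins[contact] = {"key": public_key, "verified": False}

def demo():
    # Constructed sample keys: fixed byte strings standing in for real public keys.
    alice_key = bytes(range(32))
    substituted_key = bytes(range(1, 33))
    store = KeyPinStore()
    events = [store.observe("alice", alice_key)]
    store.verify_in_person("alice", fingerprint(alice_key))
    events.append(store.observe("alice", alice_key))
    events.append(store.observe("alice", substituted_key))
    return events

if __name__ == "__main__":
    print(demo())
```

The third event is the notification the paragraph above says is absent: a different key for an already pinned contact is reported to the user instead of being adopted.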