TL;DR: Does the app secure my messages and attachments? No No No No Yes No No Yes No No No Yes

Company jurisdiction USA USA USA UK USA USA USA / UK / Belize Switzerland Luxembourg / Japan USA USA Switzerland

Infrastructure jurisdiction USA, Belgium, Finland, Ireland,the Netherlands, Chile, Taiwan,and Singapore USA (Ireland and Denmark planned); iMessage runs on AWS and Google Cloud USA, Sweden (Ireland planned) UK (and potentially all jurisdictions, given it's a decentralised messaging platform) USA USA, the Netherlands, Australia, Brazil, China, Ireland, Hong Kong, and Japan UK, Singapore, USA, and Finland Switzerland USA USA (unsure of other locations) USA (unsure of other locations) Germany / Ireland

Implicated in giving customers' data to intelligence agencies? Yes Yes Yes No No Yes No No No Yes No No

Surveillance capability built into the app? No No No No No Yes No No No No No No

Does the company provide a transparency report? Yes Yes Yes No Yes Yes No Yes No Yes Yes Yes

Company's general stance on customers' privacy Poor Poor Poor Good Good Poor Poor Good Poor Poor Good Good

Funding Google Apple Facebook New Vector Limited Freedom of the Press Foundation, the Knight Foundation, the Shuttleworth Foundation, and the Open Technology Fund, Signal Foundation (Brian Acton) Microsoft Pavel Durov User pays Rakuten, friends and family of Talmon Marco (it's very unclear) Facebook Gilman Louie, Juniper Networks, the Knight Foundation, Breyer Capital, CME Group, and Wargaming Janus Friis, Iconical, Zeta Holdings Luxembourg

Company collects customers' data? Yes Yes Yes No No Yes Yes No Yes Yes No No

App collects customers' data? Yes Yes Yes Minimal Minimal Yes Yes No Yes Yes No Minimal

Is encryption turned on by default? No Yes No No Yes Yes No Yes Yes (if device supports it) Yes (if device supports it) Yes Yes

Cryptographic primitives RSA-1280 (encryption), ECDSA 256 (signing) / AES 128 / SHA-1 Curve25519 / AES-256 / HMAC-SHA256 Curve25519 / AES-256 / HMAC-SHA256 Curve25519 / AES-256 / HMAC-SHA256 RSA-1536 & 2048 / AES 256 / SHA-1 RSA 2048 / AES 256 / SHA-256 Curve25519 256 / XSalsa20 256 / Poly1305-AES 128 Curve25519 256 / Salsa20 128 / HMAC-SHA256 Curve25519 / AES-256 / HMAC-SHA256 ECDH512 / AES-256 / HMAC-SHA256 Curve25519 / ChaCha20 / HMAC-SHA256

Are the app and server completely open source? No No No Yes Yes No No (clients and API only) No No No No Yes

Can you sign up to the app anonymously? No No No Yes No No No Yes No No Yes No

Can you add a contact without needing to trust a directory server? No No No No No No No Yes Yes No No No

Can you manually verify contacts' fingerprints? No No Yes Yes Yes No No (session only, does not provide users' fingerprint information) Yes Yes Yes Yes Yes

Directory service could be modified to enable a MITM attack? Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

Do you get notified if a contact's fingerprint changes? No No Yes Yes No No (session only, does not provide users' fingerprint information) Yes Yes No (setting turned off by default) No If contact was previously verified

Is personal information (mobile number, contact list, etc.) hashed? No No No Mostly No No Yes No No Yes Mostly

Does the app generate & keep a private key on the device itself? Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

Can messages be read by the company? Yes No Yes No No Yes Yes No No No No No

Does the app enforce perfect forward secrecy? No Yes Yes Yes No (session keys do change after being used 100 times) No Yes Yes Yes Yes

Does the app encrypt metadata? No No Yes No Yes No Yes Mostly

Does the app use TLS/Noise to encrypt network traffic? Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes

Does the app use certificate pinning? Yes (>=iOS 9.3) Yes Yes Yes

Does the app encrypt data on the device? (iOS and Android only) Yes (if passphrase enabled) Yes (if passphrase enabled) iOS: Yes (if passphrase enabled); Android: Yes (if master key set in the app) iOS: Yes (if passphrase enabled); Android: Yes (unsure of function) Yes

Does the app allow a secondary factor of authentication? No No No No No No Yes Yes No Yes Yes (password for account used) Yes

Are messages encrypted when backed up to the cloud? No N/A, Signal is excluded from iCloud/iTunes & Android backups Yes iOS: Yes

Android: No N/A, Wire is excluded from iCloud/iTunes & Android backups

Does the company log timestamps/IP addresses? Yes Yes Yes No Yes Yes No Yes Yes No Some

Have there been a recent code audit and an independent security analysis? No No No No Yes (October, 2014) No Yes (November, 2015) Yes (November, 2015) No No Yes (August, 2014) Yes (March, 2018)

Is the design well documented? No Somewhat Somewhat Somewhat Somewhat No Somewhat Somewhat Somewhat Somewhat Somewhat Somewhat