Email has been around forever, and remains a leading way for businesses and individuals to communicate at a distance. But email has several problems, the most severe of which (from my perspective as a security guy) is that it is insecure. Secure and encrypted messaging apps make a great alternative when you want to prevent outsiders from reading your messages.
However, there are many messaging apps out there, each with its own mix of security, privacy, and additional features. In this guide, we'll look at my picks for the 5 best secure and private messaging apps available today. We'll also talk about some messaging apps I think you should avoid, and why I say that. Finally, we'll wrap it up with an FAQ section that covers the most common questions I came across while putting this together.
Are you ready to upgrade your internet communications to something fast and secure? Then keep reading.
Our list of the best secure messaging apps includes only a handful of contenders. They use powerful encryption and a range of privacy-enhancing features to give us ways to communicate online without having to worry about who else is reading our messages. I've also written detailed reviews of each of the secure messengers I recommend, and include links to all those reviews here too.
But before we get into the specific messenger apps, we're going to talk a little bit about why it is so important to use a secure messenger instead of say, WhatsApp or even “secure” email services like Gmail. I'll also show you the characteristics I use when choosing the best services, so you can have confidence in these recommendations.
Note: In case you were wondering, I don't have any ties to any of the services I recommend here, and I don't receive any kind of compensation for recommending them. This is all about helping you fend off the endless list of people and organizations that want to spy on you for their own benefit.
Do you really need a secure messaging app?
In today's world, it seems everyone and their brother wants to spy on us. From evil hackers to mega corporations like Google to government intelligence agencies, there are powerful entities that absolutely hate the idea that you or I can communicate without them watching over our shoulders. Why does our desire for privacy upset these groups so much?
- Hackers want all the information they can get about you to sell it, blackmail you with it, or use it to impersonate you and rob you blind.
- Companies like Google crunch every bit of information they can get about us so they can make more money by selling us stuff or selling information about us to the highest bidder.
- Intelligence agencies want to monitor and record everything about everyone, everywhere so they (and the politicians behind them) can control our lives and keep us from doing something ‘bad' (as in something the current regime doesn't like).
While there may be privacy laws in force where you live that should protect you from these kinds of activities, they don't seem to be working very well. There's too much money and power to be gained by violating your privacy for mere laws to protect you. You have to protect yourself.
The one tool that seems able to protect us from them is encryption. There are encryption algorithms that can't be broken (as far as we know). These encryption algorithms are incorporated into messaging protocols like the Signal protocol that allow you to communicate securely over the internet. Your messages get encrypted before they leave your computer or other devices. The messages travel securely because, even if one of those powerful entities gets a copy of your message, they can't break the encryption to read it.
Another factor here is the way people are being forced to work from home due to COVID lockdowns. When you are working in the office, you usually communicate through internal systems behind corporate-grade firewalls and other security. When people work at home, they don't have all that corporate security infrastructure to protect them. Imagine all the proprietary information that's flowing between people working from home with only their ISP's consumer-grade security to protect it. Heck, in the USA, your home ISP is allowed to collect and sell information about your activities online themselves.
If you are not using a secure messaging service, you are virtually unprotected. There are lots of services that claim to be private and secure, maybe even anonymous. However, most of them don't make the grade. Some services provide excellent security for your messages while they travel across the internet, but their own employees can read your messages while they are sitting on some central server somewhere. Other messengers are products of companies that have bad privacy records. Still, others use security that may have been hacked or backdoored by the NSA or other national intelligence agencies.
While most messaging apps don't provide the security you really need, there are some that are worth considering for your own use. I have five for you to consider. We'll get to them in a moment. First, let me give you a quick rundown of the criteria I used to select them.
Ranking the most secure messaging apps
Here are the criteria I use to evaluate secure messaging apps / services. While you may have some special requirements you need to meet, you should include these criteria in your evaluations:
- Your special requirements
- End-to-end (E2E) encryption
- Minimal logging and metadata collection
- External security audits
- Use of open source code
- Self-destructing messages
- Anonymous signup options
1. Your special requirements
If you have special requirements that must be met, this of course takes precedence over anything else. For example, if you must be able to communicate with people using Telegram messenger, then it doesn't really matter that other messaging services may be more secure or protect your privacy better. Since these kinds of requirements are unique to your own situation, there really isn't anything else I can say about them here. So let's move on to the more general criteria.
2. End-to-end (E2E) encryption
End-to-end (E2E) encryption is my most important criteria when choosing a secure messenger. With end-to-end encryption, messages get encrypted before they leave your computer or other device and remain encrypted until the intended recipient's device decrypts them. Depending on the design of the messaging service, E2E encrypted messages may be stored on a central server for a time, but that doesn't matter. Even though a message is sitting right there on the company's server, they can't read it.
I have to amend that slightly. You can be sure your E2E encrypted messages will remain secure if the encryption algorithms used in the messaging protocol have been found to be secure by the cryptographic community. While the math is way over my head, cryptographers can determine how long it would take current computer systems to crack any given encryption algorithm. Cryptographers have analyzed algorithms like Signal‘s Signal protocol and shown it to be secure against any reasonable attacks.
Some services use their own custom encryption algorithms and protocols. In those cases you should put extra effort into reading up on what the cryptographic community has to say about the situation. One example of this is Telegram. Their overall security model gets lots of criticism from cryptographers. Does this mean Telegram is not secure? Possibly. Does it mean that Telegram isn't secure enough for your purposes? I have no idea. This is a judgment you will have to make if and when you consider using Telegram.
3. Minimal logging and metadata collection
Here's something you might not be aware of. The fact that a service uses 100% E2E encrypted messages does not mean they have no information about you. The majority of messaging services collect some personal data when you sign up for an account. This would typically be your phone number or email address, and possibly some data about your contacts.
Aside from that, every message has metadata associated with it. This includes things like your IP address, the time you log on and off, the IP addresses you communicate with, and potentially much more. This information doesn't directly reveal anything about you, but with a little bit of detective work, those hostile entities out there may be able to map your social graph, track your activities online, even deduce your identity.
There are two things you can do to reduce this risk. First, choose a secure messenger that gathers as little personal information and metadata as possible. As you'll see, two of my recommendations let you create an account anonymously.
The other thing you can do is use a VPN to connect to your messenger service. This helps because a VPN prevents your real IP address from being exposed to the messenger service. Instead of seeing an IP address that is associated with your device and physical location, the messenger service will see an IP address associated with the VPN. Any data the messenger service logs will be associated with the VPN rather than with you. Here are my top current VPN recommendations:
- NordVPN – Based in Panama, zero logs, fast speeds, apps for all devices (see our NordVPN review)
- Surfshark – Based in the British Virgin Islands, zero logs, very low prices (see our Surfshark review)
- VyprVPN – Based in Switzerland, zero logs, very good value (see our VyprVPN review)
4. External security audits
Companies make lots of claims for their products. But not all the claims made by every company are true. The same is true in the secure messenger space. That means we need a way to validate the claims companies make about their secure messengers.
A great way to address this issue is to look for external (third-party) audits of the messengers you are interested in. I realize that many messenger apps are open source, meaning their source code is available online for anyone to see. But can you review cryptographic algorithms and messaging protocols to see if they work the way some marketing guy says they do? Me neither.
This is where external security audits, and other types of independent testing come in handy. Many of the better companies pay outside experts to come in and validate the service. There's no standardized testing here. Each company decides what they want tested and who they want to do the testing. So this isn't a perfect comparison tool. But seeing test results like these make me more confident that the messenger will deliver the promised results.
5. Use of open source code
When a project uses open source code, I feel more confident that they are going to deliver the features and capabilities that they promise. As I mentioned before, I'm not in any position to analyze the source code a messenger uses to look for problems. But there are people out there who can do so.
What this means is a greater chance that flaws in the code are more likely to be spotted and fixed than if the project uses proprietary code that no outsiders can examine. This also argues for choosing a more popular messenger app. Why? The more popular an app is, the more likely people will be to go looking through the open source code looking for problems.
6. Use of self-destructing messages
If you are a fan of the old spy shows, you might remember self-destructing messages. For example, episodes of Mission Impossible would begin with the agent receiving his assignment in some exotic manner, followed by the warning, “This tape will self-destruct in five seconds.” And it makes sense. A message that self-destructs can't be read by the enemy or otherwise used against you.
Self-destructing messages are reappearing as an important part of modern secure messaging technology. A chat message that self-destructs can't be decrypted by the enemy or otherwise used against you. Even if someone were to somehow crack the encryption on your device or physically steal the thing, messages that have already self-destructed still can't be read.
More and more secure messengers give you the ability to set messages to self-destruct. Wickr takes this one step further, with automatic destruction of all messages and attachments after a certain amount of time. If you can function without all your old messages hanging around on your device, this approach provides the ultimate in security.
7. Anonymous signup options
One of the things I dislike about most messenger apps is that they require you to give them either a phone number or email address when you create an account. Depending on your own use case, this may not be a big issue, but all other things being equal, I would prefer a messenger app that allows anonymous signups.
Note: If the messenger you like doesn't support anonymous use, you can use a disposable email account or get a temporary phone number to use during the registration. I've covered the relevant options in the in-depth reviews of the different messengers.
The 5 best secure messaging apps
After going back through all the secure messaging app reviews we've done here at Security Tech, I've picked out the 5 best for you. While they are all quality products, each has its own mix of pros and cons. You'll want to evaluate them from your own perspective to see which is the best match for your needs.
1. Signal: the gold standard of secure messaging
Signal Messenger is considered the most secure messaging app available today. It is built around the Signal protocol, a messaging protocol so good that numerous other messaging services (including WhatsApp) have adopted it to secure their own messages.
Signal is E2E encrypted open source software, and is available free of charge. It supports disappearing messages (self-destructing messages), and has successfully completed various third-party audits. While imitation (or copying your messaging protocol) is the sincerest form of flattery, Signal also has celebrity-level endorsements from luminaries including Edward Snowden and Elon Musk.
This secure messenger is so good that in early 2020 it was officially recommended for official communications by the 82nd Airborne’s Task Force Devil during their deployment to the Middle East.
In my opinion, the only reason not to use Signal is that you can't get the people you need to communicate with to make the switch. And if you point them to our full review of Signal, they may just change their minds and do it.
I can only think of two reasons you might not want to at least give Signal a try: you don't want to use a telephone number to register an account; or the people you need to communicate with don't use, and won't switch to, Signal.
Note: While Signal does require you to enter a telephone number during registration, there are some workarounds for this problem.
- E2E encryption – Complete E2E encryption using the Signal protocol
- Logging and metadata collection – minimal, with all metadata stored in encrypted form
- External security audits – audited multiple times
- Use of open source code – 100% open source
- Self-destructing messages – optional
- Anonymous signup options – no
For more information, check out our full Signal Messenger review.
Wickr Me: the anonymous, ephemeral messenger
Like Signal, Wickr was also recommended for use by the 82nd Airborne’s Task Force Devil in the Middle East. While the Wickr product line contains a range of free and paid products, the version we are talking about here is Wickr Me, the free personal version of Wickr.
Wickr Me mostly uses the same code as the paid versions, but with some functions of the paid versions disabled. As noted earlier, Wickr Me is an anonymous service. That means you don't need to enter either a phone number or an email address to create an account. That's a strong boost to your privacy (and a possible reason to choose Wickr instead of Signal). Wickr can't be compelled to reveal your identity since it doesn't know your identity.
In addition, Wickr Me content is ephemeral. In plain English, everything you send or receive in Wickr is deleted automatically after a set time. Everything goes through their “digital shredder” where it is replaced in memory by random bits of code, ensuring the data can never be recovered. This includes messages and attachments that haven't even been read yet.
- E2E encryption – Full E2E encryption using AES-256 and Perfect Forward Secrecy (PFS)
- Minimal logging and metadata collection – Very limited logging and no metadata recorded
- External security audits – the company runs continuous third-party audits
- Use of open source code – while the code is available for review on Github, it is not open source code
- Self-destructing messages – all messages and attachments are ephemeral (self-destructing)
- Anonymous signup options – signup is always 100% anonymous
For more information, check out our full Wickr Messenger review.
3. Wire – Secure messenger with uncertain future
We've got a lot of experience with Wire. It is an excellent E2E encrypted messenger with serious privacy and security benefits. From the technology side alone, this is definitely a contender. However, the user base for Wire Personal is small, with only around 500 thousand users. By contrast, Telegram Messenger has over 500 million users.
Another potential problem is that the company has made it clear their focus is corporate users and corporate use cases, rather than individual users. While there are currently no signs that Wire Personal will be shut down, you should be aware of the non-zero chance Wire Personal will someday go away.
- E2E encryption – full E2E encryption using the Proteus protocol and Perfect Forward Secrecy
- Minimal logging and metadata collection – some logging and email address or phone number required at signup
- External security audits – some old (2018) security audits published
- Use of open source code – Wire uses 100% open source code
- Self-destructing messages – optional self-deleting messages
- Anonymous signup options – no anonymous signup supported
For more information, check out our full Wire Messenger review.
4. Threema – Anonymous messaging with no data collection
Threema is a secure, anonymous messaging app that never achieved the notoriety of apps like Signal or Telegram. But that doesn’t mean that it’s not worth your attention. With around 8 million users (over 15 times the number that Wire Personal could claim), it has a decent-sized user base, and some serious security features.
Most importantly, Threema, like Wickr Me can be used anonymously. A randomly generated Threema ID with no connection to any user-identifiable data, full E2E encryption, and all user data stored on the device makes this an extremely private app.
Threema differs from the other secure messengers we recommend in that there is no free version of Threema. You can buy Threema through the Threema store or download it from the relevant app store.
- E2E encryption – full E2E encryption using the NaCl open source encryption library
- Minimal logging and metadata collection – minimal metadata retained until message delivered
- External security audits – the most recent security audit was conducted in 2020
- Use of open source code – Threema is fully open source
- Self-destructing messages – GDPR compliant with some logging and minimal metadata retained until message is delivered
- Anonymous signup options – can be used anonymously
For more information, check out our full Threema messenger review.
5. Telegram – over 500 million users and growing
Telegram was the biggest of the secure messaging apps in our list when 2021 began. Then WhatsApp had a few disturbing privacy lapses and people started looking for a new messenger app. It appears that most of those people decided to move to Telegram. In the first few days after those problems, Telegram gained tens of millions of new users. They now have over 500 million users and that base is growing by the day.
The size of a messenger's user base is important because the more users, the easier it is to find someone to talk to. It also increases the odds that the people you know you want to talk to are already using the service. So based on size alone, Telegram would merit serious consideration.
But Telegram also has a large, ever-growing feature set, is free, and is fun to use. It is easy to see why people are flocking to it. On the other hand, Telegram does not apply E2E encryption to all messages. The feature is only available on voice calls and Secret Chats (one-on-one conversations) and even here it must be turned on manually.
Now add in the fact that many people in the cryptographic community have reservations about MTProto, the encryption protocol used by Telegram. There are conflicting claims about how secure this protocol really is. The only way to put these doubts to rest is for Telegram to commission the kind of security audit that other secure messengers have had and publish the results for the world to see. Until such time there will be a cloud of doubt about the security of this service.
You'll have to put some serious thought into the tradeoff between rock-solid security and privacy protections on the one hand and a huge user base plus a rich feature set on the other. One thing you can do to improve both your security and privacy when using Telegram is to always use a good VPN service. The VPN will keep your IP address from getting logged by Telegram (Telegram logs more personal information than any of the other services listed here), and the VPN's encrypted tunnel will add an extra layer of defensive encryption around your Telegram message traffic. You can see our review of the best VPNs here.
- E2E encryption – limited
- Minimal logging and metadata collection – Telegram captures more data than the other services listed here
- External security audits – no formal security audits have been published
- Use of open source code – much of Telegram's code is open source, but the server code is not
- Self-destructing messages – this capability was recently added for some message types
- Anonymous signup options – no
For more information see our full Telegram Messenger review.
In this article, our goal was to give you several options to choose from when looking for a secure and private messaging app. But some people out there want us to pick a single winner. By far, the most frequently asked question we've heard when researching this topic is:
We get it that you want us to tell you that one particular messaging app is the most secure and private. But we're not going to do it. While we have our own opinions on the subject, we prefer to defer to the 82nd Airborne. They recommended Signal and Wickr as the secure and private messaging apps to use in a combat zone. Who are we to argue.
Why should I avoid WhatsApp?
If you are interested in secure and private communication, you should avoid WhatsApp. There are a few reasons for this. First, WhatsApp is owned by Facebook. WhatsApp collects a lot of metadata about every user, which it shares with Facebook. This data includes your name, IP address, mobile number, location history, cell network, contacts, and device type. Facebook has huge economic incentives to make use of that metadata, which makes every privacy-conscious user nervous.
WhatsApp had some privacy disasters last year, with personal data about their users somehow leaking out into search engine results, and private WhatsApp groups becoming accessible to people who weren't invited.
Because WhatsApp is a US company, it can also be compelled to hand over all the metadata it collects to US government agencies without even letting you know it is happening.
In short, neither WhatsApp or Facebook has a great track record right now of protecting user privacy.
Conclusion on the best secure messaging apps
With the disturbed state of the world in the 2020's, controlling access to our communications is more important than ever. Today you can be cancelled from social media, friendships, even your livelihood because of something you said that some stranger doesn't like. Or your messages can end up in some enormous commercial or government database where at best it will be used to try to sell you something or at worst put you on some government watch list.
You need to protect yourself. One of the best ways to do this is to stop sending important messages through email or the messaging apps offered by mega corporations. Switching to a secure messaging app like the ones we looked at here is your best hope to stay safe from all those entities who hate the idea that you have privacy.
We are optimistic that one or more of the secure messaging apps we have discussed here has piqued your interest. If so, take advantage of the links at the end of each mini-review to get our in-depth analysis of the one you like and give it a try. The sooner you move to a secure messaging app for all your important communications the safer you will be.
This secure and private messenger review was last updated on January 7, 2022.
Sadly you will have to remove Wickr from this list as its set to stop functioning on December 31st 2023. All that will remain is Wickr Enterprise which is only for businesses and Wickr RAM which is only for military. The best secure messaging app ever created has been killed by Amazon. Even people who paid for Wickr Pro will be getting cut off.
Wickr and signal the best one
I would say Wickr was the best as it used known and trusted encryption protocols and didn’t require a phone number for verification. I believe Signal only recently added an option to hide your phone number, before that anyone you spoke to could see your number and call/message you outside of the app. Not very good safety and privacy wise.
Why did you not include Jami, session msgr, element (matrix), or blabber.im (xmpp)? All those are foss, e2ee, all can be anonymous signup.
Yep, and they are all so obscure and unknown that practically nobody uses them. So you can just chat with yourself I guess. Session may be the exception and we’ll probably get it added to the list soon.
Although session is decentralised, when you recover your account with 12 words backup all chats that was deleted as ephemeral appear again and disappear with the time that was set the first time, in my opinion when someone get your secure words backup can read all your old chats. Status.im app better than Session as decentralised app.
The user base of each of these applications was small at one time. If an app is new, it shouldn’t stop you from trying it out, testing it. If it has qualities that people are looking for, to protect privacy, then the flood of people will start using it.