One of the most common questions I get is what secure messaging system to use on Mobile devices. That’s a rather complicated question so it’s worth digging into.
First, you have to ask, who is your adversary? If it’s the government, you’ll have to take wildly different preventative measures than, say, a random eavesdropper. But that said, some of the tactics are simple enough.
For instance, the first thing I always tell people to look for is end to end encryption. If you are only encrypted to a server and that server then can read everything you write, it’s not a good solution. For instance, email is does not have end to end encryption built in, which is why Gmail is a poor choice for secure messaging.
Next, you want to look for something that automatically deletes your messages after a certain amount of time. Lots of systems allow you to have end to end encryption but then keep the data around forever. You can’t guarantee that the messages will be safe from an adversary forever. So make sure the data is deleted after a certain amount of time.
Next, make sure that the systems are resilient against forgot password/account changes, or account takeover. Just because you are talking to a person one day doesn’t mean you are talking to the same person the second day. So lots of platforms are automatically out since they don’t warn you when that occurs.
Generally speaking my favorites are Signal (with ephemeral messaging enabled), Wickr, and Facebook messaging (when you’re in secure mode with ephemeral messaging enabled). Wickr is the only one of the three that turns it on automatically, but it’s also the least used. Facebook is great, but it is Facebook and doesn’t default to secure mode opportunistically because it doesn’t work with mobile to desktop chat. Signal is great because it is a stand alone app but it also doesn’t enable ephemeral messaging by default. Wickr doesn’t tie to a phone number in the same way that Signal does so that is a nice added feature if you want to keep that detail private. Neither Signal, nor Wickr require you to have an identity, like Facebook does, but Facebook is by far the biggest platform.
Some people will bring up Whatsapp, but they are very similar to Facebook since they are owned by Facebook. And it’s worth mentioning iMessage in passing because they do have end to end encryption, but as soon as you sync with iCloud, your information is imperiled once more.
So there are some tradeoffs and you need to research what is right for you. I think ephemeral messages are a very important feature that most people don’t think about. It’s certainly something you should be aware of before you pick one. Or use all three. But whatever you do, don’t use default built-in chat clients.