Mobile Messenger: How secure are WhatsApp, Threema & co.?

The subject of security in mobile messenger apps such as WhatsApp is becoming more and more important. Such security is not only a matter of end-to-end encryption; privacy, server security and data minimisation matter just as much. We took a look at which security features the most popular messengers offer in this regard.

WhatsApp: encrypted, but nosy

The highly popular messenger WhatsApp has been using end-to-end encryption as a standard feature since April 2016. This encryption uses the same protocol as Signal, the Signal Protocol. WhatsApp also makes use of client-to-server encryption, though this is the company’s own development and not an open standard. One criticism raised against WhatsApp is that, by default, the app accesses the user’s address book and stores this data. Other messengers such as Threema access the user’s address book only at the user’s request; in that process, hash values of the contacts are compared without the data itself being stored. Once a message has been read in WhatsApp, other keys come into play, to which US authorities could theoretically gain access.
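The hash comparison mentioned above, as an added illustration that is not code from any of the messengers discussed here: the client hashes each normalised phone number, the server compares the uploaded hashes against the hashes of its own registered users and answers with the matches, and nothing from the upload is retained. All phone numbers, the class names and the hash choice (plain SHA-256) are assumptions made for this example.

```python
import hashlib
from typing import Dict, List, Set

# Constructed sample data (not real numbers): the users registered with the
# service and the address book on one client device.
REGISTERED_USERS = ["+41790000001", "+41790000002", "+49170000003"]
CLIENT_ADDRESS_BOOK = ["+41 79 000 00 01", "+49170000003", "+33600000009"]


def normalise(number: str) -> str:
    """Strip spaces and dashes so both sides hash the identical byte string."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")


def contact_hash(number: str) -> str:
    """Hash used for matching. Note: the phone number space is small and
    enumerable, so a hash alone hides a number only weakly; the protection
    here comes mainly from the server not retaining what was uploaded."""
    return hashlib.sha256(normalise(number).encode()).hexdigest()


class DiscoveryServer:
    """Server side: knows only the hashes of its own registered users."""

    def __init__(self, registered: List[str]) -> None:
        self._registered: Dict[str, str] = {contact_hash(n): normalise(n) for n in registered}
        # Uploads are matched and discarded; this list must stay empty.
        self.stored_uploads: List[str] = []

    def match(self, uploaded_hashes: List[str]) -> Set[str]:
        """Return the subset of uploaded hashes that belong to registered users."""
        return {h for h in uploaded_hashes if h in self._registered}


class Client:
    """Client side: uploads hashes, never raw numbers."""

    def __init__(self, address_book: List[str]) -> None:
        self.address_book = address_book

    def discover(self, server: DiscoveryServer) -> List[str]:
        """Return the normalised numbers from the address book that use the service."""
        hashes = [contact_hash(n) for n in self.address_book]
        matched = server.match(hashes)
        return sorted(normalise(n) for n in self.address_book if contact_hash(n) in matched)


def run_discovery() -> tuple:
    """Run one discovery round and report the matches plus what the server kept."""
    server = DiscoveryServer(REGISTERED_USERS)
    found = Client(CLIENT_ADDRESS_BOOK).discover(server)
    return found, server.stored_uploads


if __name__ == "__main__":
    matches, retained = run_discovery()
    print("contacts on the service:", matches)
    print("uploads retained by server:", retained)
```

The normalisation step matters: "+41 79 000 00 01" and "+41790000001" must hash identically, otherwise a registered contact is silently missed.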

Facebook Messenger: security only on request

Facebook Messenger may often ask the user to enter his/her phone number, but commendably, the service can also be used without disclosing any phone number. Nevertheless, the messenger stores a lot of metadata, i.e. who communicated with whom, where and when. Though the messenger offers end-to-end encryption based on the Signal Protocol, this encryption is not enabled by default but must first be activated manually by both the sender and the recipient.

Telegram: the rebel without standard end-to-end encryption

Telegram is the creation of the Russian internet guru Pavel Durov. The service offers self-developed client-server and end-to-end encryption, though the latter is not activated by default. Telegram is considered somewhat nosy in its recording of metadata. Additionally, a mobile phone number must be provided during registration. Chat histories are stored on the Telegram servers. Reading the address book is optional, and a mobile phone number does not have to be entered for contacts. Telegram has garnered a reputation as a rebel in the scene since Durov refuses to grant authorities access to chat histories. He is helped in this by his tactic of setting up the Telegram servers in a multitude of countries, which means that handing over an individual’s data would require a judicial decision from numerous countries every time.

Signal: renowned encryption

Signal’s end-to-end encryption is said to be the best there is. The fact that the protagonist of the hacker TV show “Mr. Robot” uses Signal for his secure communication makes the messenger even more popular. Signal uses TLS/SSL for its client-server encryption. Messages and metadata are not stored on the server. But Signal is not free of criticism either. The app, formerly known as TextSecure, requires access to the user’s address book (even though only the hashes are used) as well as use with a valid SIM card.

SimsMe: GDPR-compliant data protection

In 2014, Deutsche Post launched the SimsMe messenger based on "over 500 years of experience in the transmission of messages". It is now available in a private and a business version. Both include end-to-end encryption and GDPR-compliant (DSGVO-compliant) data protection. According to Deutsche Post, the related servers are located solely in Germany. Messages can additionally be protected by requiring recipients to unlock them with their fingerprint sensor. Similar to Threema, SimsMe offers direct verification of contacts using QR codes, which the two connecting parties scan from each other’s smartphone.

Wire: hidden industry leader

Wire, a messenger based in Zug, Switzerland, has also been encrypting all messages sent via the app end-to-end by default for quite some time. Wire requests access to the user’s address book and uses the hashes from it, though this step can be skipped. Wire can be used without a SIM card or entering a mobile phone number, but this requires setting up a user account by email. Since Wire also provides the additional security properties of authentication, deniability and perfect forward secrecy, this messenger is increasingly seen as a secure alternative. Furthermore, Wire uses open protocols and advertises its registered office in Europe and the stricter privacy regulations that apply here compared to the USA.

Threema: anonymity is king

Threema, based in Pfäffikon in the Swiss canton of Schwyz, is by now quite well-known and popular in the German-speaking world. The messenger opted for end-to-end encryption very early on and is generally praised for its data minimisation. As stated on Threema’s own website, the service is designed not to leave a data trail. Groups and contact lists are managed on the device rather than on the server, and messages are deleted immediately after delivery; this prevents the accumulation of metadata.

If the user so wishes, Threema can also be used in complete anonymity, i.e. with neither an email address nor a mobile phone number. Moreover, contacts can be verified by entering a number or by scanning a QR code directly between two devices. The only criticism raised against Threema is that the app’s source code has only been partially published, for example the cryptography libraries used.
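The QR-code contact verification described for SimsMe and Threema above rests on one idea: a fingerprint of the contact’s long-term public key is exchanged out of band (by scanning the other phone’s screen) and compared with the fingerprint of the key that arrived via the server. The following is an added example of that check, not code from either messenger; the fingerprint format, the JSON payload, the function names and the two constructed 32-byte keys are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed keys for the illustration (not real key material). In practice
# these would be the devices' long-term public keys, e.g. 32-byte Curve25519 keys.
ALICE_KEY = bytes(range(32))
SUBSTITUTED_KEY = bytes(reversed(range(32)))  # what a tampering server might hand out instead


def key_fingerprint(identity: str, public_key: bytes) -> str:
    """Fingerprint that binds an identity to its public key.

    Hashing identity and key together means a fingerprint for one ID cannot be
    reused for another. 16 hex characters (64 bits) are shown in groups of four
    so a person can compare them by eye if the QR scan is unavailable.
    """
    digest = hashlib.sha256(identity.encode() + public_key).hexdigest()
    short = digest[:16].upper()
    return " ".join(short[i:i + 4] for i in range(0, len(short), 4))


def qr_payload(identity: str, public_key: bytes) -> str:
    """What the key owner's device encodes into its QR code."""
    return json.dumps({"id": identity, "fp": key_fingerprint(identity, public_key)})


def verify_scanned(payload: str, identity_seen: str, key_received: bytes) -> bool:
    """Scanning device: recompute the fingerprint from the key it received via
    the server and compare it with the scanned, out-of-band value."""
    try:
        data = json.loads(payload)
    except ValueError:
        return False
    if data.get("id") != identity_seen:
        return False
    expected = key_fingerprint(identity_seen, key_received)
    return hmac.compare_digest(str(data.get("fp", "")), expected)


def run_verification() -> Tuple[bool, bool]:
    """Return (result with honest server, result with substituted key)."""
    scanned = qr_payload("ALICE001", ALICE_KEY)  # shown on Alice's screen, scanned by Bob
    honest = verify_scanned(scanned, "ALICE001", ALICE_KEY)          # server relayed the real key
    tampered = verify_scanned(scanned, "ALICE001", SUBSTITUTED_KEY)  # server swapped the key
    return honest, tampered


if __name__ == "__main__":
    ok, swapped = run_verification()
    print("honest server verified:", ok)
    print("substituted key verified:", swapped)
```

The point of the second case is that a server (or anyone controlling it) that replaces a contact’s key cannot also alter what is printed on the contact’s own screen, so the mismatch surfaces at exactly the step the messengers describe.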

Unlike the other messengers mentioned here, Threema costs a one-off fee in the Apple App Store and on Google Play. Alternatively, the app is available for download on the company’s website.