Best secure messaging apps - review

If you’re wondering about the privacy and security of apps like Facebook Messenger, WhatsApp and Wickr, our messaging app review (free) has put 14 of the most popular apps through their paces.

Use the comparison tool to find out which messaging apps have the most security features and are the easiest to use, or see the Recommended picks to discover which apps come out on top. Have a question about secure messaging apps? Feel free to post it below.

2 Likes

But Choice didn’t assess some of the popular ones such as WeChat, LINE and Skype.

WeChat and LINE are very popular with those with Asian heritage who communicate with family members overseas. We use WeChat to communicate with friends from China, but realise that there are reported potential privacy issues as the platform has been developed considering and to meet Chinese legislative requirements.

We also use LINE as it has free calls using data/wifi, albeit short ones, to landlines in Australia and also to mobiles in some countries. From my own research, it has reasonable security and at one stage led the pack in relation to its platform.

There is also Skype which many use, including businesses.

3 Likes

I would agree with @phb’s assessment of LINE’s security as reasonable. My wife and I are happy LINE users.

2 Likes

Microsoft have introduced end-to-end encrypted calling. This means that the conversation can no longer be easily intercepted and listened to, and if the info is correct not even by Microsoft.

The conversation is only allowed between two parties, so not conference calls, but will add a good deal of security to what previously was an easily captured and usable data stream by others. This obviously will be of some concern to State Security Departments, e.g. ASIO (Dept of Home Affairs).

To read more see:

5 Likes

Privacy and encryption are great to have if the basic feature set works for each of us who wants to use the software.

(rant)
I do not follow Skype for Business that is now part of Office 365 with its costs, but Microsoft has consistently been dumbing down consumer Skype to reflect the look and feel and limitations of the phone app. Although I have been a paying subscriber for Skype VOIP incoming/outgoing services for more than a decade it has almost reached the tipping point where I’ll move on because it is obvious ‘social’ has outweighed ‘functionality’. The VOIP services no longer offer a customised voicemail message even for paying subscribers, and Skype has never supported incoming SMS. The Windows 10 version will not even autostart when one logs on while ‘classic desktop’ continues to offer that feature, all while being more dumbed down with every so-called update.

(/rant)

4 Likes

I disagree that it has been ‘dumbed down’ - it’s more like a complete lobotomy, in which they took the rest of the brain, brain stem, and cord as well. Then stopped the heart, and cremated the remains and flushed the ashes. I’ve never been a huge fan of Skype, but used it quite a bit over the years because it was the common thing - but what are they playing at? Some competing app that is a game changer they are about to release and nobody knows about?

3 Likes

For our family and friends parallel multi-device use is a mandatory item for a single use messaging service. The keyword is parallel. Threema & Signal are both listed as multi device, but they are not really. Signal says “Multiple mobile devices and Android tablets are not currently supported”. Looks like you can with a desktop. Threema kluges via creating a message group containing your devices, but this doesn’t really help for senders to you.

We find all our friends are on different messaging platforms, generally centred around their family & especially what their children use. The only common app is the now less often used email & SMS. Because of the latter, anything which integrates with SMS (like Signal & some others) is an advantage. Hopefully broader support for “RCS Messaging” & interoperability between carriers will help when people aren’t on your message platform. It would be good if support for SMS & RCS was a report criterion.

2 Likes

Perhaps a concern for those who use Whatsapp on their mobiles and never want the info to come to light is this bit of newsy blog:

Is what we have considered secure really secure in this moving world of new tech? The ability to downgrade an app on a system to then harness the information should be of great concern. Is this a result of some desire for backward compatibility? If so it is a major failure to recognise the security concerns of many users worldwide who may have their lives put at risk by not benevolent governments and others. While I applaud the use to bring justice the cost to others may be just too great to allow it.

3 Likes

Given that WhatsApp is owned by Facebook I am extremely surprised that it is ranked second in that review. I am also interested in how Choice evaluates the actual security of an app - which is a complex task at the best of times (which requires access to source code).

This is something that similarly puzzled me with the comparison of password managers - again, software that absolutely requires good security.

4 Likes

We have some info on our testing process here, but if you have specific questions I’m happy to relay the info 🙂

1 Like

My view is that in summary there are two types of systems of any kind (not limited to messaging apps) - those that have already been compromised, and those that are about to be compromised.

A much bigger discussion could ensue on points such as who has compromised the system, who knows it has been compromised (is it public knowledge), who is capable of performing the compromise (script kiddy->???), what effort does the compromise require, what class of user feels threatened by the compromise, whether that class of user is actually under threat from the compromise … to name a few. It makes for great dinner party conversation - but sweep the room first …

4 Likes

Thanks Brendan. From that article:

We rated the security of your message when it’s on your phone, on its way to your contact and on your friend’s phone, including how it’s stored at both ends. The apps that rate highest for security fulfil more of the security features criteria. These include encryption, amount of user data collected, server location and protection. They also include protection from messages being copied/forwarded, message destruction, security audit and if the code is open-source.

Encryption - fine. Except it can be done right and it can be done wrong. Does the app hash first or encrypt first, for instance.

Where is the message stored? Good - except in some apps messages go through a central server, meaning that the app owner (such as Facebook) has access to them.

Protection from messages being copied/forwarded? This is impossible, as anyone with a digital camera or who used an app that boasted this can attest. I suggest that this should not be a criterion, as it merely provides a false sense of security (security theatre).

Same with message destruction.

Security audit? How many of the messaging apps have been independently audited? As far as I know, only Signal can boast this, and while WhatsApp uses the Signal protocol the implementation matters - and is proprietary. Wait - I understand Threema has also been audited.

Open source is absolutely important, because it allows for the IT security community to try to find holes in the software. Unfortunately, most of the listed apps are not open source - meaning that researchers are working on them with both hands tied behind their backs and typing with their noses.

Finally, I would suggest another and much more important criterion - how does the provider respond when (not if) a vulnerability is discovered in their product? If they deny, delay and defend then they are not doing the right thing by their customers, who are left with an insecure product for an extensive period. If, like LastPass, they produce a patch within hours, then they are trustworthy.

5 Likes

I use Facebook Messenger since I’m a Facebook user; I don’t use any of the others.

1 Like

Thanks @postulative, I’ll be sure to pass on your thoughts. Perhaps we can add some more detail to our article the next time we cover secure messaging apps to explain the points you have raised in more detail.

3 Likes

Exactly why I don’t. Most of my friends are happy to use iMessage or Telegram/Signal with me, but still use FB Messenger in spite of its shortcomings, with others.

It may be safer to simply assume that everything you send or receive over the internet is vulnerable and could
A) wind up in the public domain without your agreement or knowledge,
B) be collected by third parties and saved for their future use as needed, most likely not to your benefit.

That is separate to all the other web sites and businesses many of us have already clicked and agreed to their pop up privacy T&Cs. More likely non-privacy agreements. How many read all those pages, or if done are capable of understanding what the agreement is really offering?

For banking, financial services, Centrelink etc many have already moved to requiring or offering as an option two-factor authentication, e.g. mobile phone SMS code, RSA keys etc. It’s not paranoia, it simply reflects their informed assessment of consumer risks.

Assuming you have unbreakable encryption in your messaging and a reliable provider, the weakest link in any system remains the end points, sender and recipient.

2 Likes

Keep it in your head - for now, mostly, things kept there are relatively safe - once a thought leaves your head, well … 🙂 The last time I experienced unbreakable encryption and a reliable provider they were delivered by a virgin riding a unicorn … from memory …

2 Likes

Totally insecure. It is easy for someone to port your mobile phone number in the middle of the night, and then get access to any accounts that use SMS for verification. Additionally, SMS is unencrypted so if you’re on public WiFi your message is in plain text.

For Centrelink to be using SMS indicates that they are uninformed in assessing consumer risks.

Mostly. If you are using an open source app that encrypts on the client side and requires authentication on receipt you may be okay. Signal is one such app - but in order to be secure you need to physically confirm yourself and the recipient before you start your secure communications. Your messages do not go to Signal, but do go via telecommunications providers - who do not have access to your private key.

Similarly, I understand that at least one password manager (which has been independently audited) encrypts passwords locally with a key that the app developer cannot access - and so if you lose your access then you have no fall-back, but they also can’t give it away to three letter agencies.

2 Likes