How Snapchat, Secret, WhatsApp Don't Protect Messages
Do you trust messaging apps such as Google Hangouts, Facebook chat, Snapchat or WhatsApp to protect your messages? You may want to reconsider - all those apps, and many more, failed simple security tests, according to San Francisco-based consumer privacy group the Electronic Frontier Foundation (EFF).
The only apps to receive perfect scores by meeting all of EFF's seven criteria were TextSecure, Silent Text, Silent Phone, CryptoCat, ChatSecure + Orbot, and Signal/Redphone. The worst-scoring apps, which met one or none of the criteria, included AIM, BlackBerry Messenger, Kik Messenger, Secret, Viber and Yahoo Messenger.
The EFF tested 39 common messaging apps on criteria including: Does this app encrypt data in transit? Are encryption keys stored on the user's device, so the app's creators can't read the messages? Does the app use well-documented and trusted encryption algorithms? Does the app use perfect forward secrecy, so that even if one message is compromised, the rest of the conversation is still secure?
For every 'Yes' an app received, it got a check on the EFF's Secure Messaging Scorecard. For every 'No,' it got a red slash.
It's important to note that the EFF's analysis did not assess the strength of each app's encryption algorithm or the encryption's implementation. It simply looked at the basics of the encryption and privacy setups.
The EFF's findings don't reflect well on many popular messaging apps. Snapchat, WhatsApp, Facebook Chat and Google Hangouts, for example, each earned only two checkmarks: They do encrypt data in transit and have had their code audited, or reviewed.
None of the four have end-to-end encryption, and providers can read users' messages because the apps use the providers' encryption keys instead of keys created by the user. Nor do any of the four have perfect forward secrecy or any way to verify contacts' identities. Their software isn't open to independent review, and their security designs have not been properly documented.
Skype also received only two checks: one for encrypting data in transit and one because it does have end-to-end encryption. It failed all the other criteria.
Secret, Kik, AIM, BlackBerry Messenger, Viber and Yahoo Messenger all received a single checkmark, for encrypting data in transit.
Even Wickr, a free secure-messaging app with a good reputation, received only four out of the seven because it does not provide a way to verify contacts' identities, its code is not open to review and its encryption has not been properly documented.
All the apps that received perfect scores are well known in the security community, though not as widely used as others in the test. Silent Text and Silent Phone, for example, are subscription-based apps from security company Silent Circle that also form the backbone of the new privacy-oriented Blackphone.
TextSecure is a free app for adding encryption to SMS and MMS messages on Android phones. While most other messaging apps let you communicate only with other users of the same app, TextSecure sends SMS and MMS messages the way you usually do, although you will receive the app's full protections only when messaging other TextSecure users.
TextSecure is created by San Francisco-based company Whisper Systems. Two more of Whisper Systems' apps, Signal and RedPhone, also achieved perfect scores on EFF's scorecard. Signal is a secure messaging and voice app for iOS, and RedPhone is a voice app for Android.
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.