Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Google Privacy

Battle of the Secure Messaging Apps: Signal Triumphs Over WhatsApp, Allo (theintercept.com) 171

There is no shortage of messaging apps out there, so which one should you be using? If you care about your privacy, you would want your messaging client to be end-to-end encrypted. This narrows down the list to WhatsApp, Signal, and Allo. The Intercept has evaluated the apps to find which among the three is the best from the privacy standpoint. The publication says that while all the three aforementioned apps use the same secure messaging protocol (Open Whisper System's), they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud.
WhatsApp:It's important to keep in mind that, even with the Signal protocol in place, WhatsApp's servers can still see messages that users send through the service. They can't see what's inside the messages, but they can see who is sending a message to whom and when.In addition, WhatsApp also retains your contact list -- provided you have shared it with the service. If government requests access to this data, WhatsApp could hand it over.
Allo:The first thing to understand about Google's forthcoming Allo app is that, by default, Google will be able to read all of your Allo messages. If you want end-to-end encryption via the Signal protocol, you need to switch to an "incognito mode" within the app, which will be secure but include fewer features. [...] Allo's machine learning features prevent Google from turning on end-to-end encryption for all messages, since Google needs to be able to ingest the content of messages for the machine learning to work, a Google spokesperson confirmed. Signal:The first thing that sets Signal apart from WhatsApp and Allo is that it is open source. The app's code is freely available for experts to inspect for flaws or back doors in its security. Another thing that makes Signal unique is its business model: There is none. In stark contrast to Facebook and Google, which make their money selling ads, Open Whisper Systems is entirely supported by grants and donations. With no advertising to target, the company intentionally stores as little user data as possible. Signal's privacy policy is short and concise. Unlike WhatsApp, Signal doesn't store any message metadata. [...] If you back up your phone to your Google or iCloud account, Signal doesn't include any of your messages in this backup.But what about Telegram, you ask? A Gizmodo report, also published on Wednesday, says that Telegram's default settings store your message on its unencrypted servers. "This is pretty much one of the worst things you could imagine when trying to send secure messages."
This discussion has been archived. No new comments can be posted.

Battle of the Secure Messaging Apps: Signal Triumphs Over WhatsApp, Allo

Comments Filter:
  • Want a messaging app that is secure, get a peer-to-peer messaging app that does not depend on servers.

    • by Anonymous Coward

      > Want a messaging app that is secure, get a peer-to-peer messaging app that does not depend on servers.

      And:
      (1) Was not compiled by anyone else
      (2) Does not depend on libraries compiled by anyone else
      (3) Does not run on an operating system compiled by anyone else
      (4) Does not run on hardware built by anyone else
      (5) Is completely bug-free all the way down to the hardware
      (6) Does not depend on unique identifiers like telephone number
      (7) Only uses onion routing to prevent 3rd parties from building a social-gr

      • by drpimp ( 900837 )
        Clearly the only "Safe" option is using telepathy.
      • by Anonymous Coward

        The Wickr instant messaging app allows users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments.The software is available for the iOS, Android, Mac, Windows, and Linux operating systems and is very secure.

      • You clearly missunderstood your parent.

        Want a messaging app that is secure, get a peer-to-peer messaging app that does not depend on servers.(7) Only uses onion routing to prevent 3rd parties from building a social-graph of your contacts

        Onion routing requires nodes, aka servers.

        As we are talking about phones which get basically dynamic IP adresses all the time, it is impossible to have such a service without a central server infrastructure that knows who is online and how he is reachable.

        Of course such ser

        • by unrtst ( 777550 )

          Onion routing requires nodes, aka servers.

          As we are talking about phones which get basically dynamic IP adresses all the time, it is impossible to have such a service without a central server infrastructure that knows who is online and how he is reachable.

          That isn't true. Anytime you write "impossible", it should make you think twice.
          Here's an example (I haven't used this, but I know this sort of thing is very feasible via Tor): https://github.com/prof7bit/To... [github.com]

          • Of course it is true:

            TorChat is a peer to peer instant messenger with a completely decentralized design, built on top of Tor's location hidden services,

            You need a Tor Service to find your peer. How else would you find a peer?

            Reading the wiki helps: https://github.com/prof7bit/To... [github.com]

            On the other hand, we talked about Phones, where IP adresses change constantly (actually they use a different protocol for addressing), Tor is for "PCs" only.

      • Every choice in life is a trade-off. There is no such thing as perfect. You must prioritize what matters most to you.

        A confounding factor in my case is that every clique I communicate with seems to have their own pet IM app, to the extent that I've got an entire subfolder in my phone dedicated to all the IM apps I need to run to communicate with them all. All taking up memory and resources when they poke around for new messages. What I want most is some sort of Trillian Mobile that unifies everything into one single app, not one app per user or group.

        Also, is it just me or is Wickr on Android the least reliable IM app e

      • by AmiMoJo ( 196126 )

        In this case we know something about how governments and other spies operate. I'm sure if the NSA or GCHQ really wants you data they will get it by some foul means, but for avoiding bulk surveillance and preventing your private communications entering the hands of law enforcement, local government, ISPs, consumer rights groups (see proposed UK Snoopers' Charter) etc. keeping your data off a third party server works really well.

        In the UK the government is likely to require ISPs to log your traffic. It is the

    • Want a messaging app that is secure, get a peer-to-peer messaging app that does not depend on servers.

      That sounds incredible. So now you must email or call the person you're attempting to chat first and get their IP address as well as make sure the proper ports are open for bi-directional communication. Why didn't anyone think of this already!

      • by NotAPK ( 4529127 )

        I'm not picking on you in particular, there is a whole rash of posts in this thread going "der, dynamic IPs, der, P2P lol" and no one is thinking at all.

        Yes, a distributed server infrastructure is probably (weasel word because I'm not a computer scientist) required for randomly distributed hosts to discover each other across a NAT-heavy dynamic IP internet.

        However, the host finding protocol is entirely different to the P2P messaging protocol.

        Once the hosts are knows and can be contacted then the P2P protoco

      • That's what NFC is for.

    • Honestly, most users don't care about this type of privacy. They just want something that can prevent their spouses/boyfriends/girlfriends/parents from seeing their conversations and more points if there is no record left that their was a conversation.

    • ... which is strictly distributed and available as open source, see Ring official site [ring.cx] or Ring on F-Droid [f-droid.org]. Unlike Signal, you can compile your own working Ring App from the sources.
      • by johanw ( 1001493 )

        If you can't compile Signal yourself that's only due to lack of knowledge on your part. I compile my own Signal version (with some slight changes) with each new release. All the required tools can be downloaded for free.

    • by johanw ( 1001493 )

      Try Silence (former SMSSecure): https://github.com/SilenceIM/S... [github.com] . It is a fork from TextSecure, the predecessor of Signal, and uses the Signal protocol over SMS. You still need phone providers, so technically you need servers, but you need no account and no registrations.

    • by jrumney ( 197329 )
      And talk to all your friends on the same subnet, or with a static IP address. Somehow I don't see this level of security taking off.
  • by H3lldr0p ( 40304 ) on Wednesday June 22, 2016 @04:11PM (#52368893) Homepage

    and it's need to have a machine-learning built into it. It's going to be like that stupid Inbox stuff Google tried pulling a few years back, isn't it? I don't need something to create rules and read my email for me to sort it out. I can do both of those tasks just fine. Doing that doesn't save me effort or mental expense; just the opposite. If I had it turned on, I'd be worried it was screwing something up.

    With Allo auto replying for me, I'd be very concerned it would be handing out information to people I didn't want to know certain things in my life. Even though Google is likely going to indemnify themselves in the click-thru, I can't wait for the first lawsuit from someone who was stalked and assaulted because Allo told said stalker where they were.

    • by Anonymous Coward on Wednesday June 22, 2016 @04:29PM (#52369047)

      It's Google. Google doesn't care about your privacy. In fact, Google hates your privacy. Don't touch anything from Google. It's an evil company.

    • I'm confused by google, I really REALLY can't understand their messaging app strategy.
      They had a great, easy, fast, and ubiquitous app with Gtalk, it had an open protocol, integrated with several third party software, had a simple and effecitive desktop client, then, out of nowhere they decided to do hangouts... ok, it added video and some other bells and whistles, but it was worse, it was separate from Gtalk in the begining and just pushed people away. Then they decided to stop supporting gtalk and tried
    • It's going to be like that stupid Inbox stuff Google tried pulling a few years back, isn't it? I don't need something to create rules and read my email for me to sort it out. I can do both of those tasks just fine. Doing that doesn't save me effort or mental expense; just the opposite.

      Inbox is awesome.

      The thing you have to understand about Inbox, though, is that it's an e-mail client focused on the needs of people dealing with enormous volumes of email, and people whose email inbox (or at least a subset of it) represents their to-do list. If you get 400+ emails per day, including lots of emails from mailing lists and various automated systems, and including many emails that you don't actually need to read but just scan quickly, Inbox is a lifesaver.

      What makes it great?

      1. Gmail's la

      • And in return, you let google read, index, and data mine all your email.
        You gave up some privacy for a few minutes of convenience.
        No thank you.

        • And in return, you let google read, index, and data mine all your email. You gave up some privacy for a few minutes of convenience. No thank you.

          Well, that's the same with Gmail. I was presenting Inbox as a Gmail UI alternative. There are clearly other issues which may lead people to other decisions. Personally, I'll take the convenience (and did even before I started working for Google).

          As a practical matter, what negative impact on your life would you expect from allowing Google to index your email? For me it's fewer ads for tampons and more ads for cameras and quadcopters, which works for me.

          • It crosses a line with me. Knowing personal details gained from 'reading/indexing' what are supposed to be private messages is just wrong. I know its in your EULA and anyone using your services has agreed to allow Google to do this. But I never will. Even if the data is for ads, its still a personal profile about very, very private details. I know Marketers drool at the mouth for information like this, but I will not give you that info. EVER!

  • by Anonymous Coward on Wednesday June 22, 2016 @04:16PM (#52368937)

    Encrypted end-to-end by default.

  • by Anonymous Coward

    Seeing their source does not assure you of anything. You'd have to decompile the app you download from the store to know if it was bugged.

    • by vux984 ( 928602 )

      you are welcome to compile and install signal yourself; if you don't trust the app store download.

    • by wbr1 ( 2538558 )
      Uh... dude you can compile your own APK if you so wish and sideload it. Most won't, but most people don't compile any of their own software.
    • by Striek ( 1811980 )

      You can also compile it from source yourself and verify the checksums. While you can't prove that nothing was changed from the given source code, you can prove that that same source code can produce an identical binary, and induce that nothing has been altered.

      It's still good enough to eliminate the possibility of tampering, assuming someone is watching.

      This was done, for example, with TrueCrypt [concordia.ca].

  • by Yvan256 ( 722131 ) on Wednesday June 22, 2016 @04:17PM (#52368953) Homepage Journal

    The one your friends and family use. What's the point of a secure messaging network if nobody you know uses it?

    • by heypete ( 60671 )

      The one your friends and family use. What's the point of a secure messaging network if nobody you know uses it?

      Users can install multiple messaging apps. I, for one, have several: Signal, WhatsApp, Google Hangouts, Skype, etc.

      So far it works fine, and most of my friends and family use Signal.

    • The one your friends and family use. What's the point of a secure messaging network if nobody you know uses it?

      My work uses Jabber, our outsourced developers use Hipchat, our other outsourced consultants use Slack, my kids use WhatsApp, and Snapchat, my wife uses Facebook, and SMS, My close friends use Wickr, my other friends are still on MSN/Skype. I have all these (except Facebook which I refuse to be a part of) and it's no big deal, I actually prefer that there's no crossover of worlds. This is the one thing Facebook/Google/Linkedin etc don't get. I have different relationships, and I like to keep them all separa

  • Wire is a rather nice messaging App that has end to end encryption. They don't advertise, or hold encryption keys. See here: https://wire.com/privacy/

  • by Anonymous Coward on Wednesday June 22, 2016 @04:22PM (#52368989)

    If you care about your privacy...

    ..then you have already stopped obsessing with "apps" and are primarily concerned with protocols. Once you have decided on, say, XMPP plus OpenPGP extensions, then you have plenty of competing apps to chose from.

    And of course, it follows that whatever protocol you use, will be "service-agnostic." Since you're going to pick something which uses a secure protocol, you basically don't care about servers; they're all commodities. Install jabberd or whatever at your Linode. Seriously: whatever.

    I don't know how WhatsApp or Allo are even seriously considered. What do they speak? When people talk about the app more than the protocol, that's a bad sign. (e.g. I use the web and it's irrelevant whether I use it with Chromium or Firefox. The more you care about my specific browser, the more I think you're trying to talk me into not-using-the-web.)

    • by BlortHorc ( 305555 ) on Thursday June 23, 2016 @05:56AM (#52372663)

      If you care about your privacy...

      ..then you have already stopped obsessing with "apps" and are primarily concerned with protocols. Once you have decided on, say, XMPP plus OpenPGP extensions, then you have plenty of competing apps to chose from.

      And of course, it follows that whatever protocol you use, will be "service-agnostic." Since you're going to pick something which uses a secure protocol, you basically don't care about servers; they're all commodities. Install jabberd or whatever at your Linode. Seriously: whatever.

      I don't know how WhatsApp or Allo are even seriously considered. What do they speak? When people talk about the app more than the protocol, that's a bad sign. (e.g. I use the web and it's irrelevant whether I use it with Chromium or Firefox. The more you care about my specific browser, the more I think you're trying to talk me into not-using-the-web.)

      This gets modded as Insightful? Really?

      You don't have to have read TFA, read TFS ffs. They all use the Signal protocol, what is relevant is precisely the servers and what meta data they store and what their privacy policy says they will disclose to 3rd parties.

      Hence the fricking article.

  • Threema is missing (Score:3, Insightful)

    by Knuckles ( 8964 ) <knucklesNO@SPAMdantian.org> on Wednesday June 22, 2016 @04:23PM (#52368997)

    n/t

  • by nitehawk214 ( 222219 ) on Wednesday June 22, 2016 @04:24PM (#52369005)

    Whats the point of "secure" messaging in Whatsapp and Allo if the messages are not actually secure?

  • Wickr (Score:4, Informative)

    by lazarus ( 2879 ) on Wednesday June 22, 2016 @04:29PM (#52369049) Homepage Journal

    "We commend Wickr for its strong stance regarding user rights, transparency, and privacy [eff.org]"

    Wickr [wickr.com]

    • Re: (Score:3, Interesting)

      by ffkom ( 3519199 )
      But Wickr is commercial and requires central servers. Ring [ring.cx] does not.
      • But Wickr is commercial and requires central servers. Ring [ring.cx] does not.

        If Slashdot has taught me anything, it is: Never, ever click on a URL ending in ".cx".

    • >"We commend Wickr for its strong stance regarding user rights, transparency, and privacy [eff.org]"

      And, yet, the product is still completely coded-source. You are downloading and running an unknown binary and have no idea what they or are not doing with your data. There could be backdoors in that code either by Wickr or by some three-letter government agency and nobody will ever know.

      You really can't assure security/privacy of anything if you are using closed-source software. Period.

      • I completely agree with you FWIW. Two points though:

        1. The closed source on my mobile device could have back doors that I wouldn't know about. And frankly some open source code that is principally written by a large Corp (Google) is not particularly peer-reviewed by the FLOSS community and could be riddled (and often is) with vulnerabilities. Open source is not "the" answer - it also has to be accompanied by an open development community.

        2. Some (but not all) of the closed-sourced concern about Wickr is

  • Use Wickr. It's very secure.

  • by Anonymous Coward

    All messaging apps are replaced by open standards, and you have your choice of client.

    • by dovf ( 811000 )
      Check out https://matrix.org/ [matrix.org] -- might just be what you're looking for, looks very promising so far...!
    • XMPP is an open standard supported by dozens of messaging applications on every platform in existence. I use "Conversations" which supports end-to-end encryption.

      Who posted this article? It is truly uninformed.

  • iMessage is also end-to-end encrypted... and already has a huge install base.

    • Re:iMessage (Score:5, Informative)

      by Aqualung812 ( 959532 ) on Wednesday June 22, 2016 @04:56PM (#52369303)

      iMessage has a few issues:

      -Can't verify keys
      -By default, will send as SMS if you have data connection issues
      -Will send as SMS regardless of settings if the other person's iPhone is signed out from iMessage
      -Only works on iOS devices

    • iMessage only works on iOs/OS X and is not reliable it loses messages all the time (unless it falls back to SMS).

      • Reliability is pretty good... but you are right that it will fall back to SMS by default (you can turn that off).

        • I switched SMS ON and switched internet usage off, as I have plenty of messages that never reached the recipient and plenty of messages that only reached one of my devices (via internet).

          In my case you clearly can see what I have sent and what I have received does not match on the iPad, iPhone and Mac.

          • Then you have something misconfigured on your devices. I successfully use iMessage all day long (everyone in my sphere other than my boss uses iDevices) across an iPhone, iPad, Apple Watch, Macbook Pro and two Mac Pros... all of them are always in perfect sync with all messages showing on all devices instantly.

            Take some time to work on the configuration on your devices. Make sure that they are all signed into the same iCloud account and set to be "Reached by iMessage" at all of your contactable addresses

            • by Yvan256 ( 722131 )

              I do NOT have cellphone service on my iPhone so you can put aside any SMS-related problems for my case. I also don't use iCloud so it can't be that either. Don't confuse Apple account with iCloud account.

              I use iMessage on my iPhone and my Mac. Sometimes, the iPhone will keep annoying me about new messages even though I'm reading them on my Mac. Other times, the iPhone will receive days-old messages from multiple persons in a single burst. It also doesn't sort them in order either so my messaging threads for

              • Not using iCloud is your problem. They synchronize through iCloud. Get an iCloud account and put them both on it.

            • I don't think there was anything wrong configured.

              Which messages get missing on which device looked pretty random to me.

              With no longer using iMessage on my iPad and Mac and on the other hand having set my iPhone to SMS all is fine anyway.

              However you have interesting hints, did not know (or forgot already again) that there are so many options (where something can go wrong).

  • I was all set to go whole-hog with the Signal Protocol, until I realized I could only use it on three of my devices. It's a hard-coded limit (cf. github) and there are no plans to change that, currently.

    • by vux984 ( 928602 )

      For me, i could get away with 3 devices (just) but the desktop version appears to be a chrome application.

      I don't really know much about "chrome applications"

      I don't really want chrome in the first place. I definitely don't want a messaging app running in a broser tab or window if i can avoid it. If it gets its own task bar icon, and its own notification settings and it works with chromium etc etc it might be ok...???

  • by 93 Escort Wagon ( 326346 ) on Wednesday June 22, 2016 @04:56PM (#52369307)

    WhatsApp: You might have a chance of actually being able to communicate with someone you know - especially if you live in Brazil.

    Allo: "The first thing to understand about Google's forthcoming Allo app..." - yeah, because Google Plus was such a hit.

    Signal: The good news is, you can probably find all your Diaspora friends on this one.

    Seriously... let's ignore all the ones that most people actually use, shall we?

    • by johanw ( 1001493 )

      If you look at the installed base, WhatsApp if the biggest. After that, we get Viber, Wechat and Line. Wechat is of course unsecure and mostly used in China or by Chinese-speaking people. So for western countries, if you order by user base Whatsapp is by far the nr 1.

      SMS is falling FAR behind, even though even more people can use it, because it costs money in most countries and has far fewer functions.

  • by Anonymous Coward on Wednesday June 22, 2016 @05:05PM (#52369375)

    None of the three are secure at all. The FBI/CIA use time logging as a default tracking failsafe mechanism.

    To have private chat you will have to run a live cd of Tails on a cd or in a virtual machine from an .iso as a live cd.

    The only good version is 1.4.1. It is what Ed Snowden used. Do not ask me how I know, especially on Slashdot.

  • Centralized IMs (Score:4, Insightful)

    by MRZA ( 4458075 ) on Wednesday June 22, 2016 @05:11PM (#52369417)
    I think it's stupid to talk about privacy and centralized services. Only federation can give use decent privacy level. Like XMPP. XMPP has e2e encryption (OMEMO, PGP, OTR). And serverless solutions like Tox. Although, it's still missing some important functionality. If you have a choice use decentralized services.
    • by dovf ( 811000 )
      Check out https://matrix.org/ [matrix.org] -- federated, open source, open spec. it's still being actively developed, but from what I've seen so far it's looking really solid, and seems like a good development community, too... End-to-end encryption isn't yet finalized, but it's said to be coming soon...
  • so which one should you be using?

    The one that lets you contact people. So our choices are:

    WhatsApp: Used my hundreds of millions of people around the world. A de facto standard in many countries
    Allo: Forthcoming? As in not here yet?
    Signal: ... what? Who are you people?

  • by angel'o'sphere ( 80593 ) on Wednesday June 22, 2016 @05:33PM (#52369603) Journal

    https://threema.ch/en [threema.ch]

    Servers in Switzerland, Company has "bank status", open API, everything encrypted, anonymous ID.

    • was wondering why that wasn't included. Thought the user-authentication process would be considered a positive.

      • by johanw ( 1001493 )

        It's not free so that reduces usage a lot.

        • The app, costs like $5 or something, and then messaging is free. That is about the cost of a beer or two (depending on your country and beer sizes).

          Can't get it how "cheap" people are in our times.

  • Wire is missing! (Score:3, Informative)

    by rarruda ( 464686 ) on Wednesday June 22, 2016 @06:05PM (#52369829)

    Wire has complete e2e--encryption and a full set of features missing in the other apps. (As well as all encryption bits being open source).

    Simple comparison chart is here: https://wire.com/privacy/ [wire.com]

  • Signal is great! Easy to use, secure, open source. What's not to love? The iPhone version sucks more than the Android version and there really isn't a desktop version yet. I really want a way to read and respond to Signal messages on my big keyboard and monitor.

    And yes I know about the Chrome extension, I don't use close-sourced browsers.

  • [WhatsApp] can see who is sending a message to whom and when

    Of course they do. How could they manage replies otherwise?

    • by Striek ( 1811980 )

      They could have messages sent directly between peers and not need to manage the replies at all. It's the relieance on a central server that is one of their biggest privacy weaknesses, the article is arguing.

  • As far as I can tell, these apps all require a user to have a telephone number (Subscriber Identity Module). This is then used to ensure a securely authenticated connection.

    Good in theory.

    However in practice, I get a new number every few years (by choice even if I could keep my old number when signing a new contract). After 5 years on my current number, I still get accounts, calls, and other material (via SMS or MMS) intended for the previous owner of the number.

    Also, in my country, some banks use the sa

  • Telegram is a good compromise for all my needs.

    Not everything needs to be encrypted. If the gov't finds out that I told my friend that my kitty did the cutest thing with a tissue, who cares? If I need to give someone a password to an account I set up for them on a server, then I have the option to encrypt. It would be nice if Telegram switched to using Signal's protocol for encrypted communications, cause Signal appears to be the benchmark that all other protocols are compared to, and I know there have b

  • Whatsapp and Signal can probably (whatsapp is no open source) see the same amount of data. Whatsapp is honest and tells the user, what they possibly can see, signal doesn't do this that upfront.

    Nothing against some actually secure apps (and one point you should not neglect is a trustworthy vendor, which doesn't push malicious updates to an app, which is secure at the moment), but check your facts. I think there was one messanger (app, programs there are some), which wanted to get rid of the metadata by usin

"The urge to destroy is also a creative urge." -- Bakunin [ed. note - I would say: The urge to destroy may sometimes be a creative urge.]

Working...