What is Secure? An Analysis of Popular Messaging Apps

Justin Hendrix, Cooper Quintin, Caroline Sinders, Leila Wylie Wagner, Tim Bernard, and Ami Mehta.

In a world where privacy and security are increasingly under threat, particularly in countries swept up in a global wave of autocratization and erosion of rights, encrypted messaging apps are an increasingly popular—and necessary—way to share information, organize and engage with one another, and do business. But while the promise of secure messaging is private communications and user control over the spread of personal or group information, the reality is often more complicated, particularly in the age of surveillance capitalism. An overlapping, interconnected set of engineering, design, and system factors, coupled with varied user behaviors and shifting policy environments, have created conditions in which individuals may subvert their own interests or those of their communities while using encrypted messaging apps.

From September 2022 through May 2023, we analyzed popular messaging apps–including Signal, WhatsApp, Telegram, Messages by Google, Apple Messages and Meta’s Messenger–across a range of dimensions, including technical security, user experience, how the apps engage with users and developers, and their policies, terms and conditions. We sought to understand how people form mental models of their own individual or group digital security and corresponding threats, ways in which the technical and design decisions that the developers of encrypted messaging apps make can leave users vulnerable, and potential solutions that encompass technical, design, and policy adjustments.

To answer these questions, we adopted principles from frameworks such as Privacy by Design and Design from the Margins. We completed a technical review of selected apps; a detailed user experience and user interaction design analysis; and a comprehensive policy review. We interviewed a range of experts, and conducted field work with at-risk users including abortion rights activists in New Orleans, Louisiana and journalists in Delhi, India. 

The full 86-page report PDF is available for download here.

Key findings and recommendations include:

1. Users are too often flying blind. Even those most concerned about privacy rarely have sufficient information to make decisions that are in their own best interest. There is a substantial gap between the promise of encryption and the reality of threats to secure messaging in practice. We encountered various forms of “security folklore” that inform user decisions in place of information grounded in fact, as well as “security nihilism,” a debilitating sense among some that there is no way to communicate securely.

2. An app’s cryptographic security doesn’t mean it is secure. Implementation is everything. The failure to implement end-to-end encryption by default, such as on Telegram and Meta’s Messenger, illustrate this point. Users may not understand the distinction when presented with confusing options like “secret chat” and “private chat.” And few users understand design distinctions, such as different colors for messages in Apple’s iMessage and Google Messages, that are intended to communicate different types of messages (SMS or encrypted,) and thus different levels of security.

3. Follow Signal’s lead and encrypt or don’t store metadata. Signal is the only app that has taken steps to hide users’ profiles, contacts, group metadata, and even message sender information. Other developers need to follow Signal’s example and hide user metadata by keeping it encrypted with the user’s account key and only handling unencrypted versions in secure enclaves.

4. Let users decide which features should be on or off. Companies need to allow for any feature that impacts privacy and security to be turned on and off, and to explore and implement more granular settings that allow for users, especially high-risk users, to tailor the service to their needs, including when it comes to disappearing messages, link previews, storing and deleting call logs, and interaction history.

5. Close technical and design ‘loopholes’ that betray privacy. From unencrypted backups of messages and the use of phone numbers as identifiers to flaws in how deleted messages are handled, confusing naming conventions for certain features, and bad user design on some options, there are a range of technical and design issues that the makers of messaging apps need to address urgently.

6. Beware the bloat. Especially when it comes to apps that are connected to or are trying to emulate some aspects of social media plat