Privacy and security in messaging apps, explained

You just got one of the best Android phones and chances are one of the first things you'll do is message a friend to tell them the good news.

When we send a message to someone, we should expect a few things: that they'll get the message, nobody else can read the message, and no other company is tracking anything we do while we're chatting it up. Unfortunately, it doesn't usually work that way.

Most one-on-one ways to message someone are secure to an extent. Nobody can read your Twitter DMs unless they are logged in as you. Google and Facebook spend a lot of money to make sure the servers that transmit messages are locked-down tight. Apps like Signal and Telegram are developed with help from security specialists to make them secure.

Most messengers are secure, but few are actually private.

Unfortunately, privacy is another matter. Most messaging apps are designed to track you in some way. The developers want to know how and when you use them, how long you use them, where you are, whether you're on Wi-Fi or a cellular network, and so on. Your carrier tracks everything you do and even keeps a log of what you typed. Nobody is actually reading your messages because all this tracking is automated, but there's a file attached to you that's chock full of data about you.

Both of these things are pretty important — and before you say you don't care, think how you would feel if I came into your house and dug through your dresser drawers. Privacy and security should be important to everyone. Unfortunately, how it all ties together when you send a message to a friend is confusing, so let's break it down and try to fix that.

Privacy

Guess what? I fell going down the steps the other day. I was chatting in a Telegram group when it happened and I said something like "o crap I just fell down the stairs again" and laughed it off. I shared this with a few friends, and to my pal Jeramy I mentioned that I usually have to kind of crawl my way up or down because walking isn't my strong point. Now I'm sharing that with you.

There are some things we just don't want to share with the world or with an app developer.

This isn't the kind of information I want to share with the world, but I'm doing it this time to prove a point — we say things in messages that we don't ever want other people to read. It doesn't have to be something illegal or something sexy or something dramatic. It could be something as simple as saying you're a grown man who has to crawl up and down the stairs. We want to keep the things we message private between just ourselves and the intended recipient(s). And yes, Jeramy said I could share this.

This is the kind of privacy we understand. Nobody wants someone else to read their messages. But privacy means a little bit more when you're talking about an app on your smartphone. Not all Android apps are offenders, but many of them try to track everything you do. Most messenger apps are fairly decent about the data they collect and only want metrics that they can use to improve the app or the service.

Never give an app access to your contacts so it can help you find your friends. You can do that yourself.

One thing almost every messenger app does though is ask to look into your address book to help you find friends that also use the app. Unfortunately, that often ends up with an app harvesting all the contact data you have on your phone including phone numbers and notes you've added. Always say no when a messenger asks for access to your contacts. If not for yourself, do it for your friends.

Also, remember that your carrier tracks everything and keeps a record of your SMS messages. It's doubtful that anyone reads them unless they are subpoenaed by a law enforcement agency.

Security

When it comes to messaging, security means two different things: the security of the service and any cloud components, and the security of the messaging service itself. A big part of a messaging service's security is also designed to protect your privacy.

The cloud component of any decent messaging service is kept secure.

Every name that you know when it comes to a messaging service keeps its servers secure. That doesn't mean that they are impenetrable — it means that the company spends the time and money to make the servers that transmit your messages as secure and up to date as they can be. Your messages only spend a very short time on these servers and should never be stored.

The second layer of security that applies to those servers is how the service itself works. Ideally, a messaging service should use true end-to-end encryption. That means when you send a message, it's encrypted and only the recipient has the key to decrypt it. If someone were to break into a server or find another way to capture a message that's being sent they would not have the key to decrypt it.
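
The exchange described above, as an added example that is not part of the original article and is not the Signal or Telegram protocol: two devices agree on a key with X25519, and the relay in the middle only ever holds public keys and ciphertext. It uses Node's built-in crypto module; `relayServer`, `newIdentity` and the other names are hypothetical, and the message text is constructed.

```javascript
// Added illustration: X25519 key agreement + HKDF + AES-256-GCM (Node built-in crypto).
// Not any messenger's real protocol; all names here are hypothetical.
const crypto = require('node:crypto');

// Each user generates a key pair on their own device; the private key never leaves it.
function newIdentity() {
  return crypto.generateKeyPairSync('x25519');
}

// Both ends derive the same 32-byte key from their private key and the peer's public key.
function deriveKey(myPrivateKey, peerPublicKey) {
  const shared = crypto.diffieHellman({ privateKey: myPrivateKey, publicKey: peerPublicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2ee-demo', 32));
}

function encryptMessage(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decryptMessage(key, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // final() throws if the key is wrong or the data was altered
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// The relay stores and forwards envelopes; it holds public keys only.
function runDemo() {
  const alice = newIdentity();
  const bob = newIdentity();
  const relayServer = { directory: { alice: alice.publicKey, bob: bob.publicKey }, queue: [] };
  const text = 'constructed sample message';
  relayServer.queue.push(encryptMessage(deriveKey(alice.privateKey, relayServer.directory.bob), text));
  const envelope = relayServer.queue[0];
  const serverSeesPlaintext = envelope.ct.includes(Buffer.from(text));
  const received = decryptMessage(deriveKey(bob.privateKey, relayServer.directory.alice), envelope);
  // Someone who copied the envelope but holds a different private key cannot open it.
  const intruder = newIdentity();
  let intruderRead = true;
  try {
    decryptMessage(deriveKey(intruder.privateKey, relayServer.directory.alice), envelope);
  } catch {
    intruderRead = false;
  }
  return { received, serverSeesPlaintext, intruderRead };
}
```

The relay in this sketch is still trusted to hand out the right public keys, which is why real messengers give users a way to compare keys out of band.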

End-to-end encryption is a must if you value your privacy and care about security.

Encryption isn't foolproof though. Any encryption can be broken if someone wants to put enough time and effort into it. Thankfully, most of us aren't high-profile public figures and thus aren't worth that time and effort. A bigger problem is when a service is forced to share encryption keys with a government. That has happened and will happen again. Your government does not like encryption because it wants to be able to read your messages if you were on trial for committing a criminal act.

The final thing to know is that encryption on any level means nothing if someone is able to get access to your phone. Messages from any service are just a tap away from anyone. Keep your lock screen active, use a good password and PIN, set up a biometric lock for convenience, and never rely on Android's stock face unlock or pattern lock as the only thing keeping someone else out of your phone.

What's the most secure service?

The answer here is debatable, but my choice as the most private and secure messenger is Signal. Many services offer end-to-end encryption and have well-maintained cloud servers, but Signal is open-source and security experts love digging through the code trying to find a way to break it. By doing so, any vulnerabilities can be quickly patched and the process starts all over again.

Signal or Telegram are your best choices for a secure and private messenger.

Telegram is also open source, but only the client that uses the Telegram API; the server isn't open source the way Signal's is. That's important code for security researchers to have access to, and with Telegram they just don't. Either Telegram or Signal is a very good choice, though, and you should consider your messages secure and private when using either service.

The more important conversation here is which services don't offer privacy or good security that helps protect it. That list is long and also debatable, but there are a few standouts.

  • SMS is never secure nor is it private.
  • Google Messenger/Chat is not end-to-end encrypted if you send an SMS message. The same goes for iMessage if you happen to use an iPhone, iPad, or an Apple computer.
  • WhatsApp offers end-to-end encryption but Facebook simply can't be trusted to not track your usage.
  • Facebook Messenger has the same problem as WhatsApp — Facebook itself.
  • DMs through social networks aren't encrypted and your usage is tracked both on the web and through an app.

In the end, you're probably not going to be able to get all your friends, family, and odd acquaintances to switch messaging apps, so a lot of this conversation is moot. That's why I have and use four messaging services — nobody wants to switch to Signal, which is my preference.

What you can do is use some common sense when you're chatting and remember that it's possible someone else might get to see anything you send. It's doubtful that anyone with the time and the skill is trying to get into your messaging accounts, but it could happen.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.