When you send a postcard through the mail, the content is not protected and anyone who handles it could read it. The same is true of SMS text messages: any carrier of the message can potentially read the contents.
When a message is encrypted, it is scrambled so that only the sender and receiver can read it. Think of it like using a sealed envelope to send a letter in the mail instead of a postcard.
A common way chat apps protect your messages is to encrypt them between your device and the app’s servers. The content of the message is decrypted on the app’s server, then sent encrypted to the recipient. This type of encryption is like a letter being sent in an envelope to a mail centre, where it is then opened, repackaged in a new envelope, and sent to its destination. This protects your message while it is in transit and stops your Internet Service Provider or network operator from reading the content. But the provider of the chat app has a copy of your message, and that can lead to risks if the company’s servers are compromised, a rogue employee accesses them, or a government agency requests the data from the provider.
Recently, many chat apps have introduced "end-to-end" encryption, which means messages are encrypted so only the sender and intended recipient can read them, like sending a letter that is locked with a key that only the recipient has. End-to-end encryption protects the privacy of your messages and ensures only the people you send them to can read them.
Popular chat apps with end-to-end encryption
These apps have end-to-end encryption on by default!
These apps include options to turn on end-to-end encryption
Encrypted Messaging is Not Invincible
End-to-end encrypted messaging is effective at protecting the content of your messages from being read as they travel across the Internet to your contacts. But encryption alone is not invincible: to stay secure you also need to protect your device and be mindful of the other information that is sent along with your message.
Secure your Device
End-to-end encryption protects your messages when they are sent over the Internet, but you still need to protect the security of your device to ensure that if it’s ever lost, stolen, or confiscated, your messages can’t be read.
Password protect your device. Use a strong passcode to lock your device. A screen lock protects your data from being accessed when your device is on. Set it up for Android and iOS.
Turn disk encryption on. Encrypting your device protects the data on it when your device is off and ensures your data can’t be copied and read if your device is lost or stolen. If you use a recent iOS device and have it protected with a passcode or Touch ID, your device is already encrypted! Most newer Android devices have encryption by default, but you can check if you have enabled disk encryption with a few easy steps.
Don’t wait. Update! Ensure your operating system and apps are updated with the latest security fixes.
Watch out for sketchy apps and messages: If your device or your contact’s device is infected by malware, it's possible that someone can access your messages. Be mindful of the applications you install. Don’t install apps from unknown sources, and be vigilant about messages that ask for passwords or try to trick you into installing applications.
Be mindful of metadata
Sending a message with end-to-end encryption means that only you and your contact can read the content. But a lot can still be learned just from metadata (the data about the message), like when it was sent, to whom it was sent, and what application was used to send it. Metadata is like the address information and stamp on an envelope. Encryption protects the content (the letter inside the envelope) but does not protect the metadata (the address information on the envelope). An application may store this information or it could be intercepted by someone who is monitoring the network.
Choosing a Secure Chat App
Click on the three categories below for tips on how to make informed decisions about which encrypted messaging apps to use and how to securely use them.
How can you be sure that the person you are talking to on a chat app is really who you think they are? Secure chat apps should include identity verification features that help you to confirm who you’re talking to.
Identity verification features provide a verification code that you can check with your friend over a phone call, message in another app, or by scanning a QR code in person. A secure chat app should alert you if your chat buddy’s device information ever changes, which means you should re-verify them.
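The check described above, as an added example that is not taken from any of the apps discussed: both phones derive the same short code from the two public keys, and the app flags a contact whose key later changes. The code format, the `Contacts` class and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac

def verification_code(key_a: bytes, key_b: bytes) -> str:
    """Same digits on both phones: the keys are sorted before hashing."""
    material = b"".join(len(k).to_bytes(2, "big") + k for k in sorted((key_a, key_b)))
    digest = hashlib.sha256(material).digest()
    groups = (int.from_bytes(digest[i:i + 4], "big") % 100000 for i in range(0, 24, 4))
    return " ".join(f"{g:05d}" for g in groups)

class Contacts:
    """Remembers each contact's key and whether its code was checked."""
    def __init__(self, my_key: bytes):
        self.my_key = my_key
        self.seen = {}  # name -> [key, verified]

    def observe(self, name: str, key: bytes) -> str:
        entry = self.seen.get(name)
        if entry is None or entry[0] != key:
            # A new or changed key always starts out unverified.
            self.seen[name] = [key, False]
            return "new contact" if entry is None else "key changed: re-verify"
        return "verified" if entry[1] else "unverified"

    def confirm(self, name: str, code_from_contact: str) -> bool:
        """Call with the code the contact read out over another channel."""
        entry = self.seen[name]
        mine = verification_code(self.my_key, entry[0])
        entry[1] = hmac.compare_digest(mine, code_from_contact)
        return entry[1]

def demo():
    # Constructed stand-ins for public keys (hypothetical values).
    alice, bob, new_phone = (hashlib.sha256(n).digest() for n in (b"alice", b"bob", b"bob-2"))
    book = Contacts(alice)
    first = book.observe("bob", bob)
    ok = book.confirm("bob", verification_code(bob, alice))  # Bob reads his screen aloud
    steady = book.observe("bob", bob)
    changed = book.observe("bob", new_phone)  # Bob's key is suddenly different
    stale = book.confirm("bob", verification_code(bob, alice))  # old code no longer matches
    return first, ok, steady, changed, stale
```

A code that matches on both screens means both people hold the same pair of keys; a mismatch or a changed key means the conversation should not be trusted until the code is checked again.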
Chat apps equipped with identity verification include:
Chat apps with end-to-end encryption protect your message through secret keys that only you and your contact should have. If someone gets the secret keys, they can read any messages they've collected that were encrypted using those keys.
To protect against your key falling into the wrong hands, secure chat apps use "forward secrecy", which means each time a message is sent a new set of secret keys is used and old keys are deleted. This means that one set of keys can't be used to decrypt more than one message.
Chat apps equipped with forward secrecy include:
Facebook Messenger (Secret Conversations)
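Forward secrecy as described above, shown as an added example rather than any app's real protocol: each message key comes from a one-way "ratchet" step and the old key material is overwritten. The toy cipher, the `Ratchet` class and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: the output cannot be run backwards to recover `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()

class Ratchet:
    """Hash ratchet: every message gets a fresh key, then the chain moves on."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is overwritten
        return message_key

def _stream(key: bytes, n: int) -> bytes:
    blocks = (kdf(key, i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC for illustration only, not a production cipher."""
    enc, mac = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(enc, len(plaintext))))
    return ct + kdf(mac, ct)

def unseal(message_key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is the wrong one."""
    enc, mac = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(mac, ct)):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(enc, len(ct))))

def demo():
    shared = bytes(range(32))  # constructed stand-in for the secret both sides agreed on
    alice, bob = Ratchet(shared), Ratchet(shared)
    wire = [seal(alice.next_message_key(), m) for m in (b"hi", b"meet at 6", b"bye")]
    read = [unseal(bob.next_message_key(), w) for w in wire[:2]]
    # Bob's phone is lost here: whoever holds it has the recorded traffic and
    # Bob's current chain key, but the keys for messages 1 and 2 are gone.
    stolen = Ratchet(bob.chain_key).next_message_key()
    past = [unseal(stolen, w) for w in wire[:2]]
    # The stolen state still yields the *next* key, so protecting later
    # messages needs fresh key agreement on top of this ratchet.
    later = unseal(stolen, wire[2])
    return read, past, later
```

The earlier messages stay unreadable because the ratchet only moves forward; deleting old keys on the device is what makes that guarantee hold.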
Follow best practices
Engineers who design bridges or skyscrapers follow building codes that describe well known and tested methods and materials. Other engineers can review designs against building codes to ensure the building has structural integrity.
The same principles apply to secure chat apps. By following public and well-tested design patterns and protocols, apps can be more easily tested, reviewed, and we can be more confident that their designs work as intended.
Chat apps that use well known and tested protocols include
Analyzing end-to-end encryption on LINE. We analyzed how LINE performs end-to-end encrypted messaging and found that it did not use forward secrecy between the sender and receiver and had other issues that show it was not following best security practices.
Customize the Comic
Secure Your Chats comics are designed to be customized. To make this easier, we design the comics without text and then import that image into Google Drawing. These Google Drawing files then have editable text bubble areas in which new text can be added or edited.