Looking for an alternative to WhatsApp and want to know which messaging apps offer the highest level of security and privacy? Read on to find out — plus what you should consider when choosing a secure chat app. We’ve also got some tips on how to use your (messaging) apps more securely and learn how a VPN like Avira Phantom VPN can help you encrypt everything you send and receive on your mobile device — no matter which messaging service you use.
Although some of us are probably aware that we’re not using the most secure or private messaging app, many are reluctant to switch away simply because we want to be on the same platform where most of our contacts are: WhatsApp.
This messaging service is by far the most popular messaging app in most countries, although there are good WhatsApp alternatives that perform a little better in terms of privacy and data protection. That said, confusion surrounding changes to WhatsApp’s terms of use in 2021 unsettled many users. Ultimately, even the EU Commission was persuaded to intervene and an official dialog began — but more on that later.
When it comes to security, though, WhatsApp users needn’t worry. WhatsApp, like many messaging apps now, uses secure end-to-end encryption by default — unlike some apps, where turning it on is optional.
What is end-to-end encryption?
Secure messaging apps primarily use end-to-end encryption. This is an encryption method where the data is transmitted in an encrypted format throughout the transmission chain. This means that the message is encrypted on the sender’s device and only decrypted again on the recipient’s device. For this to work, keys need to be exchanged — something the user controls. This means that third parties, such as hackers, but also the service provider itself, cannot access, intercept, or modify messages.
The alternative is transport encryption. Here, however, it’s not the data itself that’s encrypted but the transmission channel over which the data is sent. With this point-to-point encryption method, the messages are forwarded across different nodes and are available at some of these points in a readable form — in other words, in plain text such as on the messaging service’s servers. This also makes these nodes a magnet for cybercriminals to launch man-in-the-middle attacks.
If you use apps which don’t offer end-to-end encryption on your mobile device and you write such things as confidential emails, we recommend using a virtual private network (VPN) like Avira Phantom VPN for Android or iOS — especially when using unsecured public Wi-Fi hotspots. That’s because although everything you send and receive between the website and your device’s browser is encrypted using the now very common communication protocol HTTPS, a VPN encrypts all of your device’s internet traffic — including that of your apps.
A VPN routes all the data traffic from your device through an encrypted tunnel to a VPN server and back again, so you can surf anonymously using that server’s IP address. In addition, no data is stored on the VPN servers. By the way, Avira Phantom VPN is not only available for mobile devices but also for Windows and Mac computers.
Current secure messaging apps
Secure instant messaging services, also known as chat apps, messaging apps, or messengers for short, use end-to-end encryption. That’s why we haven’t listed any apps that either don’t use this method or use it only selectively. The Snapchat app, for example, only uses this encryption method to share photos and videos, but not for texts and other messages.
Some messengers offer end-to-end encryption for almost all message formats, but this is not the default and you first need to turn on this feature — in some cases, even on a per-chat basis. If you don’t, you only get the protection of transport encryption. With some messengers, such as Telegram, end-to-end encryption can only be used for one-to-one chats — not for group chats.
End-to-end encryption usually doesn’t cover metadata either, which includes such things as information about the sender and recipient as well as length, date, and time of the conversation. This data sometimes reveals so much about the user that it can be used to create psychological profiles. As former NSA General Counsel Stewart Baker puts it: “Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”
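The difference between transport encryption and end-to-end encryption described above, and the metadata that stays visible either way, shown as an added example (not code from any of the messengers discussed). The names Relay, seal, unseal and run_demo are hypothetical, the end-to-end key is assumed to be already exchanged, and an HMAC-SHA256 keystream with an HMAC tag stands in for the ciphers real protocols use.

```python
import hashlib, hmac, os, time
def _subkeys(key):
    # Derive separate encryption and authentication keys from one shared key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream: a stand-in for a real AEAD cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    # Encrypt-then-MAC; output layout is nonce (16) || ciphertext || tag (32).
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message modified in transit or wrong key")
    return _xor_stream(enc, nonce, ct)

class Relay:
    """Provider's server (hypothetical). Transport encryption ends here; it logs what it can read."""
    def __init__(self, link_keys):
        self.link_keys, self.log = link_keys, []
    def forward(self, sender, recipient, wire):
        body = unseal(self.link_keys[sender], wire)  # hop 1 is decrypted on the server
        self.log.append({"from": sender, "to": recipient, "time": time.time(),
                         "size": len(body), "body": body})
        return seal(self.link_keys[recipient], body)  # re-encrypted for hop 2

def run_demo(message=b"meet at 6pm"):  # constructed sample message
    link = {"alice": os.urandom(32), "bob": os.urandom(32)}  # per-hop keys the server holds
    e2e_key = os.urandom(32)  # assumed already exchanged; only the two devices hold it
    relay = Relay(link)
    # Case 1: transport encryption only.
    hop = relay.forward("alice", "bob", seal(link["alice"], message))
    transport_only = unseal(link["bob"], hop)
    # Case 2: end-to-end ciphertext carried inside the same transport layer.
    hop = relay.forward("alice", "bob", seal(link["alice"], seal(e2e_key, message)))
    end_to_end = unseal(e2e_key, unseal(link["bob"], hop))
    # Case 3: the server alters one bit of the end-to-end ciphertext it relayed.
    altered = bytearray(relay.log[1]["body"])
    altered[20] ^= 1
    try:
        unseal(e2e_key, bytes(altered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return relay.log, transport_only, end_to_end, tamper_detected
```

In the returned log, the first entry holds the readable message, while the second holds only ciphertext yet still records sender, recipient, time and size.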
Besides technical security, the issue of data protection and data frugality plays a key role when choosing a secure chat app. This raises the question of what personal data is processed — in other words, how it is collected, shared, stored, or erased. The EU General Data Protection Regulation (GDPR) sets out not only how data is to be handled but also stipulates that users are informed about the respective purpose and scope of how their data is used and transferred and that they must agree to this.
Read on for an overview of what else you should consider when looking for a secure chat app.
Key considerations when choosing your messaging app:
- End-to-end encryption: Use it for everything (texts, photos, videos, voice messages, voice/video calls, one-to-one and group chats) and keep it on by default — including for backups.
- Privacy policy: Since the same data protection regulations do not apply in every country, you should pay attention to where the company headquarters or server location of the messaging service is and whether it has an appropriate level of data protection in the EU.
- Data collection and transfer: Find out how the chat app processes your personal data and whether it’s shared with third parties — such as for advertising purposes.
- Transparency: Is the messaging app open source? Because open-source code can be viewed by everyone, the community can discover security holes and vulnerabilities, and the provider can close them more quickly. Some messaging services publish the API, protocol, and server code, while others disclose the source code only partially or not at all.
- Anonymity: If you want to remain anonymous to the app provider, your options are truly limited. That’s because you typically have to give personal information such as your mobile number or email address to use messaging apps. One option is Threema, where users are assigned a randomly generated ID for identification purposes.
- Additional protections: Find out whether the chat app offers additional protection features, such as a lock function, two-factor authentication (2FA), auto-deleting messages, and so on.
The best of the current crop of encrypted messaging apps — from WhatsApp to other secure alternatives
Our rundown focuses purely on secure messaging services that offer end-to-end encryption of all your message formats and chats (one-to-one and group chats) by default — something you don’t get with Facebook Messenger, Skype, Snapchat, and Telegram. We also limit the list to chat apps that run on both Android and iOS devices — which is why iMessage and Google Messages don’t make the cut.
In addition, we only describe features here relevant to your security and privacy — although other aspects such as user-friendliness, scope of functions, and popularity are also deciding factors. Speaking of popularity, let’s first take a look at the highly popular messenger WhatsApp.
WhatsApp — better than its reputation
When it comes to data protection, the popular messenger WhatsApp, which is widely used around the world, has made improvements after criticism from many quarters. Meta, the owner of both WhatsApp and Facebook, has now committed to comply with EU regulations.
Following discussions with the EU Commission and EU consumer protection authorities, the company has committed to greater transparency in its terms of use. The Consumer Protection Cooperation Network will now actively monitor how these commitments made in March 2023 are implemented.
Since June 2023, WhatsApp has also included a privacy checkup with which you can adjust various privacy settings.
- Company: WhatsApp/Meta Platforms based in the USA
+ End-to-end encryption: On by default, also offered for backups (on Google Drive and iCloud)
+ Privacy policy: Stricter regulations for users in the European Union
- Data collection and transfer:
– Stores a relatively large amount of metadata like device and connection data, general location information, and usage information (time, frequency, and duration of interactions)
+ No sharing of personal data
– Temporarily stores messages on servers and deletes them after successful delivery; if the other user cannot be reached, messages are deleted after 30 days
– Transparency: Closed source
– Anonymity: Mobile number required to register
+ Additional protections: Two-factor authentication (2FA), screen lock, auto-deleting messages
Signal — one of the most secure messengers
Signal is considered one of the most secure messaging apps and is a good alternative to WhatsApp. The app, initially developed by Open Whisper Systems, was recommended not only by Edward Snowden but also by the European Commission in 2020. It is financed in part by donations and is known for its data frugality and zero-knowledge principle. This means that the operator has no access to user data.
Signal is also the owner of the encryption software, which is now also used by WhatsApp, Skype, and Facebook Messenger.
- Company: Signal Foundation based in the USA
+ End-to-end encryption: On by default; encrypted backups for Android offered (stored on the device)
+ Privacy policy: Meets GDPR requirements
- Data collection and transfer:
+ Only stores metadata required for functionality, call set up, and data transfer, deleting it once a message is delivered
+ No sharing of personal data
+ Does not store messages on servers
+ Transparency: Completely open source (client and server)
– Anonymity: Mobile number required for registration
+ Additional protections: Optional registration lock by Signal PIN, screen lock, auto-deleting messages
Threema — anonymous and private
If you value your privacy, Threema is perfect for you. That’s because you don’t use your mobile number for identification, but a Threema ID — a randomly generated eight-digit character string that gives nothing away about your identity. Linking your Threema ID with a mobile number or email address is optional, which is how Threema can be used completely anonymously.
The app also scores points thanks to its additional privacy settings. Among other things, you can use it without the app reading your address book, plus you can turn off read receipts and typing indicators. In addition, your online/offline status isn’t displayed either.
However, there’s one small catch: The app costs a small one-time fee to install.
- Company: Threema GmbH based in Switzerland
+ End-to-end encryption: On by default; encrypted backups offered for Android (stored on the device) and for iOS (using iTunes); Threema Safe: Encrypted, anonymous data backups on the device, the Threema server, or another server of your choice (including without chat histories)
+ Privacy policy: Meets GDPR requirements and is subject to the Swiss Data Protection Act (DSG), which in September 2023, with the introduction of the new Data Protection Act (nDSG), was even more closely aligned with the GDPR.
- Data collection and transfer:
+ Only stores metadata required for functionality, call set up, and data transfer, deleting it once a message is delivered
+ No sharing of personal data
– Temporarily stores messages on servers and deletes them after successful delivery; if the other user cannot be reached, messages are deleted after 14 days
+ Transparency: Partially open source (client only; proprietary server)
+ Anonymity: No personal data required; Threema ID used for registration
+ Additional protections: Screen lock for private chats
Wire — just average
Wire was also developed in Switzerland, but performs slightly worse overall than Threema. That’s because the operators are now concentrating more on their paid version for companies and authorities.
Wire uses the Proteus protocol: A proprietary implementation of the Signal protocol.
- Company: Wire Swiss GmbH based in Switzerland/Wire Group Holdings GmbH based in Germany
+ End-to-end encryption: On by default; unencrypted backups for Android and encrypted backups for iOS offered on the device
+ Privacy policy: Meets GDPR requirements and is subject to the Swiss Data Protection Act (DSG), which in September 2023, with the introduction of the new Data Protection Act (nDSG), was even more closely aligned with the GDPR.
- Data collection and transfer:
– Stores metadata
+ No sharing of personal data
– Temporarily stores messages on servers and deletes them after successful delivery; if the other user cannot be reached, messages are deleted after 30 days
+ Transparency: Completely open source (client and server)
– Anonymity: Mobile number required to register
+ Additional protections: Screen lock, auto-deleting messages
ginlo — security & privacy made in Germany
ginlo’s servers are located in Germany, which is of course a big advantage thanks to the country’s strong stance on privacy. In addition, ginlo goes one step further compared to other messengers, also encrypting the data on the device and offering anonymous communication.
ginlo additionally offers a paid-for business version.
- Company: ginlo.net GmbH based in Germany
+ End-to-end encryption: On by default; additional local encryption on the device; encrypted backups offered for Android (on the device) and iOS (on iCloud)
+ Privacy policy: Subject to GDPR
- Data collection and transfer:
– Stores metadata
+ No sharing of personal data
– Saves messages on servers and deletes them 30 days after sending
+ Transparency: Partly open source (client only)
+ Anonymity: Email address or mobile number required to register, except when invited through ginlo now! by QR code; all users receive a ginlo ID with which they can communicate anonymously
+ Additional protections: Mandatory protection via password or numeric code for log in (optional) & encryption, screen lock, auto-deleting messages
Tips on how to use messaging apps more securely
Regardless of what measures the various messaging services take (or not) to protect your chats, data, and privacy, to some degree you are responsible for your own security. With these tips and tricks you’ll not only protect your chat app but also your other apps.
- Check access rights: We all know it makes life so much easier if your messaging app accesses your contacts, photos, and camera. However, some apps (and not just chat apps) access features and data that are not absolutely necessary for the app to function. The permissions manager of Avira Antivirus Security shows you which apps access which information and device features.
- Use two-factor authentication: Two-factor authentication (2FA) is a good way to strengthen the security of your messenger account — and is definitely something you should turn on, if possible. Avira Password Manager for mobile devices helps you create and store super-strong passwords. Plus, thanks to the built-in authenticator, you can also use it as an authentication app.
- Use the lock feature/access lock: Some messaging apps offer a lock feature to block others from accessing them should you ever just leave your device lying around. Avira Antivirus Security includes an app lock function. This allows you to set a PIN code to protect apps which don’t have their own lock feature from unauthorized access.
- Update your device regularly: Since security holes are often closed by installing the latest updates, you should update your apps regularly — same goes for your Android or iOS software.
- Secure backup storage: Make sure the messaging app also offers end-to-end encryption for your chat backups. Or make sure you use end-to-end encryption when backing up to iCloud.
- Beware of spoof apps: The more widespread a chat app is, the more attractive it becomes for cybercriminals to spoof it. Fake versions of popular messaging apps keep popping up, which may contain malware or other nasties. Find out here how you can spot spoof apps.
- Be careful with browser editions: Some messenger providers also provide browser editions and/or web applications in the form of desktop apps. Some work standalone (like Facebook Messenger), while others are linked to your smartphone (like WhatsApp Web and Signal Web). When using the browser edition, be sure you don’t accidentally end up on a bogus website and become a victim of phishing scammers. The all-in-one solution Avira Free Security for Mac and Windows computers offers antivirus protection as well as the Avira Browser Safety extension to block phishing websites.
- Watch out for signs of hacking: Learn more about phone hacking so you can better protect yourself against cyberattacks and act quickly if in doubt.
- Install an antivirus protection or security app: You should definitely arm your Android device with protection against mobile threats with a solution like Avira Antivirus Security. For iOS devices, we recommend the app Avira Mobile Security, which also offers various protection features. By the way, both apps also include a VPN — which brings us neatly to our final security tip.
- Use a VPN: As mentioned, you should encrypt all the data you send and receive online using a VPN — especially when on unsecured public Wi-Fi hotspots.