At MIT's Day of Action, Nathan Freitas of Guardian Project led a workshop on mobile security for activists, focusing on various secure messaging apps available today, touching on their benefits and risks for different kinds of activities and communities.
Common messaging apps (and their secure setting)
- Conversations (default, can also interface with other secure XMPP apps like ChatSecure and Zom)
- Facebook Messenger (secret conversations setting)
- iMessage (only for messages to other iPhone/iMessage users, i.e. "blue" messages)
- Signal (default)
- WhatsApp (default)
All of these apps transfer messages over the internet via your data plan. SMS messages are never encrypted and can also be seen by your telephone company, which is particularly insecure because metadata from phone companies can be acquired without a warrant. By contrast, internet-based messaging apps can be secured with "end-to-end" encryption when their secure settings are used. This means that messages are encrypted and then conveyed over encrypted connections (HTTPS/TLS) between phones and servers.
It's important to understand what each service knows about its users and what it stores. This may include:
- When you are connected to the internet
- Your phone number for user identity purposes (thus, they can look up your name at the phone company)
- Your network of friends, IF you uploaded your contact book
Because of end-to-end encryption, these companies generally don't have access to your messages unless you are using them on an insecure setting, like green messages on iMessage (actually sent by SMS) or non-secret Facebook Messenger messages. Because of this, companies under subpoena can only provide metadata, not the messages themselves.