LuxSci

Encrypted Messaging App: A Comparison of the Top 7 Apps

Published: October 20th, 2017

An encrypted messaging app ensures that real-time communication is secure. Compare the security features of top apps and know your alternatives.

The need for encrypted messaging apps continues to climb, especially after the shocking revelations by Edward Snowden. Instant messaging (IM) offers a more convenient and more real-time mode of communication compared to email. Moreover, IM is better than SMS (regular texting) when it comes to security.

Encrypted Messaging Apps: How Secure Are They?

However, not all the messaging apps are created equal. In fact, the level of security varies significantly among the available apps. You ned to be able to differentiate a great encrypted messaging app from a merely good one. If you are looking for an encrypted messaging app for health information exchange, HIPAA-compliance should be your first priority.

This article compares the features, particularly the degree of security, among the top encrypted messaging apps. Also, you will learn what other options are available.

What is an Encrypted Messaging App?

An encrypted messaging app is a mobile application that ensures that the messages you exchange with employees, clients, and coworkers are safe and less vulnerable to attacks. It works by encrypting your messages before they are sent and decrypting them on arrival.

As a matter of fact, encrypted messages are undecipherable to anyone except the intended recipients. Such a security feature protects the messages from interception in case an unauthorized person intercepts the messages en route to the recipients.

Some apps also have a “self-destruct” functionality which destroys the messages shortly after they have been read.

Why Do You Need an Encrypted Messaging App?

The simplest answer is: good old SMS/texting is not secure. It is quite simple for an attacker anywhere in the world to read, modify, and send forged SMS messages.

The messages you send or receive via SMS are generally not encrypted, remain on the servers of telecommunication providers for an indefinite time, and can be stored by these providers forever. Similarly, the users’ phones retain copies of these messages until explicitly deleted.

Another reason for increased vulnerability to attacks is that you cannot be sure if the “right” recipient has read your message. All these factors make SMS an easy target for the hackers. Consequently, you will have to rely on an encrypted messaging app to ensure that the safety of the information.

How Do Top 7 IM Apps Perform on Security?

Security comes first, no matter which app you are using. “Encryption” is just one of general aspects of secure communication. In fact, other aspects such as the specific type of encryption used, the authentication protocol, identity verification, and self-destruction (of the messages) are also crucial to privacy and security.

Here, we look at the performance of the top IM apps based on the security parameters mentioned above.

IM App Type of Encryption Authentication Identity Verification Message Self-destruction?
Apple iMessage End-to-End Encryption Two-Factor Authentication Two-Step Verification Yes
What’s App End-to-end Encryption Two-Factor Authentication Two-Step Verification (Optional) Yes
Slack Encryption at rest and in transit Two-Factor Authentication  

Verification Code

 Yes
Facebook Messenger (Secret Conversation) End-to-end Encryption Two-Factor Authentication Instant Verification Yes
ClearChat End-to-end Encryption Multi-factor Authentication Verification Feature Yes
Signal (Previously TextSecure Private Messenger)  

End-to-end Encryption

 

Two-Factor Authentication

Verification Code  

Yes

Telegram (Secret Chat) Symmetric AES Encryption SMS-based single-factor authentication (Default)  

Two-Step Verification

 

Yes

 

End-to-End Encryption (E2EE) is a high-level security measure in which no one except the sender and receiver can read the message. Simply put, the information is encrypted during storage, transmission or elsewhere with virtually no chance of decryption. It uses asymmetric encryption, which means each communicating party has two keys: a public key and a private key. To decrypt a message, one needs the private key. However, the private key is not available to anyone except the owner. You may also call E2EE a “trust no one” approach, because you do not have to trust the application provider or the anyone else to protect the security of the data transmitted.

Note that end-to-end encryption can be a major hurdle in obtaining HIPAA compliance as HIPAA requires both emergency access to PHI and backups of messages sent containing PHI, which is not directly granted by this method of communication.

The separate encryption at rest and in transit used by Slack is another implementation in which the data is encrypted during storage in a device or network, and while being transferred from one network to another, but not when received/processed by Slack. The lack of end-to-end encryption often makes Slack more vulnerable to cyber-attacks.

In the Symmetric AES Encryption used by Telegram, a single key can encrypt and decrypt the data.

Two-factor authentication (2FA) requires an extra credential (apart from the username and password) to log in. It could be a code sent to you on your mobile phone, a fingerprint or voice print. Undoubtedly, 2FA adds another layer of security while logging in an app.

Different Apps for HIPAA and High Security

What about HIPAA Compliance for an Encrypted Messaging App?

HIPAA compliance is mandatory for any encrypted messaging app when it involves the storage or transmission of electronically protected health information (ePHI) in the USA. Unfortunately, not a single app listed above seems to fully comply with the HIPAA requirements.

In order to become HIPAA-compliant, the encrypted messaging app vendor needs to sign a HIPAA Business Associate Agreement (BAA) with you. The HIPAA Rules require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.  Additionally, many of these encrypted messaging apps fall short in terms of other requirements of HIPAA:

  • Visible audit trails of activity and access to PHI
  • Retention of records and logs
  • Administrative control panels for oversight, access control, and reporting
  • Remote logoff and auto-logoff
  • User-level logging and reporting rools
  • Backups of conversations for 6+years
  • Emergency administrative access to conversations

Clearly, the extreme privacy that many of these apps provide actually flies counter to the business requirements for medical privacy, accountability, and business continuity.  They are actually two completely different use cases — trust-no-one privacy on the one extreme and medical privacy and business continuity on the other.  For this reason, the most appropriate applications for each use case will likely always be very different.

Looking for a HIPAA-compliant Encrypted Messaging App?

Consider using LuxSci SecureChat. SecureChat offers unparalleled data security, complies with HIPAA requirements, and provides you with a HIPAA BAA. You can use it on your mobile phone or a computer without having to worry about stepping out of the bounds of compliance. Moreover, it is highly efficient and reduces doctor’s response times from hours to minutes. Read details here.

Sign up for a Free Trial of SecureChat.

2 Responses to “Encrypted Messaging App: A Comparison of the Top 7 Apps”

  1. Peter Douglas CAIA Says:

    Very useful, thanks. Would be really interesting to include the other major apps (WeChat, Line, and possibly Band). I’d have thought that WeChat and Line would for sure make it to the top 7, no?

  2. Erik Kangas Says:

    Thanks, Peter, for reading this blog. We may look into these apps for a future post.

Leave a Comment


You must be connected or logged in to post a comment. This is to reduce spam comments.

If you have not previously commented, you can connect using existing social media account, or register with a new username and password.