How to compare the best private chat apps

In order to make a fair comparison, we're going to focus on five main points:

1. End-to-end encryption (E2EE)
2. Self-destructing messages
3. Types of data collected
4. Sign-up requirements
5. Data security track record

#1 End-to-end encryption

The first feature we're looking for in a secure messaging app is end-to-end encryption (E2EE). E2EE is a technology that protects private chat messages while in transit and at rest. It means that only the sender and the intended recipient(s) have the ability to read messages. Not even the service provider can access the content, which also means that no third-party, law enforcement, or authoritarian governments can either.

#2 Self-destructing messages

Disappearing messages might sound like a design flaw, but not if you're privacy-concerned. A message self-destruct function embedded into encrypted chat apps means that messages will disappear after a set period of time. This function won't just delete the messages from your device but also from any server or storage. Once they're gone, they're gone for everyone.

#3 Types of data collected

Secure messaging apps can still collect data about you even if it uses E2EE. How much data of course will vary from app to app. The data or “metadata“ can include information such as:

• Basic user information and account settings
• Phone number and email address
• Contact list
• IP addresses
• Messages' timestamp
• Users you've blocked
• Who you talk to and for how long

#4 Sign-up requirements

The next thing you need to consider when choosing the best private chat app is how much personal data it requires before you to use it. Does it allow you to sign up to the app anonymously or do you have to hand over your name and personal phone number?

#5 Data security track record

Before you sign up for a particular encrypted chat app, it pays to do a little research. What's their track record like when it comes to keeping customer data safe and secure? Have they ever experienced a data breach? How bad was it and how did they respond?

So now we know what to look for, let's compare the best private chat apps on the market.

Signal

Messaging app Signal is brought to you by the Signal Foundation, a non-profit organization dedicated to open-source privacy technology. The foundation was formed by entrepreneur Moxie Marlinspike and WhatsApp co-founder Brian Acton, who incidentally left the rival messaging app after it was bought over by Facebook.

Launched in 2015, Signal has long been the top choice of encrypted chat apps for activists, the hacker community, and the privacy concerned. But its popularity spiked in 2021 after WhatsApp announced changes to its privacy policy detailing its data-sharing intentions. In fact, that year Signal saw a 468% increase in downloads bringing them to approximately 40 million active users.

So, what brought all the users to the Signal yard?

Signal: End-to-end encryption?

With Signal, end-to-end encryption is not an option, it is part of its DNA. It is built on the Signal Protocol, which was developed by Marlinspike in 2013 and has since become the gold standard of encryption for messaging apps.

Signal Protocol uses Perfect Forward Secrecy (PFS), a feature that creates a new key for every message. This means that if one key is compromised, the only thing a hacker could see would be the last message you sent. They won't be able to use the compromised key to crack any past or future messages.

The other good thing about Signal's encryption is that its source code is publicly available. This means experts have been able to scrutinize it for years, strengthening it as they go.

Signal: Self-destructing messages?

With some other encrypted chat apps, you have to enable disappearing messages on individual chats, but Signal allows you to enable the function on all new chats by default.

Go to Settings > Privacy > Default Timer for New Chats.

Then select the time period for “self-destruct”.

The preset options range from 30 seconds to four weeks but you also have the option to customize it.

Signal: Type of data collected

One of the big selling points for Signal is that it is from a non-profit entity that has no incentive to track users for advertising. The encrypted chat app has been specifically designed not to collect or store any sensitive data. And what it can't collect, it can't sell, rent or monetize...which is why it has earned its place on our list of best private chat apps!

Signal: Sign-up requirements

However, Signal still needs some personal data to create an account. (BTW, Hoody doesn't. We will never ask for your name, email, or phone number EVER).

When downloading the Signal app, you'll be asked to register your phone number. They require this data to provide their service. After that, you can choose whether or not to add other information to your account, such as a profile name and profile picture.

Signal: Data breach track record

Of course, no encrypted chat app is completely invincible. There are always going to be weak links somewhere along the communication chain. For Signal that weak link came in the form of Twilio, the communications firm used by Signal to verify users' phone numbers and send the SMS registration codes.

In August 2022, almost 2000 Signal users had their phone numbers and SMS registration codes exposed when Twilio was breached by a successful phishing campaign. Although no other data was leaked, it was potentially enough to activate a victim's Signal account on another hacker-controlled device.

Session

Session is considered to be a “fork” of Signal and although there are foundational and functional similarities, there are also fundamental differences between the two.

Where Signal is a secure centralized messaging app, Session is described as an anonymous, private, and decentralized messaging app.

Session is built on the Oxen blockchain, utilizing a network of decentralized storage nodes and onion routing protocol (just like the TOR browser) to relay end-to-end encrypted messages. If you want to get all super technical about it, then you can check out the Session whitepaper.

But to keep it simple, Session is:

“...an end-to-end encrypted messenger that minimizes sensitive metadata, designed and built for people who want absolute privacy and freedom from any form of surveillance.” - Session

With 100,000 users, Session doesn't quite have the same user network as the options on our list of the best private chat apps. But it is still a popular choice for activists, journalists, human rights defenders, and regular users deeply concerned about surveillance and privacy.

Session: End-to-end encryption?

Session started out using the Signal Protocol and making it work for the decentralized network. But in 2020, they decided they needed a more purpose-built solution and in 2021, Session started to implement a bespoke blockchain-friendly protocol, the Session Protocol.

The Session Protocol is built using Libsodium, an open-source and highly tested, widely used, and highly-regarded crypto library.

In a nutshell, Session does use end-to-end encryption for its chat messages, audio messages, gifs, files, and photos (voice and video calls are still only in Beta).

Session: Self-destructing messages?

Session also has a disappearing messages function which can be turned on via the Settings tab. It will turn on this function for both you and the recipient.

Session: Type of data collected

In Session's case, this is a pretty easy section. They don't collect much of anything which is summed up in their brand slogan: Send (Encrypted) messages. Not Metadata.

Session's infrastructure is designed in such a way that it can't collect data such as IP address, geolocation data, metadata, or any other details about your device or network. Because Session uses onion requests to send messages instead of central servers, they are unable to know when messages were sent, or who to.

Session: Sign-up requirements?

Session's sign-up requirements, or lack thereof, secure them a place on the best private chat apps list. Session doesn't require or ask you for your email address or phone number in order to create an account. Instead, the encrypted chat app generates a random Session ID that is made up of pseudonymous public-private key pairs that have no connection to any personal information.

Session: Data security track record

This is not so much a past issue but a possible future one. Session is developed in Australia where the government has a particular anti-encryption stance and introduced a bill that could threaten Session, its users, and their privacy.

However, Session isn't worried...

Image Source: Session FAQs

WhatsApp

WhatsApp was founded in 2009 by two former Yahoo! employees and sold to Facebook (now Meta) ten years later for a whopping $19 billion.

With roughly 2 billion active users worldwide, Whatsapp is one of the most popular encrypted chat apps. Its popularity is also a plus point since most of your contacts are probably already using it.

That said, Facebook's less-than-stellar reputation with user data has raised concerns over how secure WhatsApp really is.

Let's take a look to see if they live up to their marketing slogan of “Message Privately. Speak Freely.”

WhatsApp: End-to-end encryption?

WhatsApp was one of the first messaging apps to offer end-to-end encryption as default, having implemented it in 2016. All of your content including messages (text or voice), photos, videos, status updates, and calls for both individual and group chats are all secured using the open-source Signal Protocol. WhatsApp also extends end-to-end encryption to backups. Users can add E2EE to their iCloud and Google Drive backups.

WhatsApp: Self-destructing messages?

WhatsApp allows users to enable disappearing messages with different time periods. You can choose to have messages disappear after 24 hours, 7 days, or 90 days after the sent time. Your selection will only control new messages in the chat.

To turn on disappearing messages for all new individual chats go to Settings > Account > Privacy > Default message timer. From there you can select a deletion duration.

Keep in mind that by default, media sent to your WhatsApp account is downloaded to your device's photos gallery. If you turn on disappearing messages, media in the chat will disappear but will still be saved on the phone if you still have auto-download on. You can turn this function off by going to WhatsApp Settings > Storage and Data.

WhatsApp: Type of data collected

If you want to know exactly what data WhatsApp knows about you, you can request a report. Go to WhatsApp Settings > Account > Request Account Info.

Your report will be available within approximately three days. But if you're pushed for time, then here is a summary of the details found in the report:

• Your phone number
• IP addresses used
• Your device details
• Your profile picture
• Contacts' phone numbers
• Any WhatsApp groups you're a member of
• Blocked contacts

But WhatsApp also collects information on your app usage. These performance logs store information on details like when you log in, how frequently, duration, and how you interact with others using the service.

For a full breakdown of what data WhatsApp collects, how it's used, and who they share it with, visit the WhatsApp Privacy Policy.

WhatsApp: Sign-up requirements?

Unfortunately, anonymous sign-up isn't possible with WhatsApp. In order to use WhatsApp services, you have to provide a mobile number and a profile name. Without these details, you can't create an account.

WhatsApp: Data security track record

WhatsApp holds a record for receiving the 2nd largest fine for breaching Europe's strict GDPR rules. The messaging service's Dublin-based subsidiary was fined €225m ($267 million) by Ireland's Data Protection Commission (DPC) in September 2021 for not being transparent enough about how it handled user data.

In 2019, WhatsApp discovered a vulnerability that allowed cyber-attackers to install spyware on certain WhatsApp users' devices. The attack targeted more than 100 human rights campaigners, pro-democracy activists, journalists, and academics.

Telegram

The last, but by no means least on our list of the best private chat apps, is Telegram. Telegram is a popular multi-platform messaging app with an estimated 550 million monthly active users. Founded by Russian entrepreneur Pavel Durov, Telegram was first rolled out on iOS and Android in 2013.

It has pretty much the same core functionality as most other encrypted chat apps on our list with the added benefit that it isn't controlled by any big tech entities. These are just some of the reasons why it's a favorite of security and privacy geeks. But what else is it about Telegram that tickles their fancy?

Telegram: End-to-end encryption?

Although Telegram claims to be an end-to-end encrypted messaging app, E2EE isn't on by default for all messages and is only available for Secret Chats.

Regular chats only use server-client encryption in transit. They are also encrypted in cloud storage but it does still mean that regular chat messages are technically visible to Telegram.

Secret Chats offer a much better level of protection— messages from Secret Chats can't be forwarded, screenshots are disabled, and disappearing messages can also be turned on.

To start a secret chat in Telegram, click on the contact you wish to start a conversation with. Open their profile and click on the three vertical dots on the right-hand side. Then select Start Secret Chat.

It's also worth mentioning that Telegram has developed its own encryption protocol called MTProto 2.0 which is open-source on the client side.

It brings to mind a popular phrase: Don't roll your own crypto.

Which basically means you don't write your own encryption algorithms. Homemade encryption is generally never as strong as one that has been seriously scrutinized by many other experts.

Telegram: Self-destructing messages?

As we've just seen, disappearing messages are only available in Telegram's Secret Chat function. Users can set a Self-Destruct Timer by tapping the clock icon located in the input field for iOS users or the top bar for Android.

Then select the desired time limit. The clock starts counting down from the moment the message gets its two tick points, meaning it has been displayed on the recipient's screen.

Telegram: Type of data collected

According to Telegram's Privacy Policy, the messaging app only collects your mobile number, and basic account data, such as your profile name, profile picture, and about information if you wish to include it. But it will also collect your email if you enable 2-step verification.

It has access to your contacts list but you can choose to stop syncing your contacts at any time via Settings.

Telegram also collects metadata such as IP address, the devices you use and Telegram apps, and groups you've joined. It keeps this data for a maximum of 12 months.

Other behavioral metadata is also collected to provide certain features like suggesting frequent contacts. You can turn this off via the Privacy & Security tab.

When it comes to cookies, Telegram only collects cookies necessary to operate and provide their services and not for profiling or advertising.

Telegram: Sign-up requirements

To create a Telegram account you need to provide a mobile number and basic account data such as a profile name...which by the way, doesn't have to be your real name. You also don't need to find age, gender, or provide any info on interests.

Telegram: Data breach track record

Telegram has long declared that they have never disclosed any data to third parties, including governments. However, a recent report by German news site Der Spiegel claims that they have, and on multiple occasions.

The data handovers are said to have been in response to data requests from Germany's Federal Criminal Police Office concerning terrorist activity and child abuse. However, Telegram's stance is complete denial and still standing by its zero bytes disclosure claim.

Summing up the best private chat apps

The best private chat app will depend on your personal circumstances and what is important to you. Here are the encrypted chat apps' pros and cons and our recommendation for who each messaging app is best for.

Safely use encrypted chat apps

Whether you're a political activist planning a protest, a journalist wanting to protect their sources, or a lover wanting to safely share some intimate texts, encrypted chat apps are key to private communication.

However, don't assume automatic privacy just from using a downloaded messaging app— no matter how good the encryption is. The best approach to privacy and security is always a multi-layered one.

So with that in mind, here are a few other safety precautions to take while using your chosen encrypted chat apps.

Use a VPN: Virtual private networks can hide your IP address which can help secure conversations on messaging apps that may collect it as part of their data stores.

Avoid public Wi-Fi: Public Wi-Fi networks are usually unsecured which makes it easy for bad actors to intercept your internet traffic including your private conversations.

Use two-factor authentication: Two-factor authentication (2FA) can give an extra layer of security to your messaging app account.

Keep software updated: Operating systems and apps should be kept up-to-date to avoid any security patches.

Use Hoody: Hoody app is designed so that it can't collect any user data and protects your data from all website tracking techniques, including digital fingerprinting.

To learn more about how you can keep your private data safe and secure check out more articles from the Hoody Privacy Hub.