Secure text messaging

The EFF (Electronic Frontier Foundation) did a little research into how secure various texting apps are. They published the results today. Here’s a chart with all of the researched apps and the seven points they looked into: https://www.eff.org/secure-messaging-scorecard

The accompanying article is here: https://www.eff.org/press/releases/which-messaging-technologies-are-truly-safe-and-secure

Thought this might be of interest to some of you

9 Likes

One of the few messaging apps that got all tags green is ChatSecure, directly available through F-Droid without G.Apps.
Installs fluently (seems to autolaunch at startup), not tested really for now.
Only uses the google chat account apparently…
(edit) From the same “all green tags” list, Redphone and Textsecure also can be installed, from the google app store. Trying, but not tested yet.

Thanks for the link! Did not see this before.

I’m using both TextSecure (mainly for SMS) and Threema, and both have a nice look and feel. Can recommend both. (However, you won’t find them on F-Droid, and both rely on Google Cloud Messaging, for now. At least, TextSecure is [audited][1] open source. Threema is closed source, but as far as I know their servers are not based in the US.)
[1]: http://www.theregister.co.uk/2014/11/03/how_secure_is_textsecure_pretty_well_secure/

Thanks for posting this. Really useful information. I’m going to have a look at textsecure.

The biggest issue in switching is a practical one: I’d need to convince all my friends and family to adopt something like TextSecure while they’re most likely using WhatsApp, Skype, Facebook messenger and regular SMS as well. Few people will see the advantage of installing yet another app just so they can communicate with one person, who happens to be available through those other messaging solutions as well.

3 Likes

ChatSecure (not to be confused with TextSecure) is a Jabber / XMPP-client with OTR encryption support. One large problem with XMPP is that it does not support asynchronous encrypted messaging. Both parties have to be “online” for an OTR session to be established. Especially in the mobile world, this is a showstopper.

3 Likes

I honestly don’t know how this fact could be relevant when choosing a messaging application. If you want secure messaging, I see two possibilities.

The first one is: You can trust the transport because it is physically under your control (e.g. you own the server).
This is clearly not the case for Threema: Their server code isn’t available, you can’t set up your own server - and even if you could, it would be of very limited use, because their protocol isn’t federated (your users would be unable to talk to other servers’ users).
So: Regardless of where their servers are based, they are not under your control - unless you work as their server administrator.

The second possibility is: The protocol is designed in such a way that the transport, for example Google’s Cloud Messaging service, doesn’t have to be trusted for the messages to be secure (and the implementation of this protocol can be checked for correctness).

1 Like
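As an added illustration of the two points raised above (this is example code written for this thread, not code from ChatSecure, TextSecure or any other project): an OTR-style session over XMPP needs both parties online to exchange Diffie-Hellman values, whereas a prekey design, as used by the TextSecure V2 protocol, lets the recipient leave a public value on the server so the sender can finish key agreement while the recipient is offline; in both designs the relay only ever handles public values and ciphertext. The DH group is a toy 61-bit modulus chosen for readability (an assumption, not secure), and prekey signatures and identity keys are left out.

```python
import hashlib, hmac, secrets

P = (1 << 61) - 1   # toy modulus for readability; real systems use ~2048-bit groups or curves
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    # Diffie-Hellman shared secret, hashed down to a 32-byte message key
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(8, "big")).digest()

def xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream; XOR is its own inverse
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Relay:
    """Untrusted transport: holds public prekeys and ciphertext, never a private key or plaintext."""
    def __init__(self):
        self.prekeys, self.inbox = {}, {}

def otr_style_session(bob_online):
    """Synchronous DH as in OTR over XMPP: Bob must answer in real time."""
    a_priv, a_pub = keypair()
    if not bob_online:
        return None                    # no DH reply, so no session and no message
    b_priv, b_pub = keypair()
    return derive_key(a_priv, b_pub) == derive_key(b_priv, a_pub)

def prekey_session(relay, plaintext):
    """Asynchronous DH: Bob leaves a prekey on the relay, then goes offline."""
    b_priv, b_pub = keypair()
    relay.prekeys["bob"] = b_pub       # only the public value is uploaded
    # Alice, with Bob offline, completes DH against the prekey and sends
    a_priv, a_pub = keypair()
    nonce = secrets.token_bytes(16)
    ct = xor_stream(derive_key(a_priv, relay.prekeys["bob"]), nonce, plaintext)
    relay.inbox["bob"] = (a_pub, nonce, ct)
    # Later Bob comes online, fetches the envelope and derives the same key
    a_pub2, nonce2, ct2 = relay.inbox["bob"]
    recovered = xor_stream(derive_key(b_priv, a_pub2), nonce2, ct2)
    return recovered, ct2              # ct2 is all the relay ever stored
```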

US law allows government much more power in requesting data.

Hmm, some people just feel better because of this. That’s why dl numbers went through the roof after PRISM hit the fan, and people heard of National Security Letters and suchlike for the first time.

But let’s not derail this discussion further: what you said is perfectly sensible. I did not intend to mislead anyone.

In Germany, all your servers can be seized for as little as some anonymous user posting something on your website. I don’t think this is actually compliant with German law, but you get the point. Having to trust some government and its institutions to 1) follow the law and 2) not to change the law in a way you don’t like at some point in the future is a suboptimal situation :wink:

Sorry if my post sounded too harsh. No offense meant!

This ain’t the case with any messaging services, unless you build your own (good luck getting people to use it).
100% secure is a pipe dream anyway. The best way to deal with this is to always be aware that the Internet is a wild west, and anything going over it cannot be protected or trusted entirely. Quite a few female celebrities have come to realize this recently :wink:

ChatSecure can use a custom XMPP server, not only Gtalk. Don’t fill the google account form and go to next step (drag left, if I remember well).

1 Like

I use Xabber as chat client. No need to convince anyone to change their networks, but still capable of encryption (even OTR). And as I am not to force anyone to change his network, I insist on encryption for various types of exchanging information.

TextSecure has a quite clever approach towards this as it is a replacement for your SMS messenger. So even if you have no friends using TextSecure, you would still have a working SMS app.

I personally don’t trust any closed source program with private information. That’s why Threema is no option for me. I also regard the location of their servers as irrelevant. If some of the data that are stored on the server would reveal more than what can easily be found out by just looking at your metadata, then the program in terms of privacy is seriously flawed.
Other than that I don’t trust any secret service be it in Switzerland, the US or elsewhere with having a decent idea of the protection of privacy and laws as well as basic human rights. But that’s just my 2 cents.

[Heml.is][1] could also turn out to be interesting - currently in private beta, made by Peter Sunde (@brokep) among others, one of the founders of The Pirate Bay, Flattr, Ipredator and lots of other interesting stuff.
“Hemlis” means “secret” in Swedish.

Although, as @humorkritik pointed out to me, this is by no means a finished product (and who knows if it ever will be) and they don’t actually inspire that much faith in how secure it actually will be in the end. I thought I’d just mention it all the same as something maybe worth keeping an eye on for future developments.
[1]: https://heml.is

heml.is is not yet open source :frowning: so, I cannot trust in it.

With a federated protocol like XMPP or the TextSecure V2 protocol, you can set up and run your own server that is part of a large network, just like everyone can host a mail server. There are for example many universities hosting XMPP servers.

Sure, but can you trust the software if you haven’t reviewed the code and compiled it yourself?

You can with both examples.