Secure Messaging#

Reference of end-to-end encrypted messaging applications, the underlying protocols, and the threat models they cover (and don’t). Operator concerns are usually metadata, key verification, multi-device sync, group MLS support, and forced-update / key-rotation behavior during account compromise.

For broader cryptographic context, see Cryptographic Primitives. For threat actors who target messaging compromise, see Hacker Groups.

End-to-end encrypted apps#

App

Protocol

Org

Notes

Signal

Signal

Signal Found.

Reference E2EE; X3DH + Double Ratchet; Sealed Sender; private contact discovery; phone-number-based; group MLS in progress.

WhatsApp

Signal Protocol

Meta

~3B users; metadata to Meta; backups optional E2EE; closed source.

iMessage

Apple

Apple

Per-device keys; 14B+ devices; iCloud backups + ADP = E2EE; PQ3 (post-quantum) since iOS 17.4 / Mar 2024.

Facebook Messenger

Signal Protocol

Meta

E2EE default since Dec 2023; rolled out gradually.

Google Messages

Signal Protocol

Google

RCS Universal Profile + Signal-derived E2EE for 1:1 + group; Messages app only; ad-supported.

Wire

Proteus / MLS

Wire

Signal-derived; multi-device; commercial enterprise tier.

Threema

NaCl

Threema

Anonymous IDs; Swiss; paid; OSS clients; Threema Work.

Element / Matrix

Olm / Megolm

Matrix.org

Federated; Element client; cross-signing; verified devices; bridges to Slack / Discord / IRC.

Session

Session Protocol

Oxen Privacy

No phone or email; Lokinet-onion routing; Loki-based.

Briar

Bramble

Briar Project

P2P over Bluetooth / WiFi / Tor; android-only historically; censorship-resilient.

SimpleX Chat

SimpleX

SimpleX Chat

No global IDs; per-conversation queues; XMPP / SMTP inspiration.

Status

Status Network

Status

Decentralised; Ethereum-based identity.

Berty

Berty

Berty

IPFS-based; offline-first.

Cwtch

Cwtch

OPS Privacy

Tor-based; metadata-resistant.

DeltaChat

OpenPGP / IMAP

Delta Chat

Email-as-transport; PGP keys.

Tutanota

n/a (Tutanota)

Tutanota Mail

Encrypted email; not classic chat.

Proton Mail / Wire

OpenPGP

Proton AG

Encrypted mail + chat (Proton Wallet / VPN bundle).

Skred

n/a

Skred

No-account encrypted messaging.

Wickr Pro / Me

Wickr Protocol

Wickr (AWS)

Originally enterprise; sunset for consumer.

Olvid

PSIM

Olvid

No identifier; QR-pairing; FR.

RetroShare

PGP / DH

RetroShare

F2F P2P with onion-style routing.

Mainstream non-E2EE-default#

App

Notes

Telegram

“Secret Chats” only are E2EE; default cloud chats are server-side encrypted but accessible to Telegram. MTProto v2; Russian origin; channels + bots; widely used for both legitimate broadcast + OPSEC-poor private chats.

Discord

TLS in transit; no E2EE; voice/video uses DTLS-SRTP; Discord can read messages.

Slack

TLS; KMS / EKM available; Slack can read messages.

Microsoft Teams

TLS; E2EE for 1:1 calls only.

Google Chat

TLS; no E2EE.

WeChat

Server-mediated; subject to Chinese regulation; limited in foreign use.

LINE

Letter Sealing E2EE optional; default not E2EE.

Viber

E2EE for 1:1; group chats not by default.

Snapchat

Snaps E2EE; Memories not.

Instagram DMs

E2EE on by default for 1:1 since Dec 2023.

KakaoTalk

KR; “Secret Chat” is E2EE; default not.

QQ

CN; not E2EE; subject to regulation.

Underlying protocols#

Protocol

Notes

Signal Protocol

X3DH (key agreement) + Double Ratchet (forward + post-compromise security); the de-facto standard.

MLS (RFC 9420)

Messaging Layer Security; IETF standard for E2EE groups; tree-based key derivation; scales to thousands.

OMEMO (XEP-0384)

XMPP E2EE based on Signal Protocol.

OTR / OTRv4

Off-The-Record (legacy); deniability + perfect forward secrecy.

OpenPGP

IETF RFC 9580 / RFC 4880; the email + file standard; weaker forward secrecy.

S/MIME

X.509 + CMS; enterprise email; no FS.

PQ3 (Apple)

iMessage post-quantum protocol; uses Kyber768 + ECDH (HPKE-style); hybrid; Mar 2024.

Proteus (Wire)

Signal-Protocol Rust port.

Olm / Megolm

Matrix’s Signal-derived 1:1 + group ratchets.

Bramble (Briar)

Custom transport over TCP / Tor / Bluetooth / WiFi.

Lokinet / Onion

Session uses Loki-based onion routing.

SimpleX

No long-lived IDs; per-message anonymous queues.

Key verification UX#

Mechanism

Notes

Safety numbers

Signal; per-pair fingerprint; QR or read-aloud.

Security numbers

WhatsApp; same idea.

Cross-signing

Matrix; sign your other devices once; trust transitively.

Verified devices

Wire / Threema; per-device keys.

Authentication ceremo ny

Generic IETF term for any out-of-band fingerprint exchange.

Trust on First Use

SSH-style; weak but common.

Web of trust

PGP; signed key exchanges in person.

Key transparency

Apple PQ3 + WhatsApp + Google; published log of (account → key) bindings; user can audit.

Threat models / adversary#

Property

Notes

Confidentiality

Only intended recipients can read. (Most apps above.)

Integrity

Cannot be tampered with by network attacker.

Authentication

Sender is who they say they are.

Forward secrecy

Past messages stay private if a key is compromised later.

Post-compromise sec

Future messages stay private if a key is compromised once.

Deniability

Recipient can’t prove who sent the message.

Metadata privacy

Server doesn’t see who talks to whom (Signal Sealed Sender, Session, SimpleX, Cwtch).

Censorship resistance

Works without central server (Briar, Cwtch, RetroShare).

Anonymity

No phone / email / persistent ID required (Session, SimpleX, Cwtch, Briar, Threema).

Multi-device

Fan-out and ratchet sync without breaking FS / PCS.

PQ-secure

Apple PQ3, Signal PQXDH (PQ-secure key agreement, Sept 2023).

Operational pitfalls#

  • Backups can leak everything. WhatsApp Google Drive backup, iMessage iCloud backup (without ADP), Signal cloud-save, review backup posture; ADP / E2EE backups must be enabled explicitly.

  • Multi-device complicates verification. Re-verify each new device.

  • Phone-number leakage. Signal / WhatsApp expose your number to everyone you message. Username support added in 2024.

  • Sealed Sender still leaks recipient to Signal server for delivery.

  • Telegram Secret Chats are device-bound, they don’t sync across devices. Group chats are never E2EE on Telegram.

  • Metadata is the win. Even E2EE leaves rich metadata (who, when, how often, group membership). Metadata- resistant designs (Session, SimpleX, Cwtch, Briar) trade UX for less-correlatable comms.

  • Force-add to groups is a known abuse vector (WhatsApp / Signal). Restrict who can add you to groups.

  • Disappearing messages trim retention but not server metadata or screenshots.

  • PQ migration, Signal PQXDH (Sept 2023) and Apple PQ3 (Mar 2024) are partial; full PQ secure key agreement is now the bar; long-lived ratchet keys still classical in many implementations.

Hardening#

  • Verify safety numbers / cross-signing for every contact who matters.

  • Disable cloud backups, or require a strong recovery key (Signal PIN, ADP, Wire passphrase).

  • Use disappearing messages (matched to mission needs).

  • Restrict screen sharing / clipboard managers when sensitive conversations are on screen.

  • Don’t bridge sensitive Matrix rooms to Slack / Discord unless every party agrees.

  • For source / handler pairs: SecureDrop / OnionShare > any consumer messenger.

  • Consider air-gapped + Faraday devices for top-tier sources.

  • Replace devices on suspected compromise; don’t migrate installs.

References#