Secure messaging apps are in the news these days, following a WikiLeaks dump of alleged CIA documents that showed how hackers might be able to circumvent smartphone privacy protections. The leak could discourage people from relying on these apps, but on balance they provide good security and are simple to use.

Consumers may have lots of reasons to want truly private communications with family, coworkers, and colleagues. Secure messaging apps such as WhatsApp and Signal are designed to help by using encryption to make sure only the people sending and receiving messages can read them. (All the people in the conversation need to be using the same app.)

The material on WikiLeaks discussed methods the CIA was developing to get around these apps.

For consumers interested in protecting their communications, it may have seemed as though hackers—whether they worked for a government or a criminal ring—could break through the encryption. Security experts quickly tried to debunk that idea, explaining that the apps themselves were secure, while the CIA had found ways to compromise smartphones, snooping out private messages before the secure messaging apps could do their work. 

The truth is a bit more complicated. Some messaging apps may have almost unbreakable encryption, but they also have potential blind spots that can compromise your security and privacy. That doesn't mean they are useless, any more than door locks are irrelevent just because they don't prevent all break-ins.

Here's what you should know about phone security in general and encrypted messaging apps in particular. The four options we describe are all well-known and can be used free of charge. 

First, a Phone Security Refresher

Imagine that you're typing a personal message on your phone before sending it to your spouse, Alcoholics Anonymous sponsor, accountant, or boss. And to do this you're using a messaging tool such as WhatsApp or Apple's iMessage.

If someone is literally looking over your shoulder, you don't expect the messaging app to keep them from reading it. The same idea applies if a piece of malware is doing something like taking screen shots or tracking your keystrokes—the messaging app isn't going to offer much protection in that situation.

That's why the first step in protecting your communications is to safeguard the whole phone. “Any and every app relies on secure hardware and a secure operating system,“ says Joseph Bonneau, a post-doctoral researcher at the Applied Cryptography Group at Stanford University. “There’s no way around that.”

Here's how you can protect your smartphone:

Update Your Operating System
After the CIA documents that allegedly described smartphone vulnerabilities were leaked, Apple released a statement saying that “many of the issues … were already patched in the latest iOS.” However, according to company figures, more than 20 percent of users had not yet installed that operating system. These users were missing out on the newest protections.

The situation with Android phones is similar. Most of the hacks, or exploits, described in the CIA documents affected phones running versions of Android 4.0. That’s several years old, but many phones still use it. Users should update their operating system, and if you can’t because your phone is too old, consider buying a new one.

Several security pros recommend the Google Pixel, which is likely to always have the latest OS updates from Google—phones from other brands have their own versions of Android, and these are updated less consistently.

“If you can afford it, any Google-branded phone is going to have updates available” whenever security improvements come along, Bonneau says. "Some of the carriers have been really behind with their updates” of other phones.

Set a Lock Screen
No pass code, no security. A lost or stolen phone with no lock screen can give a stranger open access to your Facebook and other social media accounts, along with your email account—and anyone with access to your email can probably change the passwords on everything else, from American Express to Zappos. 

Avoid USB Charging Stations
Don't use a data port (i.e., the USB port) to plug your phone into public charging stations or public computers. “It’s best to use a power [adapter] and plug it into an outlet,” says Richard Barnes, Firefox security lead at Mozilla. “But sometimes you have to charge your phone and you have no choice. You can buy a device called a USB filter—they’re also known by a more colorful name, USB condoms—which will make sure that only power goes through the USB connection and not data.”

And now, on to the secure messaging apps.


WhatsApp is one of the most widely used encrypted messaging options. Last year, the company added end-to-end encryption by default for all Android and iPhone users with the open-source protocol used by the Signal messaging app (see below). WhatsApp is easy to navigate, and chances are some of your friends already use it.

Getting Started
Once you download the app, you’ll be asked to provide your name and phone number, which you’ll then verify with a six-digit code texted to your phone. The app will also ask for permission to access your contacts. If you expect to use WhatsApp with just one or two people, you can deny the request and simply type in your contacts' phone numbers to text them.

Achilles' Heel
WhatsApp allows users to back up messages to cloud providers such Google Drive and Apple's iCloud, but these backups will not be encrypted. (If you back up your phone to a computer, your messages will remain secure as long as you enable full-disk encryption.) When setting up the app, users can choose whether to back up daily, weekly, monthly—or never, the most secure option. Keep in mind that your contacts might be backing up messages to the cloud. 

And then there's the fact that WhatsApp has been owned by Facebook since 2014, which may give pause to some users. Last August, WhatsApp announced that it would start sharing user data with its parent company. The content of messages isn't divulged—they're encrypted, after all—but other information is. 

According to a WhatsApp spokeswoman, "WhatsApp provides some account information people share at signup, along with things like device information and some metrics about when and how often people use WhatsApp." One way the data is used, she says, is to provide "more relevant ads on Facebook" to consumers who use the social network.


Founded in 2013, Confide recently made the news when it was found to be popular among political operatives and White House staffers. Confide says its app uses “military grade” encryption and boasts innovative features, notably one that lets messages get revealed bit by bit and disappear immediately after they’re read. The app was briefly in the headlines again when security researchers said they'd found it vulnerable to hacking; the developers say they've fixed the problem.

Getting Started
After downloading the app, you'll be asked to enter your first and last name and a phone number or email address. You'll also have to set a password. After verifying your number or email, Confide will ask for access to your contacts—you can say no, if you prefer, and enter phone numbers manually. After you view an offer to upgrade to a paid version of the service, you'll be able to send texts. 

Achilles' Heel
Security experts, including the cryptographers who work with encryption, have been raising doubts about this app for some time.

The first issue is that Confide’s encryption protocol is proprietary and its developers have not released detailed technical specifications. That's not the way WhatsApp or Signal operate, to give two examples.

Confide "came out of left field, and the people behind it weren’t well known in the crypto community,” Bonneau says. And because the software is a secret, he says, "you can’t review the code to verify claims or find flaws. [Encryption programs are] very brittle—the designs are very complicated, with thousands of lines of code—and it can take just a slight error for everything to break.”

Then, in early March, researchers from IOActive, a security firm, claimed that after reverse-engineering the app they found “numerous security vulnerabilities” that would allow hackers to impersonate users, decrypt messages, and get users’ contact information.

Confide says the security holes have been patched with the app’s latest update, and according to a company statement, “not only has this particular issue been resolved, but we also have no detection of it being exploited by any other party.” 


Signal uses an encryption protocol that has been available for review by outside experts since 2014, and its code has been examined and lauded by several leading cryptographers.

“Its crypto is pretty revolutionary” says Matt Mitchell, an info-security consultant and host of monthly cryptography-instruction gatherings in New York City. The company’s servers store very little user data, such as the last day the app was used.

Getting Started
After downloading the app, you’ll have to verify your phone number with a six-digit code that is sent via text message. The app will ask to access your phone’s contact list. (According to Signal, this data is quickly removed from its servers.)

Android users will also be asked whether they want to set Signal as their default messaging app.

Depending on what phone you’re using, Signal offers slightly different features on iOS and Android phones. “In iOS, for example, Signal can’t block messages or mute notifications,” Mitchell says, “so if you have your iPhone set to block someone, you will still get Signal messages from them.”

Achilles' Heel
Signal is favored by info-security pros we consulted, and the problems with it are considered small potatoes.

By default, Signal sends users an alert in the phone’s lock screen, displaying the sender’s name as well as the start of the text message.

If this troubles you, you can disable notifications completely via your phone’s settings. Better yet, open the Signal app, go to its settings, tap Notifications, and change “Show” to “No name or message.” You’ll still be notified when someone sends you a Signal text, but your phone lock screen won’t announce who it’s from or what they’re saying.

Signal is heavily used by people such as international aid workers and journalists but is less popular among ordinary consumers. This means you shouldn't assume your friends and family are already using the app. If you want to send them encrypted messages using Signal, you'll probably have to get them to sign up.


Apple’s proprietary built-in texting app seamlessly introduced end-to-end encryption to millions of iPhone users in 2011. Today, more than 1 billion devices use iMessage. That's an advantage because if you and a friend both have iPhones, you can enjoy encrypted text conversations without a visit to the App Store. 

Getting Started
There’s nothing to download—iMessage is preinstalled on every iPhone and iPad.

Achilles' Heel
It's difficult for security researchers to evaluate iMessage—that doesn't necessarily imply that it has weaknesses, but it does make some experts less eager to recommend the app.

Even if you are sending a message to another iPhone user, you don't know for sure if the communication is encrypted until you hit Send. It depends on what features you or the other user has turned on and off in the settings. If the message you send pops up on a blue background, the message is encrypted; if it's on a green background, the message has been sent as a conventional text message and is not encrypted.

Additionally, the app lacks a feature that security pros appreciate in Signal and WhatsApp. With both those messengers, the sender and recipient have a way to verify their encryption keys—though odds are good that most users have never done this.

Without going too far into the technical details, you can burrow down through a couple of menus to get a QR code and a long string of digits, then compare notes with the other participant in the conversation. This is a way to make sure that your messages are not being decrypted and read or otherwise tampered with en route.

That option isn't available for users of iMessage. Whether you care probably depends on just how much you worry about someone trying to intercept your communications.