Alternative chat apps for mobile phones

Alternatives to WhatsApp, Facebook Messenger, Google Talk, Snapchat, etc. offer you more control over your data and keep this data out of the hands of large commercial companies.

What is an 'alternative' chat app?  

When we describe chat apps as 'mainstream' we're talking about WhatsApp, Snapchat, WeChat, Line, Facebook Messenger, Google Talk, and similar apps. These are:

  • closed source (proprietary). This means that the code can't be examined.
  • commercially-owned, with a business model that likely includes storing, analysing, and selling your data.

When we describe apps as 'alternative', we're talking about TextSecure, Signal, Surespot, Chatsecure, Conversations, and others like them. These are:

  • free and open source. This means that the app's code is open for anyone to examine, and to check that the app is doing what it says it does. This often leads to individuals and groups doing an independent audit on the code.
  • designed to give you more control over your data - in this case, through the use of end-to-end encryption.
  • owned and managed by groups that do not sell your data.  
     

Why should you use an alternative?

You have more control over who can see your messages
Most mainstream apps currently don't offer end-to-end encryption. This means that the provider (the company that owns the app) has access to the content of your messages.

And where a mainstream app has claimed to have implemented end-to-end encryption (WhatsApp for Android, for example), we have to just take the company's word for it that the cryptography is working as it should, since the code is not available for independent security experts to check.

In contrast, formal independent audits have been carried out on the code (and cryptography) of many of the chat apps recommended below.
 

You have more control over your metadata
Regardless of what type of chat app you use, metadata is inevitably created every time you send a message. This can include names, phone numbers, locations and timestamps. Metadata is never encrypted.

So there are some questions you need to ask:

  • Who would you prefer to trust with your metadata?
    Do you really want to put it in the hands of a company that's going to sell it for a profit?
     
  • Where is the company based?
    WeChat, for example, is a Chinese company and so your data will fall under Chinese laws. WhatsApp and Facebook Messenger are owned by Facebook, which is based in the U.S. And so on.
     
  • What is the minimum metadata needed for an app to function properly and securely?
    You don't actually need to provide an answer to this, but be aware that some commercial apps will collect and store more metadata than they actually need for the app to function - for example, by asking you to register your mobile phone number.
     

Alternative apps: a selection

The apps featured below are free and open source; non-commercial; and offer end-to-end encryption. Some also have something called Perfect Forward Secrecy, which adds extra protection against your messages ever being decrypted in future.

Most have gone through one or more security audits (and for those that haven't yet - Surespot, for example - the code is still open to anyone who wants to see it.)

 

Signal (iPhone, Android)

Instant Messenger

Easy to use? Yes
End-to-end encryption? Yes, including between Signal and TextSecure.
Perfect forward secrecy? Yes
Increased anonymity? No - the app is linked to your phone number and has access to your address book.
Independently audited? Yes
Made by: Open Whisper Systems
 

SureSpot  (iPhone, Android)

Instant Messenger

Easy to use? Yes
End-to-end encryption? Yes
Perfect Forward Secrecy? No
Increased anonymity? Yes. You can create accounts using pseudonyms, and Surespot does not require your phone number or email address, or get access to your address book.   
Independently audited? Not yet
Made by: SureSpot
 

ChatSecure  (iPhone, Android)

Enables you to use an XMPP chat account on your mobile phone, with encryption.

Easy to use? Relatively easy to use, but you need to also have a pre-existing chat account with another provider.
End-to-end encryption? Yes, but you need to make sure to check the 'lock' box when you're using it.  
Perfect forward secrecy? Yes
Increased anonymity? Yes. Chatsecure allows you to use Tor on both iPhone and Android, and this will hide your IP address. You can also use Chatsecure with a pre-existing account that is anonymous (for how to set one up, go to the Increased Anonymity section below).
Independently audited? Yes
Note: On an iPhone, once your pre-existing chat account has been installed, Chatsecure can be used as an ordinary chat account or as a chat account that runs over Tor. It's not recommended to run both at the same time.
Made by: The Guardian Project
 

Conversations (Android 4.0+)

Enables you to use an XMPP chat account on your mobile phone, with encryption.

Easy to use? Relatively easy to use, but you need to also install an encryption protocol called Off-the-Record (OTR) to encrypt messages. You also need to have a pre-existing chat account with another provider.
End-to-end encryption? Yes, if you have also installed OTR.  
Perfect Forward Secrecy? Yes, if you have also installed OTR.
Independently audited? Not yet.
Increased anonymity? Yes. You can use Conversations with a pre-existing anonymous account (for how to set one up, go to the Increased Anonymity section below).
Made by: siacs eu
 

End-to-end encryption & perfect forward secrecy

End-to-end encryption means your message is scrambled when it leaves your computer or mobile phone, and it stays that way until it reaches the person with whom you are communicating. This prevents others - your service provider, for example - from being able to read the content of the messages you send and receive.

Said another way - with end-to-end encryption, your message is encrypted on your device and decrypted on the recipient's device. All the encryption keys are kept on your phone, and not on the system of the chat app provider. There's no way your messages can be decrypted, unless someone gets access to the phones themselves.

Perfect forward secrecy adds extra protection against your messages ever being decrypted in future, in case your secret keys get stolen (if you don't know what this means, don't worry about it; but if you're interested, these animations explain how encryption works).
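
For readers who want to see why a stolen key matters less with perfect forward secrecy, here is an added example (not part of the original guide, and not the code or protocol of any app listed above). It is a simplified sketch: the Ratchet class, the xor_cipher stand-in cipher and the sample messages are all constructed for illustration.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way step: the output does not reveal the input key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_cipher(key: bytes, nonce: int, data: bytes) -> bytes:
    """Demo-only stand-in for a real authenticated cipher.
    XORs data with an HMAC-SHA256 keystream; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = kdf(key, nonce.to_bytes(4, "big") + (i // 32).to_bytes(4, "big"))
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class Ratchet:
    """Hands out a fresh key per message, then forgets how it got there."""
    def __init__(self, shared_secret: bytes):
        self.chain = shared_secret

    def next_key(self) -> bytes:
        message_key = kdf(self.chain, b"message")
        self.chain = kdf(self.chain, b"chain")  # old chain value is overwritten
        return message_key

def stolen_key_demo():
    # Constructed sample data: messages an eavesdropper recorded in transit.
    messages = [b"meet at 6", b"bring the documents", b"see you there"]
    secret = hashlib.sha256(b"constructed shared secret").digest()

    # Case 1: one long-term key encrypts everything (no forward secrecy).
    static_ct = [xor_cipher(secret, n, m) for n, m in enumerate(messages)]
    # Case 2: each message gets its own ratcheted key, discarded after use.
    ratchet = Ratchet(secret)
    ratchet_ct = [xor_cipher(ratchet.next_key(), 0, m) for m in messages]

    # Later the phone is seized. The attacker gets what is stored on it now:
    # the long-term key in case 1, only the current chain value in case 2.
    read_static = [xor_cipher(secret, n, c) for n, c in enumerate(static_ct)]
    stolen = Ratchet(ratchet.chain)
    guess = stolen.next_key()  # best the attacker can derive: a future key
    read_ratchet = [xor_cipher(guess, 0, c) for c in ratchet_ct]
    return (read_static == messages,
            any(p == m for p, m in zip(read_ratchet, messages)))

if __name__ == "__main__":
    print(stolen_key_demo())
```

The first value returned says whether the recorded messages can be read with the stolen long-term key, the second whether any can be read from the stolen ratchet state.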

Read more about these on Tactical Tech's security toolkit Security in-a-box: Does Encryption Still Work

 

Anonymity

Anonymity is difficult to achieve on your phone, but different chat apps offer different ways of increasing your anonymity.

There are a number of ways your chat account can be linked to you.  

Downloading the app onto your phone
Both the iStore and Google Play store require an account (an Apple ID and Gmail account respectively) and all apps downloaded are identified with this account.

For Android you can swap apps with other phones. This might require some skills. F-Droid is an easy-to-use alternative to the Google Play store and offers apps which are all free of charge, free and open source.

Registering your account with your phone number or email address
All mainstream apps require this. From the alternative apps mentioned above, however:

  • Surespot does not require a phone number or email address, and you can use a random name or pseudonym.
  • Chatsecure and Conversations both allow you to connect pre-existing chat accounts to your phone.
    If your pre-existing chat account is a mainstream one, then you will have already registered your email address or phone number. For anonymity, you'll need to create a new chat account with a different service. Those provided by Jit.si are a good place to start. Once you've set up your account, you can then use Chatsecure or Conversations to connect it to your phone.

If the app requires access to your phone's address book
Chat apps usually ask permission for access to your phone's address book, to see which of your friends also use the app. This means that the app has access not just to your own phone number but also the names and numbers of all the people in your network.

  • Surespot, Chatsecure and Conversations do not require access to your phone book, but rather let you find other users by searching for each person individually.

 

Metadata
Using a proxy or Tor hides part of your messages' metadata, your location (IP address) and unique fingerprints of your device, from your internet service provider and others who have access to your communication. Unfortunately, if a chat app does not support a proxy or Tor, it can be more complex to set it up. A VPN is another solution to obfuscate your location, but most VPN services are paid services.

Read more about how Tor changes your digital traces on EFF: Tor and HTTPS.

 

Networks

When a chat app has access to your phone book, the app has access to your networks, and can connect names with phone numbers of those within your networks.

  • Surespot operates independently of your phone book, allowing you to keep your networks completely private. The same applies to Chatsecure and Conversations if you use a non-commercial chat account.

 

Learn more

Tactical Tech's Security in-a-box toolkit:

EFF's Secure Messaging Scorecard