Summary: The most popular secure messaging apps fall well short of ensuring users are protected from government surveillance.
Which six messaging apps actually live up to the claim that they're
verifiably 'safe and secure'? Hint: none that have millions of users,
though Apple's messaging products do perform well.
In a bid to improve messaging product security, the Electronic Frontier Foundation (EFF) has published a scorecard of 39 apps, which decodes the seven basic requirements they must meet in order to live up to the claim of being 'secure'.
The EFF's scorecard draws attention to the fact that messaging apps like
Google Hangouts, Facebook Chat, Snapchat, WhatsApp, Apple's email
products, Yahoo's web and mobile chat, and Secret "lack the end-to-end
encryption that is necessary to protect against disclosure by the
service provider".
As the EFF notes, end-to-end encryption has become more important in light of the surveillance techniques used by government agencies, which include forcing providers to hand over the keys needed to decrypt protected messages and hacking the providers themselves.
"The revelations from Edward Snowden confirm that governments are spying
on our digital lives, devouring all communications that aren't
protected by encryption," said EFF technology projects director Peter Eckersley.
Just a handful of apps meet all seven of the EFF's criteria: ChatSecure,
CryptoCat, Signal/Redphone, Silent Phone, Silent Text, and TextSecure.
The criteria assess whether content is encrypted in transit; whether
the provider can read encrypted messages; and whether the app
implements 'perfect forward secrecy', which ensures that previously
encrypted communications remain secure even if the keys are stolen in
the future.
The last three criteria assess whether claims to being secure can be
verified, such as whether the source code has been published to
facilitate an independent check for bugs and backdoors; whether
documentation of the cryptography used has been published; and whether
there has been an independent security audit.
While Apple's mail products didn't fare well, iMessage and FaceTime were
the best mass-market options, according to the EFF. Meanwhile, some
popular apps such as Tencent's QQ, Mxit, and the desktop version of
Yahoo Messenger had no encryption at all.
The main aim of the scorecard is to drag app makers towards better
security for end users, according to the EFF. "We hope the Secure
Messaging Scorecard will start a race-to-the-top, spurring innovation in
stronger and more usable cryptography," said EFF staff attorney Nate
Cardozo.
~ Liam Tung