How Secure Is Your Messaging App? The EFF’s Secure Messaging Scorecard Can Tell You

Between Edward Snowden’s reveal about the NSA, Heartbleed, the iCloud celebrity photo hack, and the issues surrounding Apple Pay rival CurrentC, it’s no wonder that our sense of security regarding our Internet usage has been eroding over the past year — and unfortunately, this little tidbit probably won’t make you feel much better about it: The Electronic Frontier Foundation’s Secure Messaging Scorecard just ranked the security of more than 30 popular messaging apps… and found most of them lacking. I mean, I don’t want to freak you guys out or anything — but if you’re already thinking of tightening up your online security, you’re going to want to read this.

The Electronic Frontier Foundation, or EFF, teamed up with Julia Angwin of ProPublica and Joseph Bonneau of the Princeton Center for Information Technology Policy in order to launch a campaign for “secure and usable crypto.” Part of this campaign is the Secure Messaging Scorecard, which examined a range of messaging, texting, email, and video chat apps and services and ranked them on their security best practices. The practices in question were formulated as questions, which each app either passed or failed:

  1. Are messages encrypted in transit?
  2. Are communications encrypted so the provider can’t read it?
  3. Can you verify contacts’ identities?
  4. Are past communications secure if your keys are stolen?
  5. Is the code open to independent review?
  6. Is security design properly documented?
  7. Has the code been audited?

The results are both kind of surprising and a little disheartening; most of the services that were graded turned out to be not nearly as secure as you probably think they are. You can read more about the methodology and see the entire scorecard over at the EFF’s website — but in the meantime, if you’re curious about how many of the tests your favorite messaging app passed, read the short version below. Here’s how 10 of the most popular apps stack up:

1. AIM: One out of seven tests

The only test AIM passed was “are messages encrypted in transit?”; it failed the other six. But hey, at least it didn’t score as badly as Mxit, an app that’s popular in South Africa, or QQ, which has 1 billion users in China — both of which failed all seven tests.

2. Yahoo! Messenger: One out of seven

Like AIM, Yahoo! Messenger only checked off the “are messages encrypted in transit?” box. And while we’re on the subject, let’s look at…

3. BlackBerry Messenger: One out of seven

…Which also only passed the transit encryption test. BlackBerry Protected did slightly better, though, also checking off the “encrypted so the provider can’t read it” and “security design properly documented” boxes.

4. Facebook Chat: Two out of seven

Facebook’s chat program is both encrypted in transit and has audited code; it failed the other five tests, however.

5. Google Hangouts/Chat “off the record”: Two out of seven

The same is true of Google Hangouts/Chat when it’s set to “off the record” mode…

6. Snapchat: Two out of seven

…And of Snapchat…

7. WhatsApp: Two out of seven

…And of WhatsApp.

8. Skype: Two out of seven

Skype also scored two out of seven, but a different two: Yes, it’s encrypted in transit, but its code isn’t audited. The second test it passed was the “encrypted so the provider can’t read it” one.

9. iMessage: Five out of seven

Apple’s services seem to be the most secure of the mainstream apps; iMessage passed five of the tests. The only two it didn’t pass were the “can you verify contacts’ identities?” and the “is the code open to independent review?” ones.

10. FaceTime: Five out of seven

The same was true of FaceTime.

The good news is that there are a few options that passed all seven tests with flying colors; you may not have heard of them, depending on how well-versed you are with computers and crypto, but hey, at least they’re out there. CryptoCat, Silent Phone, Silent Text, and TextSecure are a few of them; find out more over at the EFF’s scorecard website.

Now if you’ll excuse me, I have some security tests to run…
