Choosing a secure IM for Android
I decided to look for some secure messenger, to see what people have done in all this time. Tested more than 20 instant messengers of varying degrees of readiness. Only messengers with "their" protocol were interested, because in the XMPP world, everything is fine and expected.
I was mainly interested in instant messengers for text communication with encryption in any form. The search was performed on Google Play for the phrases: “secure chat”, “secure IM”, “secure communication”, “secure messaging”.
Tested only free solutions.
tl; dr: Skype is still no replacement.
Actually, here are all my finds:
1. TextSecure
2. TigerText
3. Chiffry
4. Vipole
5. Unseen
6. Sicher
7. Whistle.im
8. Surespot
9. Wickr
10. Antox
11. Seecrypt SC3
12. Telegram
Everything is somewhat sad. Pleased Chiffry, but he is still raw and proprietary; Surespot pleased with the description and openness, somewhat interested Vipole. But everyone else is not comfortable or unpleasant to use. We continue to use XMPP + OTR / SIP + ZRTP.
I was mainly interested in instant messengers for text communication with encryption in any form. The search was performed on Google Play for the phrases: “secure chat”, “secure IM”, “secure communication”, “secure messaging”.
Tested only free solutions.
tl; dr: Skype is still no replacement.
Actually, here are all my finds:
1. TextSecure
- It works both via the Internet and via SMS. Uses encryption without authentication of the interlocutor, there is not even a fingerprint. You need to follow the key icon in the messages. Does not notify about the text
- To register, you need a phone number. Registration is optional (but only works via SMS)
- Messages only
- Android only
- Open source
2. TigerText
- More enterprise option. It can work on the Internet with both a phone number and mail ("for domain" mode)
- All sent and sent self-destructs after a maximum of 30 days (default is 5)
- There is no verification of the interlocutor, even a key snapshot
- Messages, photos, audio recordings
- To register, you need either a phone number or mail
- Android / iOS
3. Chiffry
- Keys are generated on first start. Nice interface
- There are fingerprints of keys
- Messages, calls, sending files and contacts. Group chats
- To register, you need a phone number
- The description on Google Play says that AES256-CGM + 512-bit (?) ECDH keys are used
- Android / BlackBerry
4. Vipole
- Tied to Vipole services. To generate a key, you need to drive with your finger. Not only IM, but also other VIPole services - notes, password manager
- It requires money for a lot, for example, to encrypt a local history
- You can set a password for the account and a password for the key. You can set a fake password for a key that will either crash the program or crash and delete data
- No fingerprint check
- For registration you need mail
- Messages, calls, video calls, file transfers, group chats and calls
- Looks like a great business solution.
- AES-256, RSA-3072
- Android / Windows / MacOS / Linux
5. Unseen
- No interlocutor verification, no key stamp
- Messages / Audio Video Calls / Group Audio Video Calls / Files
- A free account allows you to make audio conferences for up to 5 people. There are no video conferencing in the free version
- Login Registration
- 4096-bit NTRU
- Android / MacOS / Linux / Windows
6. Sicher
- IM from the creators of IM +
- Messages, group chats and files
- Messages self destruct
- There is no verification of the interlocutor, even the fingerprint of the key
- Registration by phone
- Android / iOS / WinPhone
7. Whistle.im
- Messages only. To register, you do not need either a phone or mail, only a username and password. Key stamp user confirmation
- Android / Browser
- Encryption library source code available
8. Surespot
- Registration only using login / password. Used by PGP and its keyserver
- Fingerprints not checked
- Messages, voice messages (paid), pictures
- 521-bit ECDH + AES256-GCM
- OpenSource Client and Server
- The website details encryption
- Android / iOS
9. Wickr
- Fingerprints are not checked.
- Messages self-destruct for a maximum of 6 days.
- Messages, photos, audio recordings.
- To register, you only need to come up with a username. No mail.
- AES256, ECDH521 TLS
- Android / iOS
10. Antox
- Well, about Tox you already know everything, I guess. Somewhere NAT failed and communication failed at all. This is the biggest trouble of P2P communications without a server
- Open source
- Cross platform
11. Seecrypt SC3
- AES 256 & RC4 384
- Messages / audio calls / files
- Android only
12. Telegram
- Pretty convenient messenger with visual fingerprint. No fingerprint checks. Two modes of operation: protected and unprotected chats.
- AES-IGE + SHA1
- Messages / Files
- Open protocol, OpenSource client, but not server
- Android / iOS / Windows / MacOS / Linux / Browser
conclusions
Everything is somewhat sad. Pleased Chiffry, but he is still raw and proprietary; Surespot pleased with the description and openness, somewhat interested Vipole. But everyone else is not comfortable or unpleasant to use. We continue to use XMPP + OTR / SIP + ZRTP.