Messenger
As of: 08.11.2021 (blue)
16.01.2022 (purple)
Briar Conversations (XMPP) (f) Cwtch Delta Chat (f) Discord Element (Matrix) (f) Facebook Messenger Gajim ginlo iMessage Jami Session Signal SimpleX Chat Siskin (XMPP) Skype Telegram Threema aTox (Tox) Viber WhatsApp Wickr Me Wire
Price free paid free free free free free free free free free free free free free free free paid free free free free free / paid
Environment
Android yes yes yes yes yes yes yes no yes no yes yes yes yes (in termux) no (see Conversations) yes yes yes yes yes yes yes yes
iOS no no (see Siskin) no yes yes yes yes no yes yes yes yes yes no yes yes yes yes no yes yes yes yes
Web/Desktop only Linux yes (various clients) yes yes yes yes (various clients) yes yes yes only macOS yes yes yes yes (Linux/Mac/Win) yes (various clients) yes yes yes yes (various clients) yes yes yes yes
Security & Privacy
Open Source licence GPLv3 GPLv3 MIT GPL no Apache 2.0 no GPLv3 Apache 2.0 no GPLv3 GPLv3 GPLv3 AGPLv3 GPLv3 no GPLv2 (only Client) AGPLv3 (only Client) GPLv3 no no no GPL
Repo GitLab GitHub Open Privacy Gitea GitHub GitHub GitLab GitHub GitLab GitHub GitHub GitHub GitHub GitHub GitHub GitHub GitHub
Comes without proprietary libraries yes yes yes no yes no no yes no no yes yes no yes (only F-Droid version) no yes no no
Encryption protocol / library Bramble OMEMO (Signal Protocol) Tor hidden services/TLS OpenPGP with Autocrypt Olm / Megolm (Signal Protocol) Signal Protocol (unverifiable) proprietary, unknown RSA-Keys (4096-Bit) Session Protocol Signal Protocol Double ratchet (aka signal), NaCl Crypto_box OMEMO (Signal Protocol) proprietary / Signal Protocol MTProto 2.0 NaCl (no PFS) NaCl (no PFS) Signal Protocol (unverifiable) Wickr Messaging Protocol Proteus (Signal Protocol)
Cryptographic primitives Curve25519 / XSalsa20-Poly1305 / Blake2 Curve25519 / AES-256 / HMAC-SHA256 Curve25519 / AES-128 Curve25519 / AES-256 / HMAC-SHA256 Curve25519 / AES-256 / HMAC-SHA256 RSA-1280 / ECDSA 256 (signing) / AES 128 / SHA-1 RSA 4096 PKI / AES-256 Double Ratchet, 3XDH handshake, using Curve25519, AES-256, and HMAC-SHA256 primitives, Session IDs are X25519 Key pairs, and Onion requests X25519 with HMAC-SHA-256 for deriving symmetric key, then AES-256 with that key Curve25519 / AES-256 / HMAC-SHA256 Ed448 / Curve448 / Curve25519 / XSalsa20 256 / Poly1305 / AES-GCM AEAD / SHA512 based HKDF / SHA256 RSA-1536 & 2048 / AES 256 / SHA-1 RSA 2048 / AES 256 / SHA-256 Curve25519 256 / XSalsa20 256 / Poly1305-AES 128 Curve25519 256 / Salsa20 128 / HMAC-SHA256 Curve25519 / AES-256 / HMAC-SHA256 ECDH512 / AES-256 / HMAC-SHA256 Curve25519 / ChaCha20 / HMAC-SHA256
End-to-end encryption yes yes yes only Delta Chat contacts no yes yes yes yes yes yes yes yes yes (two-layer) yes only individual chats (optional) only individual chats (optional) yes yes yes yes yes yes
End-to-end encrypted 2-user chat yes yes yes yes no yes yes yes yes yes yes yes yes yes only in "Private Conversation" only in "Secret Chat" yes yes yes yes yes
End-to-end encrypted group chat yes yes yes yes no yes no only with plugin yes yes no yes yes yes no no yes yes yes yes yes
E2EE is turned on by default yes yes yes  yes for DC contacts / No for normal emails no yes no yes yes yes yes yes yes no no yes yes yes yes yes
Local message encryption yes no no no yes yes no yes yes no no no no yes no yes yes
Perfect forward secrecy is enforced yes yes no yes yes no yes no yes yes yes no no yes yes yes yes
Does the app use certificate pinning? N/A (no servers) no no yes (>=iOS 9.3) yes yes yes yes yes yes yes yes
Could the directory service be modified to enable a MITM attack? no (no directory service) no (no directory service) N/A (no directory service) yes yes yes no (no directory service) yes no (no directory service) yes yes yes yes yes yes yes
Contact verification possible yes yes yes no yes no yes yes yes N/A, there are no identities, the contacts are verified out-of-band - we do not have identities in the network yes no only in "Secret Chats" yes yes yes yes yes yes
Contact can be added without needing to trust a directory server yes yes yes no no no Yes, once connected to the network encrypted messages can be sent to new Session IDs without needing to query any resolving server no yes no no yes yes no no no
Notification if contact's fingerprint changes yes yes (if previously verified) only in verified group chats no yes no yes yes N/A, there are no permanent identities yes (if previously verified) no no yes no yes must be enabled yes yes (if previously verified)
Can you manually verify contacts' fingerprints? no no no yes yes no Yes, by contacting the user you suspect you are talking to out of band and comparing their Session ID with the Session ID you are talking to. If they match then you know you are speaking with the real person. yes Key exchange happens out of band, via QR code, so MITM attack is not possible and key integrity is preserved in a non-optional way, unlike how it happens with fingerprint verification no no yes yes yes yes yes
Native Tor support yes no yes Experimental socks5 proxy feature no no no onion routing supported by default Servers can be accessed via Tor, but clients do not natively support it yet - it is planned no no no no no
Mesh networking yes no no no no   no no no no no no no no no no no
Last security audit 2017 2016 2016 2016 2021 2017 2017 2020 2014 2018
Tracker integration (Exodus) 0 0 1 6 0 5 1 0 0 0 0 0 2 1 0 12 1 3 0
Use without phone number possible yes yes yes yes yes yes yes yes yes yes yes no yes yes yes required for registration yes yes no no, forwarding to Facebook yes yes
Works without google play services yes yes yes yes yes yes works but gives a warning yes yes yes yes yes yes yes yes works but gives a warning
Avoids / Protects metadata during use yes via onion routing no no no no no partially Yes, we use sealed sender for all sent messages. Sending and retrieval of messages is all done using onion routing. This means that no central server knows your IP address, who you are sending to and who you receive messages from. Other metadata like mobile phone numbers is removed through the usage of public key pairs. partially yes no no no partially partially no no
Reasonably useful without sharing the contact list yes yes yes yes yes no no yes yes yes yes - there is no need to share contact lists yes yes yes yes yes no yes
Advertising-free yes yes yes no yes yes yes yes yes yes yes yes no yes yes yes no yes
Sustainability
Centralized / Federated / Decentralized decentralized Peer-to-peer federated decentralized Peer-to-peer federated centralized federated centralized federated centralized decentralized Peer-to-peer decentralized Peer-to-peer centralized client centric network based on the platform that consists of cheap redundant server nodes providing unidirectional queues, that do not talk to each other, without any central catalogue federated centralized centralized centralized decentralized Peer-to-peer centralized centralized centralized centralized
Infrastructure hosting N/A (no servers) distributed server distributed server Google and Cloudflare distributed server / Google (Opt-In) Facebook Apple decentralized Amazon, Microsoft, Google & Cloudflare Anybody can host the servers, open-source code is available, with one-click deployment on Digital Ocean and Linode distributed server Microsoft Amazon, Google and others Server in Switzerland Facebook Amazon Amazon
Open Source server N/A (no servers) yes depends on the server no no no N/A (decentralized) yes yes yes no no no no no no yes
Client available since 2017 2014 2017 2015 2016 2011 2004 2011 2018 2020 2014 early 2021 2016 2003 2013 2012 2020 2010 2009 2012 2014
Transparency / Financing (Including donations) transparent clear funding transparent non-transparent partially non-transparent non-transparent fee-based offers transparent partially non-transparent community project clear funding non-transparent non-transparent clear funding community project non-transparent non-transparent
Transparency report no Not required. Client only no yes yes yes yes no yes no yes   no yes yes yes
Funding Small Media, Open Internet Tools Project, Access, Open Technology Fund, Prototype Fund, Internews, NLnet Foundation, EU Next Generation Internet programme, ISC Project NLNet, User pays NEXTLEAP EU project, Open Technology Fund, NLnet foundation New Vector Limited, Community Facebook Apple LAG Foundation Ltd, OPTF Foundation Freedom of the Press Foundation, the Knight Foundation, the Shuttleworth Foundation, and the Open Technology Fund, Signal Foundation (Brian Acton) SimpleX Chat Microsoft Pavel Durov User pays, Afinum Management AG Rakuten / friends and family of Talmon Marco Facebook Amazon / CIA Janus Friis, Iconical, Zeta Holdings (Luxembourg), Morpheus Ventures (Los Angeles)
Availability Play Store, F-Droid Play Store, F-Droid Website Website, Play Store, F-Droid, App Store Play Store, App Store Play Store, F-Droid, App Store Website, Play Store, App Store Website Website, Play Store, App Store App Store Play Store, F-Droid, App Store GitHub, Website, Play Store, F-Droid, App Store Website, Play Store, App Store GitHub App Store Play Store, App Store Play Store, F-Droid, App Store Website, Play Store, App Store Website, F-Droid Website, Play Store, App Store Website, Play Store, App Store Website, Play Store, App Store Website, Play Store, App Store
Legal jurisdiction depending on server location depending on server location USA depending on server location USA Germany USA depending on server location USA depending on server location USA Dubai (alternating) Switzerland USA Germany
Jurisdiction of the devs/company UK Germany Germany UK USA Germany USA Australia USA UK USA USA / UK / Belize / UAE Switzerland Luxembourg / Japan USA USA USA
Functions
Visible if contacts are online yes yes yes no yes no yes yes yes no yes no no no yes yes no yes yes yes no
Voice messages no yes no yes yes yes yes no yes yes yes yes yes no yes yes yes yes no yes yes yes yes
Audio-/Video-chats no yes (depending on server) no no yes yes yes no yes separate app yes yes yes no yes (depending on server) yes yes yes no yes yes yes yes
Group chats yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes no yes yes yes yes
File exchange yes (images only) yes no yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes
Self-destructing messages yes no yes no no partially (depending on server) yes yes no no yes yes no no no only in secret chats no no yes yes yes yes
Read receipts yes yes yes yes no yes yes yes yes yes yes yes yes no yes yes yes yes yes yes yes
Deleting sent messages locally yes yes but not individually no yes yes yes yes yes yes no yes yes yes, manually yes yes yes yes yes yes
Deleting sent messages for both (2 user chat) no no no no yes yes yes no no no yes yes no no yes yes yes yes
Editing sent messages no yes no no yes yes no yes no no no no no yes yes no yes no yes yes
Synchronization between multiple devices no yes yes yes yes yes yes yes (with Swarms) yes solely desktop, smartphone or tablet no yes yes only unencrypted chats no no no up to eight
Backup
Storage location no locally locally no locally and / or Cloud locally and / or Cloud locally and / or Cloud locally locally locally locally no locally Cloud (except secret chats) locally and / or (own) Server no locally and Cloud locally
Automated no no partially, after setup after setup after setup (only cloud) no no after setup no no yes partially, after setup after setup no
Encrypted yes no yes yes yes (local) no yes yes no no key with the provider yes key with the provider only iOS
Information is validated by the devs
Date 12/23/2021 12/22/2021 denied 1/16/2022 1/13/2022 1/11/2022 denied
Kuketz-Blog [Translated by nussfell, thure and theobär]
Link to review Link Link Link Link Link Link Link Link
Operability / Target group Nerd, Activist, Journalist Advanced Advanced Beginner Advanced Beginner Advanced Beginner Advanced Beginner Beginner Beginner Nerd, Developer Beginner Advanced
Recommendation yes yes limited no yes no limited   yes yes no no yes no no limited
More background knowledge on the assessment/recommendation: »Die verrückte Welt der Messenger« and »Messenger-Matrix« Blog: www.kuketz-blog.de | Forum: forum.kuketz-blog.de
Notes
Categories that were modified or added by me are marked purple.
Ideas for new categories
-form of long term user identities
-non-optional key exchange
-specification of the centralised component
-can online visibility indication be turned off
-deniability
-links with crypto/nfts (Session, Signal)
Ideas for new messengers
-Berty
Archive links
archive.org
archive.today