- Why don't SMS messages protect your exchanges?
- Secure messaging: what are the solutions?
- Messaging applications to avoid
In today's connected world, a significant proportion of our personal, professional and sensitive exchanges take place via electronic messaging. However, the confidentiality of these communications varies greatly depending on the protocols used.
In this chapter, we will attempt to understand the technical and practical issues involved in using digital communication tools, in order to choose and use those that provide real protection against eavesdropping and surveillance.
Why don't SMS messages protect your exchanges?
SMS (Short Message Service) has historically been very popular for text exchanges, but it is based on an obsolete protocol dating back to the late 1980s. This protocol, integrated into GSM (Global System for Mobile communications) standards, provides no end-to-end encryption mechanism. In practice, every SMS sent is transmitted in clear text over mobile operator networks (sometimes encrypted only on the radio interface, but never end-to-end). This means that message content can be intercepted at several levels:
- by the operator
- by a malicious actor intercepting mobile traffic (e.g. via IMSI Catchers)
- or by government agencies with legal or illegal access to network infrastructures
The fact that SMS messages are stored on operators' central servers, and the weakness of the authentication system (the telephone number as a unique identifier), make messages easily intercepted and vulnerable to attack. SMS is therefore totally unsuitable for transmitting information, whether in a personal, professional or critical context.
These limitations also apply to MMS (Multimedia Messaging Service), which is based on the same technical foundations, with the addition of multimedia content (photos, videos).
In recent years, some operators and manufacturers have introduced RCS (Rich Communication Services), a technical evolution of SMS. RCS enables the sending of enriched messages (images, videos, acknowledgements of receipt, etc.) and integrates encryption in transit (TLS), but this remains dependent on operator servers and does not guarantee end-to-end encryption in all cases. What's more, the fragmentation of its implementation between operators and manufacturers (between Android and iOS, for example) limits its adoption and real reliability.
Since 2021, Google Messages has adopted the Signal protocol to guarantee end-to-end encryption, but this feature is only accessible if both parties are using Google Messages.
In March 2025, the GSM Association published Universal Profile 3.0 (UP 3.0), which finally establishes an interoperability standard for end-to-end encryption (E2EE) in RCS. As a result, when an exchange takes place via a UP 3.0-compliant RCS client, the content becomes unreadable for both the operator and an IMSI-catcher. Google and Apple have announced their intention to support this technology (it remains to be seen whether this will be interoperable). However, if one of the devices is not RCS UP 3.0 compatible, or if there is no IP connectivity, communication automatically switches to conventional, unencrypted SMS, making interception trivial.
On the Apple side, iMessage (launched in 2011) offers native end-to-end encryption between Apple users, but this protocol remains closed and limited to the iOS/macOS ecosystem. When exchanging messages with users outside this ecosystem, the message reverts to the classic protocol, losing all confidentiality. Encryption can also be broken if you or your counterpart saves your messages in iCloud without the Advanced Data Protection option.
In short, neither conventional SMS, nor MMS, nor even standard RCS can be considered reliable, universal solutions for preserving the confidentiality of exchanges. Only the use of Google Messages, iMessage or the future RCS UP 3.0 protocol can guarantee satisfactory confidentiality, provided that both parties adopt the same encryption protocol. And this is precisely where the main pitfall of SMS in the broadest sense lies: This messaging application, pre-installed on the majority of phones, brings together radically different protocols, and if the other party only supports the SMS protocol, your message will be transmitted in the clear, without you necessarily realizing it. This is why, until a universal and robust end-to-end encryption standard is established, I strongly advise against using conventional messages, as you remain far too dependent on your counterpart's choice of protocol to guarantee your own security.
Instead of SMS, I'd advise you to use dedicated messaging applications that use robust, transparent end-to-end encryption, enabling truly secure and private communication.
Secure messaging: what are the solutions?
Faced with the limitations of SMS, a number of modern applications have emerged, some with end-to-end encryption. Here's a comparative overview of the main applications available today, to help you identify those that best meet your security and confidentiality needs.
Signal
Signal is an instant messaging application designed from the outset to offer maximum confidentiality and security. It is based on the Signal Protocol, which ensures systematic end-to-end encryption for every message, voice or video call, as well as for file sharing. This protocol is reused by many other messaging services, such as WhatsApp, Facebook Messenger, Skype and Google Messages (in its RCS implementations).
Technically, every conversation inside Signal is protected by an asymmetrical and ephemeral encryption mechanism: Session keys are dynamically negotiated and destroyed after use, thus limiting the risk of compromise. The transparency of the application, whose code is entirely open-source on both the client and server sides, means that any security expert or researcher can check its integrity and compliance with the stated cryptographic standards.
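The "destroyed after use" property described above can be reproduced with a one-way key chain. The code below is an added example, not Signal's code and not part of the original course: it models only a symmetric hash chain, whereas the real protocol also mixes in fresh Diffie-Hellman exchanges. The class and function names, the HMAC labels, the HMAC-based stand-in cipher and the sample messages are all assumptions made for illustration.

```python
import hashlib
import hmac

MESSAGES = [b"meet at 18:00", b"bring the documents", b"use the side door"]  # constructed

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

class ChainRatchet:
    """One sending or receiving chain; only the newest chain key is stored."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    def next_message_key(self) -> bytes:
        message_key = _prf(self.chain_key, b"\x01")     # used for exactly one message
        self.chain_key = _prf(self.chain_key, b"\x02")  # overwrite: the old key is gone
        return message_key

def _keystream(key: bytes, length: int) -> bytes:
    # HMAC in counter mode, a stand-in for a real cipher (assumption of this example).
    blocks = (_prf(key, i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(message_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC with separate keys derived from the one-time message key.
    stream = _keystream(_prf(message_key, b"enc"), len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return ct + _prf(_prf(message_key, b"mac"), ct)

def open_sealed(message_key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(message_key, b"mac"), ct)):
        return None  # wrong key or modified ciphertext
    stream = _keystream(_prf(message_key, b"enc"), len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

def run_demo() -> dict:
    # Constructed stand-in for the secret both sides obtain from key agreement.
    shared = hashlib.sha256(b"constructed key-agreement output").digest()
    alice, bob = ChainRatchet(shared), ChainRatchet(shared)
    blobs = [seal(alice.next_message_key(), m) for m in MESSAGES]
    read_by_bob = [open_sealed(bob.next_message_key(), b) for b in blobs[:2]]

    # Bob's device is seized after two messages: the chain key is copied.
    seized = ChainRatchet(bob.chain_key)
    seized_keys = [seized.next_message_key() for _ in range(20)]
    past = [open_sealed(k, b) for k in seized_keys for b in blobs[:2]]
    return {
        "bob": read_by_bob,
        "past_recovered": [p for p in past if p is not None],
        "future": open_sealed(seized_keys[0], blobs[2]),
    }

if __name__ == "__main__":
    print(run_demo())
```

The third message is still readable from the seized state, which is why a hash chain alone is not enough: the fresh asymmetric key exchanges mentioned above are what cut off a compromised chain from later messages.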
However, Signal has a weak point when it comes to anonymity: the application requires a valid telephone number for user registration and identification. Although this number is not systematically visible to your contacts (it can be hidden under a pseudonym), this requirement introduces a dependency on the telephone infrastructure, and therefore a potential traceability loophole.
In short, Signal is a very good messaging solution, but unfortunately it requires registration with a telephone number.
WhatsApp
WhatsApp, owned by Meta (formerly Facebook), also uses Signal Protocol for its end-to-end encryption. So, in theory, your WhatsApp conversations are effectively protected against interception. However, it's not necessarily the best in terms of real confidentiality: the application collects a huge amount of metadata (numbers, frequency of exchanges, approximate location, contacts...), which can be commercially exploited by Meta for advertising or analytical purposes.
Also, the encryption applied by WhatsApp cannot be verified, as its source code is proprietary. That's why I don't recommend using WhatsApp in a context where the confidentiality and security of your exchanges are important.
Telegram
Telegram is a very popular messaging service thanks to its ergonomics and features (public channels, bots, large groups...). However, its security is much more limited by default: only "secret exchanges" benefit from end-to-end encryption. All other conversations (the majority of users' daily exchanges) are stored unencrypted on Telegram's servers.
Telegram can therefore technically access the content of the majority of conversations that are not explicitly protected. Even if the company takes a firm stance towards government authorities, Telegram is not an optimal solution for confidential or sensitive exchanges, unless you explicitly use its "secret exchanges", which are far less practical on a day-to-day basis.
Threema
Threema, launched in Switzerland in 2012, stands out from most other secure messaging services thanks to its privacy-by-design approach. Unlike Signal, WhatsApp or Telegram, no phone number is required to create an account. The user is assigned a unique random identifier, enabling completely anonymous registration with no direct link to a real identity.
Technically, Threema offers end-to-end encryption on all communications: messages, calls, files, groups, and other functionalities. Since 2020, the source code for mobile applications has been open-source, enabling independent auditing. On the other hand, the server infrastructure remains proprietary, although it is located exclusively in Switzerland, a country whose legislation is favorable to the protection of personal data.
The application is compatible with Android and iOS, and also offers a secure web interface, as well as a native client for Windows, Linux and macOS. Initial activation, however, requires a smartphone.
Another important aspect of Threema is its business model: the application is not free and must be purchased (around €5.99). This choice avoids dependence on a model based on data collection or advertising. To preserve anonymity when purchasing, activation keys can be purchased in bitcoins or cash directly on the Threema Shop for Android.
I think this messaging solution is excellent, but its main drawback is that the source code for its servers remains proprietary.
SimpleX Chat
SimpleX Chat, launched in 2021, completely eliminates the notion of a user ID: no telephone number, no public pseudonym, no visible public key. Each user is identified solely by links or ephemeral QR codes. This architecture makes correlation between users virtually impossible, guaranteeing a high level of confidentiality.
Technically, messages are encrypted from end to end and pass through relay servers. These relays have no knowledge of the sender, recipient or their keys. Once a message has been transmitted, it is immediately deleted from the server. SimpleX adopts an unfederated, decentralized architecture: servers share no global directory, and each user can install his or her own relay. This contrasts with solutions such as Matrix, where federated servers keep track of exchanges.
The protocol is entirely open-source: clients, servers and protocols are publicly accessible and audited. SimpleX is available on Android, iOS, Linux, Windows and macOS, with encrypted, portable local storage, so profiles can be transferred without a central server. Each user can also manage several isolated profiles, each with its own settings, nickname and photo. This flexibility makes it possible to clearly separate private life, professional life and pseudonymity.
Contacts are added via temporary links or static addresses (permanent but revocable identifiers). You can also choose between ephemeral exchange or a more classic mode, with fine-grained controls on visibility and authorizations (for example, hiding your real name behind a random, unique pseudonym for each contact).
In terms of security and confidentiality, SimpleX goes further than most existing messaging systems, limiting metadata to a minimum and eliminating any dependence on a central directory or unique identifier. However, this architecture imposes a number of compromises in terms of user-friendliness: sometimes less intuitive ergonomics, the need for a slight initial learning curve, and dependence on the availability of relay servers.
Session
Session, launched in 2020 by the Oxen Privacy Tech Foundation, is a messaging app designed to offer enhanced privacy and resilience in the face of surveillance. Session requires no personal information on registration: no phone number, no e-mail, just a pair of locally generated cryptographic keys. This enables anonymous authentication.
Technically, Session implements end-to-end encryption for messages, files, audio and calls, as well as for groups (up to 100 members). Messages are routed via a decentralized network based on node servers inspired by Tor's onion architecture. This mechanism offers advanced protection against network surveillance, including by ISPs and state actors.
The Session client and server are open-source. The software is available on Android, iOS, Windows, macOS and Linux, with an option to synchronize between devices via a mnemonic phrase similar to that used in Bitcoin wallets. This phrase gives the user exclusive control over his or her data, but also imposes a significant responsibility in terms of backup.
Keet
Keet, launched in 2022 by Holepunch (a company backed by Tether and Bitfinex), stands out for its radically decentralized approach: All communications (messages, audio and video calls, file transfers, etc.) take place directly between users, without passing through any central server. This P2P architecture eliminates intermediaries and considerably enhances the system's confidentiality and resilience.
Keet encrypts all communications end-to-end. Registration is completely anonymous: no telephone number, e-mail address or identifier is required. This ensures enhanced confidentiality from the moment the service is activated. Video calls are of the highest quality, and file transfers are unlimited in size, making it suitable for both professional and personal use.
On the other hand, although some components (cryptography and networking) are published as open-source on GitHub, Keet's client interface was not fully open at the time of writing SCU-202 (May 2025). However, Holepunch has announced its intention to publish the entire code in the future.
Keet is available on Android, iOS, Windows, macOS and Linux, and can be synchronized between devices using a mnemonic phrase.
Olvid
Olvid, launched in 2019, is a French encrypted messaging service. Its strong point: Registration without any personal data. Identification is based on a direct exchange of cryptographic keys between users.
Technically, messages on Olvid are encrypted from end to end, using a proprietary protocol specifically designed to protect not only message content, but also metadata: No one, including the central server, can know who is communicating with whom, or when. This model significantly reduces the risks of espionage and surveillance.
However, the server infrastructure remains proprietary and centralized, hosted on AWS (Amazon Web Services). The client code has been open-source for several years, but the server code is not published, which limits the technical transparency of the system.
Olvid's security model is based on an important principle: The total absence of a trusted third party in the establishment of digital identities. Unlike most encrypted messaging systems, which rely on a centralized directory to manage user identities, Olvid does not depend on any centralized infrastructure to guarantee the integrity of communications. This architecture eliminates the risks associated with directory compromise.
Olvid does use a central message distribution server, but its role is strictly logistical: It handles the asynchronous transmission of encrypted messages. This server is not involved in any stage of the encryption process, and knows neither the real identity of users, nor the content or metadata of messages (with the exception of the recipient's public key, which is required for routing). It can therefore be considered hostile by default, without compromising overall security. Even if it were compromised, it would not allow any access to the content of communications. Olvid therefore assumes centralized message distribution (for reasons of efficiency and quality of service), while guaranteeing security independent of this infrastructure.
Olvid offers two versions:
- A free version, offering all functions except audio and video calls (receiving only) and multi-device synchronization
- A paid version at €4.99 per month unlocks all features
The application is certified by ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information).
Olvid is compatible with Android, iOS, Windows, macOS and Linux. Its ergonomics remain simple and accessible. The application also features an encrypted backup system for keys and contacts, so you can restore an account on a new device.
Messaging applications to avoid
Popular messaging applications such as WhatsApp, WeChat, Facebook Messenger, Instagram Direct Message, Snapchat and LINE are widely used on a daily basis. However, from a technical point of view, these platforms do not meet modern security standards suitable for private communications.
Generally speaking, the two fundamental criteria to consider when choosing a messaging service are: Does it provide end-to-end encryption, and is its code open-source? Then there are other features that may be of interest, such as anonymous registration or the use of a decentralized network architecture, but these first two elements are the basics. Encryption guarantees the confidentiality of your exchanges, while opening up the source code allows you to check that the encryption has been implemented securely.
Using services that fail to meet these two prerequisites is tantamount to entirely delegating the protection of your exchanges to commercial players whose economic interests often depend on exploiting them.
Here's a summary table of the main existing messaging applications and their features, as it stands at the time of writing (May 2025):
| Application | E2EE 1:1 | E2EE groups | Anonymous registration | Client open-source license | Server open-source license | Decentralized server | Creation year |
|---|---|---|---|---|---|---|---|
|  | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | 2009 |
|  | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | 2011 |
| Facebook Messenger | ✅ | 🟡 (optional) | ❌ | ❌ | ❌ | ❌ | 2011 |
| Telegram | 🟡 (optional) | ❌ | 🟡 | ✅ | ❌ | ❌ | 2013 |
| LINE | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | 2011 |
| Signal | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | 2014 |
| Threema | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | 2012 |
| Element (Matrix) | ✅ | ✅ | ✅ | ✅ | ✅ | 🟡 (federated) | 2016 |
| Delta Chat | ✅ | ✅ | ✅ | ✅ | N/A | 🟡 (via email) | 2017 |
| Conversations (XMPP) | ✅ | ✅ | ✅ | ✅ | ✅ | 🟡 (federated) | 2014 |
| Session | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 2020 |
| SimpleX | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 2021 |
| Olvid | ✅ | ✅ | ✅ | ✅ | ❌ | 🟡 (no directory) | 2019 |
| Keet | ✅ | ✅ | ✅ | ❌ | N/A | ✅ | 2022 |
| Jami | ✅ | ✅ | ✅ | ✅ | N/A | ✅ | 2005 |
| Briar | ✅ | ✅ | ✅ | ✅ | N/A | ✅ | 2018 |
| Tox | ✅ | ✅ | ✅ | ✅ | N/A | ✅ | 2013 |
E2EE = End-to-end encryption
The security of your electronic communications depends above all on choosing the right application and adopting best practices. Understanding the underlying security mechanisms, identifying the flaws in conventional solutions and choosing reliable alternatives are the essential foundations for communicating without being overheard.
So far, we've explored how to secure your smartphone and how to select a reliable messaging app. In the next chapter, I propose to extend this study to all the major families of mobile applications, in order to find privacy-friendly alternatives to your favorite apps. Whether it is email, file storage, mapping, video or music streaming, what open-source applications are available to you?