Access Now Digital Security Helpline

Tips – Secure IM Apps

Last updated: November 2019

Please consider this date when evaluating the accuracy and security of the following guide.

This is a series of tips to use your IM apps as securely as possible.

WhatsApp

These settings are a reasonable middle ground for reducing the amount of data that the app creates locally, and minimizing what is exposed as clear text on iCloud/Google Drive.

  1. Go to: Settings -> Account -> Privacy

    Tweak the following settings:

    • Last Seen: My Contacts

    • Profile Photo: My Contacts

    • Status: My Contacts

    • Read Receipts: OFF

  2. Go to: Settings -> Account -> Security

    Tweak the following settings:

    • Show Security Notifications: ON
  3. Go to: Settings -> Chats

    Tweak the following settings:

    • Save Incoming Media: OFF

    • Chat Backup -> Auto Backup: OFF

  4. Go to: Settings -> Notifications

    Tweak the following settings:

    • Show Preview: OFF (unfortunately, this still displays the sender’s name)
  5. Disappearing messages (Beta version - it might not work on some devices yet and is only active on group chats):

    • Go to the group in WhatsApp where you want to set disappearing messages, then tap the subject of the group.

      Alternatively, tap and hold the group in the CHATS tab. Then tap Menu -> Group info.

    • Tap Group settings -> Disappearing Messages

    • Select one of the available time choices. At the moment the choices are limited: 5 seconds or one hour.

Telegram

  1. Enable 2-factor authentication:

  2. Use username and share it instead of the phone number.

    • Username can be changed. Phone numbers can’t.
    • However any usernames are searchable and anyone can send you a messages via t.me/username.
  3. Telegram provides groups and user-to-user chat.

    • User-to-user chat is not end-to-end encrypted by default. To encrypt it, you need to enable a feature called Secret Chats:

      • More information: https://telegram.org/faq#secret-chats
      • The Secret Chats feature encrypts communication between two users.
      • The admins of Telegram can’t read it.
      • If you delete a message, the copy on the other side will be deleted too.
      • You can set a timer after which a message will be deleted.
      • These two features are useful in case the device is seized or stolen.
      • You can enable notifications to learn if the other side takes screenshots. But this is not available on all platforms (especially Android).
      • Secret Chat can be started as follows:
        • iOS: Start a new message (tap the icon in the top-right corner in Messages). Then tap “New secret chat”.
        • Android: Swipe right to open the menu, then ‘New secret chat’.
  4. If you are managing a Group on Telegram:

    • Groups are not end-to-end encrypted. Encryption for groups is only client to server.
    • Groups can be made public
    • Group Permissions: It is useful to restrict all members from posting specific kinds of content if inappropriate.
    • The administrator can delete inappropriate content.

For more information on the basics of Telegram, you can read this post by Daniel Weibel: https://medium.com/@weibeld/telegram-basics-7c566d6d35c1#add7.

Facebook Messenger

Facebook Messenger can also be used for end-to-end encrypted communications, but this feature is not the default. Secret messages can be used for sending messages, pictures, stickers, videos, and voice messages. This feature cannot be used for group messages and voice or video calls.

To start a so called Secret Conversation:

  1. Tap the button to write a message in the top right of the app.
  2. Tap “Secret” in the top right.
  3. Select who you want to message.
  4. If you want, tap the timer icon in the text box and set a timer to make the messages disappear.

Secret conversations are currently only available in the Messenger app on iOS and Android, so they won’t appear on Facebook chat or messenger.com.

More information on secret conversations: https://www.facebook.com/help/messenger-app/1084673321594605/

Signal

Wire

Wire can be registered with a phone number or an email address. Instructions for registering a Wire account with an email address can be found here: https://support.wire.com/hc/en-us/articles/360000165369-How-can-I-register-with-an-email-

Features: