Is your messaging app private and secure?

It’s hard to imagine a life without being able to send a message to a friend, family member, or coworker at a moment's notice. However, while we send hundreds of messages every day, most of us never think about who else might be reading them. We trust that our private chats stay private, but is that trust justified?

Surfshark's study takes a close look at the most popular messaging apps to see how well each one actually protects your privacy and keeps your data secure. By examining encryption, data collection and usage, tracking practices, and AI features, this research identifies which apps prioritize your privacy and which fall short. The results may change how you think about the apps you use every day.

Key insights

• End-to-end encryption is provided by 9 out of the 10 most popular messaging apps. Signal and iMessage both offer quantum-secure cryptography, providing an even higher level of security.¹ However, for Apple's Messages app, end-to-end encryption is only effective between Apple devices. When messages are sent to Android devices, they are converted to SMS/MMS — which aren't end-to-end encrypted — meaning they're vulnerable to third parties potentially intercepting and reading them during transmission.² Notably, Discord is the only messaging app among those analyzed that does not provide end-to-end encryption for text-based messages.
• However, 90% of the analyzed messaging apps offer AI features, which could potentially increase privacy risks. Researchers from New York University and Cornell University have noted that “AI features are being developed at a rapid pace, raising significant security risks for users of E2EE applications”.³ For example, AI might be used to summarize private conversations or translate personal messages. While these features may offer benefits, they also raise concerns about granting access to information that should be private and visible only to the sender and receiver. Additionally, users can integrate AI assistants into ongoing conversations with others or even engage with AI as a friend. However, it's crucial to understand that users aren't just sharing information with a virtual friend — they're actually providing data to the company that owns the app or the AI service.
• On average, the analyzed messaging apps collect 17 out of the 35 data types listed in the Apple App Store. Exceeding this average are four apps: Meta Platforms’ Messenger (32), LINE (26), WeChat (22), and Rakuten Viber Messenger (18). The data collected may be exploited for purposes beyond app functionality. When considering the number of data types linked to users that can be exploited for advertising, product personalization, analytics, or other purposes, Meta Platforms’ Messenger (30) and LINE (21) are at the forefront. In contrast, Signal and Telegram Messenger assert that their data collection is strictly for app functionality, such as user authentication, feature enablement, fraud prevention, security measures, server uptime, minimizing app crashes, enhancing scalability and performance, and customer support.
• Considering all analyzed factors, Signal ranks at the top for its commitment to minimizing user privacy risks, with a score of 0.99. As one of the most downloaded messaging apps in 2025, it stands out by collecting minimal data — just phone numbers, which are used solely for app functionality, as noted in the Apple App Store. Furthermore, Signal completely avoids user tracking. By employing quantum-secure cryptography to protect communications and avoiding AI features that could potentially compromise privacy if misused, Signal ensures that users’ conversations remain as private and secure as possible. Despite its robust privacy measures, the FBI and CISA recently warned about phishing campaigns targeting commercial messaging apps, specifically Signal.⁴ Once an account is compromised, attackers can access messages, contact lists, and launch further phishing attacks. This highlights that technology alone isn't enough; users remain the weakest link.
• LINE ranks at the bottom with the lowest score, followed by Discord, Rakuten Viber Messenger, and Meta Platforms’ Messenger — all of which fall below the average score of 0.52 for the analyzed apps. According to information in the Apple App Store, LINE, Discord, and Rakuten Viber Messenger are the only apps that may collect data for user tracking. Meanwhile, Meta Platforms’ Messenger is notable for declaring that it may collect an extensive range of data types — 32 out of 35 listed in the Apple App Store — and use most of them for purposes beyond app functionality.

Methodology and sources

For this study, 10 iOS messaging apps were examined: the pre-installed Apple Messages App — which is likely used by most Apple device owners due to its default presence — and the top nine most downloaded apps in 2025, according to data provided by AppMagic.⁵ MAX was excluded from the analysis because it is not available in the US Apple App Store, which is used to review app privacy practices. The selection criteria from AppMagic included the category (Social Networking), tag (Messenger), geography (Worldwide), store (iPhone App Store), and year (2025).

To evaluate the privacy practices of these apps, five criteria were selected. First, we examined the type of encryption employed, whether quantum-secure or not. This indicator delves into encryption, prioritizing whether cryptography is quantum-secure rather than just checking for end-to-end encryption. The default layer isn't enough, as quantum threats could potentially break through other encryption methods. That's why only those with quantum-secure levels of security earn the highest score.

Second, we looked at the number of data types the app may collect. This indicator assesses the data collection practices of analyzed apps, scoring them based on how many of the 35 data types listed in the Apple App Store they may collect. Collecting more data types increases privacy risks, for example, in the case of a data breach, which is why a higher number of collected data types leads to a lower score.

However, the total score for the app also includes two additional indicators: one for data collected for tracking purposes and another for data collected that is not related to app functionality. This approach provides a balanced view of data collection practices by not focusing solely on the number of data types collected, acknowledging that some are essential to the app's functionality. And fifth, we evaluated whether the app integrates AI features.

These factors illustrate each app's privacy-related activities and contribute equally to the final score. The scores of each analyzed app were then categorized into five levels, ranging from high to low, to indicate their commitment to user privacy and security.

Data was collected from:

References: