Quantum security in popular messaging apps

Quantum computing has significantly elevated the threat of hacking, highlighting the critical importance of implementing quantum-level security measures in application algorithms. Surfshark has assessed 12 widely used messaging apps to determine their quantum security status, identifying those capable of withstanding quantum hacking attempts. This assessment is based on known quantum threats, and the emergence of new threats remains a possibility. Consequently, apps deemed quantum-secure today may need to adjust their defenses in the future. Nonetheless, those currently recognized as quantum-secure are demonstrating proactive measures, while those relying on traditional encryption or lacking encryption altogether are falling behind.

Key insights

• Only two messaging applications are currently prepared for the quantum computing era: Signal and iMessage. Signal's recently announced Post-Quantum Extended Diffie-Hellman (PQXDH) encryption protocol¹ may not be as advanced as Apple's PQ3², but it is nonetheless equipped to defend against the present quantum computing threats.
• Half of the most popular analyzed applications provide End-to-End (E2E) encryption by default, which protects against conventional threats. However, classical cryptography is not secure against quantum computing threats. Notably, even though Skype encrypts messages, when a Skype call is made to a mobile or landline phone, the segment of the call transmitted via the Public Switched Telephone Network (PSTN) is not encrypted by Skype.
• Are big tech companies lagging behind? Facebook only introduced default encryption of messages a few months ago³ – seemingly a delayed reaction, especially since Apple has recently introduced its quantum-secure messaging encryption protocols². Another major player, Google, has had encrypted messages in its pre-installed Android messenger (Google Messages) by default for about half a year⁴, slightly earlier than Facebook Messenger. Nevertheless, both of these tech giants' messaging applications significantly trail behind Apple in terms of security.
• Some messaging applications are not only vulnerable to quantum threats but also fail to provide default protection against current dangers. Telegram, WeChat, and QQ do not have encryption enabled as the standard setting. Snapchat encrypts images but not text messages. The absence of E2E encryption leaves a conversation vulnerable to interception by hackers, governments, or private entities. And the results of such interception can be dire — even a seemingly innocent joke shared in a private conversation can result in arrest⁵.
• Messaging apps developed in authoritarian countries often lack straightforward default encryption. WeChat and QQ (both lacking encryption) originate from China, while Telegram (also without default encryption) was founded by brothers with Russian origins and is headquartered in the United Arab Emirates. The same brothers also founded the widely-used platform VK, which was later acquired by the Russian state⁶.
• At least one in six people worldwide could be subject to surveillance through unencrypted messaging. WeChat boasts over 1.3 billion users, with around half a billion residing outside China⁷. Telegram recently reached 900 million users⁸. To be on the safe side, we’ve assumed that all Telegram users use WeChat as well, which most likely is not true and would mean that even more people are vulnerable to unencrypted message peaking.

Methodology and sources

We analyzed ten popular messaging apps chosen from the AppMagic platform⁹ with the highest number of downloads in 2023. In addition, we examined the pre-installed messaging apps from Apple and Google, as Android and iOS are the two most popular smartphone operating systems¹⁰. The country of origin for each app was obtained from the AppMagic platform, while the encryption levels for each app were compiled from various articles listed in the research materials spreadsheet linked below.

References: