How secure is your favorite messaging app? In all probability, not very. According to the Electronic Frontier Foundation, only six applications were able to pass its security test. That's out of a total of 39 services (including those from Apple, Google, Facebook, BlackBerry, Microsoft, and Yahoo) that EFF examined.

EFF looked at seven issues:

  • Is data encrypted in transit?
  • Is it encrypted so the provider can't read it?
  • Can the service verify contacts' identities?
  • Are past communications secure if keys are stolen?
  • Is the code open to independent review?
  • Is security design properly documented?
  • Has the code been audited?

Each of the 39 apps tested encrypted content in transit, but only six satisfied all of the EFF's requirements on its Secure Messaging Scorecard. Those apps were ChatSecure + Orbot, Cryptocat, RedPhone, Silent Phone, Silent Text and TextSecure.

Apple actually fared well, hitting five out of the seven requirements. It lost points for not verifying contacts' identities or opening its code to independent review.

Most other popular services (WhatsApp, Snapchat, Skype, Google Hangouts, Facebook chat) checked off only two boxes -- usually encryption in transit and a code audit. AIM satisfied only the encryption-in-transit requirement.

"In the face of widespread Internet surveillance, we need a secure and practical means of talking to each other from our phones and computers," the EFF's report said. "Many companies offer 'secure messaging' products -- but are these systems actually secure?"

Will Anyone Notice?

We reached out to Rick Holland, principal security and risk management analyst for Forrester, about the study's significance. Holland suggested the results will be of greater interest to industry insiders and observers than to the man or woman on the street.

"Unfortunately, consumers have a short memory," he told us. "I think this will have a minimal impact to non-techie/tinfoil-hat consumers. Tech-savvy individuals will certainly change their behavior based on the performance."

The report is part of a campaign that EFF ran with Julia Angwin at ProPublica and Joseph Bonneau from the Princeton Center for IT Policy. The idea is to promote technologies that are both secure and easy to use.

"Our campaign is focused on communication technologies -- including chat clients, text messaging apps, e-mail applications, and video calling technologies," EFF said. "These are the tools everyday users need to communicate with friends, family members, and colleagues, and we need secure solutions for them."

Making Inroads

At least one tech giant is visibly stepping up its security game. Google's Android Security Team recently offered the nogotofail tool, which lets users confirm that devices or apps are safe against known TLS/SSL vulnerabilities.

Forrester's Holland cautioned users to do their homework so that they are using genuinely secure services rather than those that are heavily promoted.

"Consumers should be aware that the marketing of privacy is very different than the reality of privacy," he said. "The mainstream media coverage of the iCloud celebrity hacking raised general consumer awareness around security and privacy of messaging apps."

More details are available online in the EFF's Secure Messaging Scorecard.