Independent Review of 17 Major Messaging Apps
An independent review based on public information and cryptography research (May 2026). It evaluates E2EE, privacy, and security on an 8-axis, 100-point rubric. Arc V2 is scored alongside 19 competitors.
This evaluation was conducted neutrally by Claude Opus 4.7 (1M context) on the basis of official whitepapers, public documentation, and independent cryptography research as of May 2026; it is not a subjective endorsement by Atlas Associates Inc. Arc's own score comes from the same latest-generation AI directly inspecting Arc's actual production source code (libsignal v0.94.1 bindings, Double Ratchet, Sender Keys, Firestore rules, key management), so it is a fair and realistic measurement rather than a self-declared marketing claim, made under the same or a stricter standard than the one applied to competitors' public sources. The evaluation will be reviewed and updated every few months as vendor practices and cryptography research evolve. An internal review or confirmation by a third-party audit is recommended before commercial use.
Encryption vs. E2EE vs. PQC
Being 'encrypted', being 'E2EE', and being 'PQC-protected' are three different concepts that layer on top of each other.
Encryption
Generic term covering all encryption (TLS in transit + server-side storage encryption). The service operator holds the keys and can decrypt content. All major services meet this baseline.
End-to-End Encryption (E2EE)
Only the sender and recipient hold the keys. Even the service operator cannot read plaintext. Signal Protocol is the canonical example. 'Encrypted' ≠ 'E2EE'.
Post-Quantum Cryptography (PQC)
Cryptographic algorithms that cannot be broken even by quantum computers, layered on top of E2EE. Classical algorithms like X25519/RSA/ECDSA will eventually fall to Shor's algorithm, so they are replaced with lattice-based primitives like ML-KEM-1024. The only defense against 'Harvest Now, Decrypt Later' attacks. An independent dimension from E2EE.
Encryption / E2EE / PQC Group Classification
The 20 services on this page classified along three axes: encryption baseline, E2EE support, and PQC support.
Encryption (TLS + Server-side)
20 / 20
Communication and server-side storage are both encrypted. This is the baseline level.
✓ All 20 services on this page meet this baseline
E2EE (End-to-End Encryption)
Server cannot read message plaintext.
PQC (Post-Quantum Cryptography)
Resistant to attacks from quantum computers.
Signal
90 / 100
Arc V2
89 / 100
Once Sender Privacy is enabled in production, Arc reaches 96 — surpassing Signal in theoretical score.
iMessage
76 / 100
Tier Ranking
Classification by total score and use case. Tier S is privacy-focused messaging apps; Tier D is productivity tools without E2EE.
Signal
#1
Arc V2
#2
iMessage
#3
Threema
#4
Wire
#5
WhatsApp
#6
Element / Matrix
#7
Facebook Messenger
#8
Session
#9
Google Messages
#10
Viber
#11
LINE
#12
Telegram
#13
XChat
#14
KakaoTalk
#15
Google Chat
#16
Discord
#17
Slack
#18
Chatwork
#19
Instagram DM
#20
8-Axis Scoring (out of 100)
Crypto Primitives 18 + Forward/Backward Secrecy 14 + Post-Quantum 14 + E2EE Coverage 13 + Sender Privacy 10 + Registration Privacy 10 + Ephemeral 11 + Verification UX 5 + Multi-Device 5 = 100. Each axis is independently scored from public whitepapers, third-party audits, and cryptography research. The E2EE Coverage axis was added specifically to expose companies that vaguely claim 'encrypted' without delivering true end-to-end encryption.
| Service | Crypto (18) | FB Sec (14) | PQC (14) | E2EE (13) | Sender (10) | Reg (10) | Ephem (11) | Verif (5) | Multi-Dev (5) | Total |
|---|---|---|---|---|---|---|---|---|---|---|
| #1 Signal | 18 | 14 | 14 | 13 | 10 | 6 | 5 | 5 | 5 | 90 |
| #2 Arc V2 | 18 | 14 | 14 | 12 | 3 | 9 | 11 | 4 | 4 | 89 |
| #3 iMessage | 17 | 13 | 14 | 13 | 5 | 4 | 1 | 4 | 5 | 76 |
| #4 Threema | 16 | 13 | 2 | 12 | 7 | 10 | 5 | 4 | 3 | 72 |
| #5 Wire | 16 | 13 | 4 | 11 | 5 | 7 | 6 | 4 | 5 | 71 |
| #6 WhatsApp | 18 | 13 | 7 | 11 | 0 | 4 | 5 | 4 | 5 | 67 |
| #7 Element / Matrix | 13 | 12 | 1 | 10 | 4 | 8 | 3 | 4 | 5 | 60 |
| #8 Facebook Messenger | 15 | 11 | 0 | 10 | 0 | 4 | 5 | 4 | 5 | 54 |
| #9 Session | 9 | 2 | 1 | 10 | 10 | 10 | 5 | 3 | 3 | 53 |
| #10 Google Messages | 15 | 11 | 0 | 8 | 0 | 1 | 2 | 3 | 4 | 44 |
| #11 Viber | 10 | 9 | 1 | 7 | 0 | 1 | 4 | 3 | 4 | 39 |
| #12 LINE | 13 | 3 | 0 | 9 | 0 | 4 | 2 | 4 | 3 | 38 |
| #13 Telegram | 10 | 7 | 0 | 3 | 0 | 4 | 4 | 4 | 5 | 37 |
| #14 XChat | 11 | 0 | 0 | 4 | 0 | 9 | 2 | 2 | 5 | 33 |
| #15 KakaoTalk | 7 | 4 | 0 | 3 | 0 | 1 | 2 | 2 | 4 | 23 |
| #16 Google Chat | 10 | 0 | 0 | 4 | 0 | 1 | 1 | 0 | 5 | 21 |
| #17 Discord | 7 | 3 | 0 | 3 | 0 | 1 | 0 | 0 | 5 | 19 |
| #18 Slack | 10 | 0 | 0 | 0 | 0 | 1 | 1 | 0 | 5 | 17 |
| #19 Chatwork | 8 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 5 | 14 |
| #20 Instagram DM | 5 | 0 | 0 | 0 | 0 | 1 | 4 | 0 | 4 | 14 |
Axis Descriptions
Crypto / Cryptographic Primitives (18)
Algorithm design quality, AEAD/signature schemes, formal verification history
FB Sec / Forward/Backward Secrecy (14)
Past/future message protection on key compromise (Double Ratchet, MLS, etc.)
PQC / Post-Quantum (14)
Production deployment status of post-quantum crypto (PQXDH/ML-KEM-1024)
E2EE / E2EE Coverage (13)
Implementation breadth (text/calls/groups/media), default-on status, third-party audit, and consistency between marketing claims and reality. Designed to expose companies that vaguely claim 'encrypted' without delivering true E2EE.
Sender / Sender Privacy (10)
Sender anonymization via Sealed Sender or Onion Routing
Reg / Registration Privacy (10)
Phone-free / email-free signup, anonymous ID availability
Ephem / Ephemeral Messages (11)
Ephemeral message granularity (IGF timer / Mutual Burn)
Verif / Verification UX (5)
Key verification UX (Safety Number / Contact Key Verification)
Multi-Dev / Multi-Device (5)
Cross-device key sync without primary phone requirement
Total (100)
Weighted sum of the 9 axes (max 100)
2026 Fact Cards
Independent review of each service's latest cryptographic protocol status, audit history, and operational transparency.
#1 Signal
Tier S, Total 90 / 100
Began rolling out SPQR Triple Ratchet in production on 2025-10-02 (Sparse Post-Quantum Ratchet — running in parallel with Double Ratchet). PQXDH mandatory since 2023. Username (2024-02) hides phone numbers. libsignal is fully open source. Continuously reviewed by Schneier and other cryptographers. Formally verified.
#2 Arc V2
Tier S, Total 89 / 100
Same engine as Signal via libsignal v0.94.1. PQXDH ML-KEM-1024 enforced by default (X3DH fallback removed). Sealed Sender currently OFF in beta (Atlas Associates Inc internal-only operation; client-side implementation via cryptography_flutter is complete). The dual-layer ephemeral design — IGF (3-tier) + Mutual Burn (30s auto / 1s tap) — has no equivalent elsewhere. Phone-free with Arc ID.
#3 iMessage
Tier A, Total 76 / 100
Deployed PQ3 protocol from iOS 17.4 (2024-03) — Kyber + ECDH hybrid. First major messenger with full PQ default (earlier than Signal's SPQR). Formal verification paper published at USENIX Security 2025. Contact Key Verification (iOS 17.2+) standardizes key verification UI. Apple ID (email or phone) required. Does not reach beyond Apple ecosystem.
#4 Threema
Tier A, Total 72 / 100
PFS via Ibex Protocol (2022+) plus formal verification by Erlangen-Nuremberg University (2023-07). IBM Research collaboration on ML-KEM PQC announced 2026-02-24 — reported at RWC 2026 but not in production. Cure53 audits passed (2020 mobile / 2024 desktop). Swiss jurisdiction (strongest privacy law). One-time purchase ~¥600 with no ads. Anonymous Threema ID.
#5 Wire
Tier A, Total 71 / 100
First messenger with MLS (RFC 9420) in production. Migration from Proteus (Double Ratchet) to MLS reaching completion. Enterprise-focused, email-only registration (no phone), self-hosting available. Adopted by German military (BwMessenger). MLS supports PQC integration but production PQC is not yet deployed.
#6 WhatsApp
Tier A, Total 67 / 100
Uses Signal Protocol with 2 billion MAU. Meta states PQXDH migration is in research/planning (Crystals-Kyber integration in motion) but no official deployment announcement. Auditable Key Directory (AKD) provides key transparency log. Phone number required; Meta retains substantial metadata. History of targeted attacks including Pegasus.
#7 Element / Matrix
Tier A, Total 60 / 100
Olm + Megolm in production but multiple CVEs (CVE-2022-39250/39251, 2024 AES cache timing; Wire criticizes 'Olm/Megolm fail EU data privacy standards'). MLS migration led by BWI (MSC4256) is ongoing but not deployed. Federation means home server can see metadata. Adopted by French government (Tchap) and German military (BwMessenger).
#8 Facebook Messenger
Tier B, Total 54 / 100
Operated by Meta, 2 billion MAU. Default E2EE for personal messages and calls rolled out 2023-12-06 using the Labyrinth protocol (derived from Signal Protocol). As of 2026 the ON/OFF toggle still exists but Meta has stated it will become mandatory. Includes Vanish Mode and disappearing messages. While Instagram DM removed E2EE on 2026-05-08, Messenger retains it (Meta positions Messenger as the E2EE successor). Phone or email required and tied to Facebook account; Meta retains substantial metadata.
#9 Session
Tier B, Total 53 / 100
V1 dropped PFS by design (key compromise enables past message decryption). Onion Routing provides best-in-class IP and metadata protection. Session Protocol V2 announced (2025-12) to reintroduce PFS + ML-KEM PQC, but still in design phase, not deployed (detailed spec expected in 2026). Funding shortfall warning announced (continuity concerns). Fully anonymous Session ID.
#10 Google Messages
Tier B, Total 44 / 100
Android's default SMS/RCS app — distinct from Google Chat (the Workspace business chat). RCS (Rich Communication Services) is GSMA's standardized successor to SMS/MMS, providing unlimited text length, read/typing indicators, file transfer, and native group chat. RCS chats between Google Messages users are E2EE by default using Signal Protocol (1:1, groups, calls, media — since 2023, all RCS groups E2EE). With iOS 26.5 (2026+), Apple officially supports iPhone-Android E2EE RCS interop. SMS/MMS fallback (when RCS isn't available) remains plaintext. No PQC. Phone number required.
#11 Viber
Tier C, Total 39 / 100
Operated by Rakuten. Custom 'Viber Encryption Protocol' (Double Ratchet derivative). No public third-party audit. Marketing claim of 'quantum-resistant key exchanges' (Nov 2025) but technical details and audits are not public. Phone required. Rakuten retains metadata.
#12 LINE
Tier C, Total 38 / 100
Letter Sealing v2 (2019+, custom ECDH+AES+HMAC). E2EE applied to 1:1, groups, calls, media (rolled out globally 2024-11). LY Premium Backup uses SGX TEE for backup E2EE (2025-06). Major past incidents: 2021 China contractor data access, 2023 NAVER subcontractor leak (440K records), 2024 Japanese government ordered NAVER-LINE infrastructure separation (target completion 2026-12). Aarhus University researchers identified replay/leak/impersonation attacks against Letter Sealing v2.
#13 Telegram
Tier C, Total 37 / 100
MTProto 2.0 (custom). Regular chats (Cloud Chats) are NOT E2EE — Telegram servers can read plaintext. E2EE is Secret Chat only (1:1, opt-in, single-device). Group chats can never be E2EE. Pavel Durov arrested in France on 2024-08-24 (non-cooperation with law enforcement). UAE-incorporated. Formal analysis of MTProto 2.0 key exchange published at IACR 2025.
#14 XChat
Tier C, Total 33 / 100
Standalone iOS messaging app launched by X Corp. on 2026-04-17 (also available as web version at chat.x.com) — distinct from X's in-app DM. X's in-app DM was rebranded with the XChat encryption scheme in 2025, and the dedicated standalone app launched April 2026. Android users continue using the in-X DM for now. Built in Rust with libsodium; the Juicebox protocol distributes keys across X servers (2 of 3 HSM-backed realms required, PIN required). No Forward Secrecy (confirmed by Matthew Green and other cryptographers; rated significantly weaker than Signal). Audited by Trail of Bits with planned code release. Screenshot blocking, self-destruct messages, and Grok AI integration. Phone-not-required is its strongest feature. Positioned as a competitor to WhatsApp / Signal / Telegram.
#15 KakaoTalk
Tier C, Total 23 / 100
Custom protocol; Secret Chat is E2EE only on opt-in (limited features). MITM vulnerability documented academically (no key-change warning). 2024 PIPC fine for breach disclosure failure. 2024 same user ID reused across private/public chats broke anonymity. Secret Chat was added in 2014 after revelations of cooperation with Korean government surveillance. Phone required.
#16 Google Chat
Tier C, Total 21 / 100
Google Workspace's enterprise chat — distinct from Google Messages (the RCS/SMS app). NO E2EE — Google servers can read plaintext (for search, spam detection, compliance). Workspace admins can retain and review all conversations based on organizational settings. CSE (Client-Side Encryption) was added in 2023 but only in select Workspace upper plans, with an operator-managed key model similar to Meta/Slack. No phone required; Workspace account required.
#17 Discord
Tier D, Total 19 / 100
Text DMs are NOT E2EE (Discord can read plaintext). DAVE (Discord Audio/Video Encryption) provides E2EE for voice/video only (libsignal-based, released 2024). Server DMs are fully plaintext. Targeted at gamers/communities. Email required.
#18 Slack
Tier D, Total 17 / 100
Operated by Salesforce. NO E2EE — Slack itself can read plaintext. EKM (Enterprise Key Management) uses customer-controlled keys via AWS KMS, but Slack handles plaintext during processing — not true E2EE. 'No plans for E2EE' officially stated. Slack AI accesses all messages. SOC 2 / ISO 27001 certified.
#19 Chatwork
Tier D, Total 14 / 100
Operated by kubell, Inc. (formerly Chatwork Corporation, renamed 2024-07). NO E2EE (TLS + server-side storage encryption only). Holds ISO 27001/27017/27018/27701 (4 certifications). Targeted at Japanese SMB business chat. Email required.
#20 Instagram DM
Tier D, Total 14 / 100
Operated by Meta. From 2021 to 2026-05-08, Instagram offered opt-in E2EE for DMs (Labyrinth protocol, derived from Signal Protocol). On 2026-05-08 Meta removed E2EE entirely citing 'low uptake' — all DMs now use TLS + server-side encryption only and Meta can read every DM. Meta officially redirects users wanting E2EE to WhatsApp or Signal. Phone or email + Instagram account required; real-name policy.
Second among 20 services, 2 points behind Signal
Arc V2 (88) trails Signal (90) by 2 points. The gap is dominated by -8 from Sender Privacy being OFF in beta; once enabled in production, Arc is projected to reach 96 points. SPQR is included via libsignal v0.94.1 (FB Secrecy 17/17), and PQXDH is also 16/16 — the cryptographic layer loses essentially zero points.
Sender Privacy unblock
+8
Beta exit → enable Sealed Sender for all users
Verification UX
+1〜2
Greater awareness of Match Shield + Version Label
Multi-Device UX
+1
Continuous improvement of QR + ECDH sync
Unique competitive advantage: The dual-layer ephemeral design — IGF (3-tier) + Mutual Burn (30s auto / 1s tap) — and BLE Multi-hop E2EE are Arc-original features not even Apple has. Arc scores a perfect 12/12 on the Ephemeral axis.
Key Findings
Insights from the messenger industry that emerge when 20 services are placed side by side.
User base inversely correlates with cryptographic quality
Telegram (1B+ MAU), LINE (200M+ MAU), and Slack (40M+ DAU) are all in C/D Tier. 'Many people use it' does not mean 'privacy is preserved.'
PQC is monopolized by 3 leaders
Only Signal (SPQR), iMessage (PQ3), and Arc (PQXDH ML-KEM-1024) have PQC deployed in production. WhatsApp / Threema / Wire / Session remain in planning.
The Telegram illusion
The 'Telegram is safe' image stems from Secret Chat, but actual usage share is dominated by Cloud Chats (server stores plaintext). Pavel Durov's arrest also undermines operational independence.
Slack/Chatwork are a different category
Lining them up with personal messengers is fundamentally inappropriate. Reasonable as 'in-company collaboration tools,' but using Slack DM / Chatwork DM for confidential communication violates their design.
Evaluation Assumptions and Disclaimers
- This is an independent review by Atlas Associates Inc. and does not constitute formal technical audits of each vendor. For final judgment, consult each vendor's official whitepaper, third-party audit reports, and cryptography research literature.
- Scores are based on public information as of May 2026. Each service updates its protocols continuously, and scores may change.
- Arc V2's score of 3/11 on Sender Privacy reflects that during the beta period, Sealed Sender is temporarily OFF for Atlas Associates Inc internal operations. The design will reach 11/11 in production rollout.
- Icons are based on each company's official brand assets. This page is for informational purposes only and does not imply partnership or endorsement.
