Instant messaging applications promise their users a secure and private way to communicate. The validity of these promises rests on the design of the underlying protocol, the cryptographic primitives used and the quality of the implementation. Though secure messaging designs exist in the literature, for various reasons developers of messaging applications often opt to design their own protocols, creating a gap between cryptography as understood by academic research and cryptography as implemented in practice. This thesis contributes to bridging this gap by approaching it from both sides: by looking for flaws in the protocols underlying real-world messaging applications, as well as by performing a rigorous analysis of their security guarantees in a provable security model.Secure messaging can provide a host of different, sometimes conflicting, security and privacy guarantees. It is thus important to judge applications based on the concrete security expectations of their users. This is particularly significant for higher-risk users such as activists or civil rights protesters. To position our work, we first studied the security practices of protesters in the context of the 2019 Anti-ELAB protests in Hong Kong using in-depth, semi-structured interviews with participants of these protests. We report how they organised on different chat platforms based on their perceived security, and how they developed tactics and strategies to enable pseudonymity and detect compromise.Then, we analysed two messaging applications relevant in the protest context: Bridgefy and Telegram. Bridgefy is a mobile mesh messaging application, allowing users in relative proximity to communicate without the Internet. It was being promoted as a secure communication tool for use in areas experiencing large-scale protests. We showed that Bridgefy permitted its users to be tracked, offered no authenticity, no effective confidentiality protections and lacked resilience against adversarially crafted messages. We verified these vulnerabilities by demonstrating a series of practical attacks.Telegram is a messaging platform with over 500 million users, yet prior to this work its bespoke protocol, MTProto, had received little attention from the cryptographic community. We provided the first comprehensive study of the MTProto symmetric channel as implemented in cloud chats. We gave both positive and negative results. First, we found two attacks on the existing protocol, and two attacks on its implementation in official clients which exploit timing side channels and uncover a vulnerability in the key exchange protocol. Second, we proved that a fixed version of the symmetric MTProto protocol achieves security in a suitable bidirectional secure channel model, albeit under unstudied assumptions. Our model itself advances the state-of-the-art for secure channels
