Most of the world’s leading banking, shopping, messaging and social media apps have not yet introduced security designed to withstand future quantum-computer attacks, according to a new analysis.
The study found that only 8% of the 40 popular apps examined currently use post-quantum cryptography. That means fewer than one in every 12 apps studied has publicly confirmed that quantum-resistant protection is already operating within its service.
Researchers warn that the slow transition could eventually place private messages, financial information, login credentials and other sensitive data at risk as quantum computers become more powerful.
Most Popular Apps Are Not Quantum-Ready
The study, published by cybersecurity company Surfshark, examined 40 widely used applications across four major categories. These included 11 messaging apps, 10 banking apps, 10 shopping apps and nine social media platforms.
Only three of the 40 apps were identified as already using post-quantum cryptography. Another 30% were classified as researching the technology or publicly preparing plans for future adoption.
The remaining 63% had no publicly available information showing that their developers had introduced post-quantum protection or announced plans to do so. The complete findings are available in Surfshark’s quantum-readiness analysis of popular apps.
The research was based on publicly available company announcements and media reports. Therefore, an app placed in the “not quantum-resistant” category may have conducted private research that has not been publicly disclosed. The results still show that confirmed, consumer-facing adoption remains extremely limited.
Why Quantum Computers Could Threaten Today’s Encryption
Current online security depends heavily on mathematical problems that are extremely difficult for conventional computers to solve. These systems protect internet traffic, account logins, financial transactions, private communications and digital signatures.
A sufficiently powerful quantum computer could process certain mathematical problems far more efficiently. This could weaken widely used public-key systems, including RSA and elliptic-curve cryptography, that currently protect many online services.
Post-quantum cryptography replaces these vulnerable methods with algorithms based on mathematical problems that are believed to resist both traditional and quantum-computer attacks.
The US National Institute of Standards and Technology finalized its first three major post-quantum cryptography standards in August 2024. NIST encouraged system administrators and technology companies to begin integrating the standards immediately because a complete migration may take years.
Messaging Apps Are Leading the Transition
Messaging services showed the highest level of confirmed adoption among the categories examined.
Approximately 18% of the messaging apps in the study had already introduced some form of post-quantum protection. Signal and Apple’s iMessage were identified as two services that had implemented quantum-resistant features.
Signal introduced its PQXDH protocol to strengthen the initial process used to establish encrypted conversations. Apple later introduced PQ3 for iMessage, combining traditional encryption with post-quantum protection.
A separate Surfshark explanation of how post-quantum encryption protects online privacy states that Signal and iMessage were the only two apps among 12 major messaging platforms previously examined that had introduced these protections.
However, quantum-resistant messaging does not necessarily mean that every part of an app’s infrastructure is protected. An app may secure message exchanges while still relying on traditional cryptography for account authentication, cloud storage, backups or other services.
TikTok Was the Only Social Platform With Confirmed Protection
TikTok was identified as the only social media app in the study already using quantum-resistant cryptography.
The parent companies behind Facebook, Instagram, Threads, YouTube and LinkedIn had publicly discussed or developed plans involving post-quantum security. However, the study did not classify those individual apps as already quantum-resistant.
The report also said it found no specific public plans from X, Reddit or Quora concerning the implementation of post-quantum cryptography.
This does not necessarily mean that quantum hackers could immediately access these platforms. Large-scale quantum computers capable of defeating today’s strongest encryption are not currently known to exist. The concern involves how well these services are preparing for a future security environment.
Banking Apps Showed No Confirmed Adoption
None of the 10 popular banking apps examined had publicly confirmed that post-quantum cryptography was already operating in the app.
Only 20% of the banking-app providers were identified as researching or planning quantum-resistant security. The other 80% had no public information showing meaningful preparation.
The study highlighted JPMorgan Chase and Wells Fargo as examples of financial institutions researching the issue. JPMorgan Chase has worked on a quantum-secured network demonstration, while Wells Fargo has discussed plans to prepare its security systems for quantum computing.
Banks manage information that can remain sensitive for years, including identity records, transaction histories and customer communications. This makes early preparation particularly important, even when a practical encryption-breaking quantum computer may still be years away.
Shopping Apps Are Also Falling Behind
The study found no confirmed post-quantum cryptography implementation among the 10 shopping apps examined.
Only two of the shopping-app providers had publicly discussed research or preparation. Amazon was described as the most proactive company in this category because Amazon Web Services has published a detailed post-quantum migration plan.
Walmart had also acknowledged the potential threat, although the researchers found less detailed public information concerning its plans.
Shopping platforms may hold payment information, home addresses, purchase histories, phone numbers and saved account credentials. Even when payment data is handled by a separate processor, compromised customer records could still support identity theft, phishing or targeted fraud.
Criminals Could Steal Encrypted Data Today
One reason experts are encouraging early adoption is the threat known as “harvest now, decrypt later.”
Under this strategy, attackers steal or intercept encrypted information even though they cannot currently read it. They then store that data until more powerful computers or new decryption techniques become available.
Information that loses its value quickly may not create a major long-term risk. However, medical information, government records, trade secrets, personal communications and identity data may remain sensitive for decades.
Surfshark’s post-quantum encryption guidance explains that this possibility is one reason organizations should begin upgrading before quantum computers are capable of breaking existing systems.
Consumers Cannot Fix the Problem Alone
There is no phone setting that can transform an ordinary app into a fully quantum-resistant service. The app developer, cloud provider and infrastructure operators must update their security systems.
Consumers can still reduce their exposure by keeping apps and operating systems updated, using unique passwords and enabling multi-factor authentication. Choosing encrypted messaging services that have introduced post-quantum features may also provide stronger protection for communications intended to remain private for many years.
Users should remember that quantum-resistant encryption does not protect against every threat. Phishing, malware, weak passwords, stolen devices and compromised cloud backups can still expose information without breaking encryption.
The Transition Has Already Started, but Progress Is Slow
The study does not show that 92% of popular apps are currently unsafe to use. Traditional encryption remains effective against known attacks when it is implemented correctly.
Instead, the findings reveal a significant preparedness gap. Only 8% of the apps examined have publicly confirmed that they are already using post-quantum cryptography, while nearly two-thirds have disclosed no clear adoption plans.
Technology companies may have years to complete the transition, but replacing encryption across large apps, servers, databases and communication systems is a complicated process. Waiting until a powerful quantum computer arrives could leave organizations without enough time to protect data that has already been collected.