“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

Ever since National Security Agency whistleblower Edward Snowden uttered that quotable truism in 2013, companies have raced to compete in a new marketplace of privacy-conscious consumers. Practically every month, yet another privacy app is pitched to tech journalists, promising to protect users’ communications with strong encryption and revolutionary ease of use.

That’s a big change from the pre-Snowden days. Encryption is now more accessible than ever before, and it’s ultimately a good thing for the public that companies are competing on privacy and security. But not all privacy apps are created equal. The truth is that cryptography is hard, and consumers should be wary of startups offering magic solutions to some of its oldest and most intractable problems.

Over the past few weeks, security experts have been calling shenanigans on some of the most egregious claims made by this new batch of encryption apps. The latest is Zendo, a messaging app profiled breathlesslyby TechCrunch last week, which claims to use an old, uncrackable encryption method known as one time pads. On paper, it works like this: Every time a message is sent, the sender and receiver use a large key of random numbers they’ve previously shared (traditionally on a pad of paper) to obfuscate the message in transit. After the recipient decrypts the message, the key is destroyed, making it impossible for eavesdroppers to break the code.

Zendo’s creators describe one time pads as “the unicorns of cryptography,” but just like in folklore, people who claim they’ve befriended crypto unicorns tend to be met with skepticism. As cryptographer Joseph Bonneau explains on his blog, making uncrackable one time pads requires that you generate a ton of purely random data — an impossible task for the processor on your iPhone or Android; for Zendo to send messages quickly, it has to generate numbers pseudo-randomly — i.e., less securely — using math functions that can be cracked and are therefore not suitable for one time pads. More important, like many mass-market apps such as Apple’s iMessage, Zendo is not open source, meaning there’s no way for experts to verify how secure it really is.

That opacity is a red flag for many security experts, and it should alarm consumers too. Companies have financial incentives to protect intellectual property, but obscuring the innards of their apps can have dire consequences for users’ security. On the other hand, keeping code open can give an advantage to attackers if there aren’t enough people hunting down bugs.

Even when an app’s code is publicly available, hype can sometimes drown out security concerns. A recent profile of Pavel Durov, a former CEO of the Russian social network VKontakte, describes his popular messaging app Telegram as a revolutionary product that eschews commercial incentives and uses "hard-core encryption" to fight government surveillance.

“Secure messaging should be free for everyone. Displaying ads alongside your private communication seems out of place, even immoral,” he told Wired UK, mentioning “end-to-end encryption, self-destructing messages and self-destructing user accounts” as some of his app’s main features.