Spaceship Blog

Is WhatsApp secure, and which messaging apps are most secure?

Writing that “security becomes more important every year” has become so obvious that it feels almost passé. Every governing body that measures cybercrime has stats that prove it increases year-on-year, and most of us likely feel this fact inherently as we watch the (sometimes) unnerving explosion of AI.

When we think of data that could be weaponised against us, we immediately think of our credit card details, medical records, and even addresses — but we seldom think of our chat history. And yet, open the chats with your closest friends, and I guarantee they will contain some, if not all, of those personal details.

Once you open Pandora’s box, you quickly wonder whether you’re putting your trust in the right apps. After all, there’s a reason fringe apps like Telegram proliferated in the early 2020s. But we’re getting ahead of ourselves. Let’s start by taking a closer look at the biggest fish, WhatsApp.

Who doesn’t love WhatsApp?

WhatsApp. The sheer scale of it is mind-boggling.

It’s the only app I can think of that tried — and succeeded — in replacing the text message as our go-to. Over time, there were a few contenders (BlackBerry’s BBM, anyone?), and some would argue that, even today, iMessage gives it a run for its money…

But show me someone with iMessage, and I’ll guarantee they also have WhatsApp installed. Because WhatsApp doesn’t discriminate by platform. Its universal nature is likely what saw WhatsApp capture the SMS market in a relatively short space of time. Indeed, ‘I’ll WhatsApp you’ is now almost as ubiquitous as ‘text’ was before it.

But, is it secure?

It depends on how you define “secure”. Privacy has many facets, especially when it involves something as nuanced as chats. Let’s break down a few of the key elements, and then circle back to the question.

WhatsApp’s encryption

WhatsApp boasts end-to-end encryption using the Signal Protocol. It makes sense to explore this first, as it might be their most talked-about security feature, then meander back to the main question.

WhatsApp has used the Signal Protocol since 2014 (and had it fully rolled out by 2016). Its collaboration with Signal (more on them later) was driven, even back in 2014, by a need for greater security in their app.

The fact WhatsApp chose a third-party protocol perhaps proves they were, at least in part, dedicated to doing better with security. Signal Protocol essentially means messages, data, and even video/voice calls are encrypted from the moment they leave your phone, and they can only be decrypted by the recipient’s phone.

Not even WhatsApp themselves have the decryption key. What’s more, they don’t store the messages (beyond the temporary storage of messages that can’t be delivered immediately). In a nutshell, your messages remain as unreadable blobs of ciphertext as far as WhatsApp is concerned.

But, as great as this sounds, as we’ve examined before, it comes with a few fairly major caveats. Firstly, if a user reports a message, it will be sent to WhatsApp’s moderators, along with several leading up to it (presumably for context). So, while they have to be invited in, WhatsApp can still see messages you might prefer to remain private.

Wait… I got a new phone, and my entire message history was there

This is perhaps the biggest flaw of all. If you use WhatsApp on Android or iPhone, you will be encouraged to back up your messages. But these backups may not be encrypted. If they aren’t, WhatsApp, or even Apple/Google, could access these records if subpoenaed by a court or government.

It’s easy enough to remedy:

  1. Head to your device’s WhatsApp settings.

  2. Go to Chats > Chat Backups

  3. Tap End-to-end Encrypted Backup

And if you can, make sure your friends do this as well — it only takes one unencrypted backup.

Advanced chat privacy

Earlier this year, WhatsApp began to roll out Advanced Chat Privacy. Described as being ‘for your most sensitive conversations’, it’s meant to ‘help prevent others from taking content outside of WhatsApp’ — whatever that means. It’s mainly targeted at larger group conversations (which makes sense), and prevents people from both exporting the conversation and auto-downloading attachments.

Having tested this feature myself, it appears to still allow for screenshots and the copying and pasting of messages, so I’m not entirely sure what it remedies. If you’re worried about group chats, disappearing messages might still be a safer (if slightly pedantic) option for extra peace of mind.

2021’s metadata crisis

As I mentioned in the opening, the early 2020s saw a mass exodus from WhatsApp to alternatives like Telegram. The exodus peaked in 2021, when WhatsApp changed its privacy policy.

The changes allowed WhatsApp to share its metadata with its parent company, Meta (AKA: Facebook). This change was met with much hostility, partly because of the way it was rolled out (a simple app notification, the gist of which was ‘Agree or leave’), and of course, the implications of the data sharing.

WhatsApp was believed to use this extra data to monetise its users further. It also allowed business users to store their conversations with customers with third parties, which many saw as slightly undoing its previous ironclad stance on encryption. The businesses could (theoretically) sell this data for ad targeting and analytics.

What is metadata?

In the case of WhatsApp, it’s essentially phone numbers, device info, IP addresses, contacts, and usage patterns. Individually, these might not seem that interesting, but together, they can paint some fairly detailed insights if crunched correctly.

Jamie, Male, 34

  • Spends time in Exeter, UK.

  • Interacts with Penhaligons Ltd frequently.

  • Has a significant proportion of friends in London.

  • Is usually active from 8AM to 10PM (is definitely not what it would say, but I can dream).

In this hypothetical, we quickly see how WhatsApp can use the odd tidbits from my metadata to build a mini-profile for me. Ignoring any data they can collect from Facebook and Instagram, they could already target me with ads:

  • When I’m most likely to be active.

  • That are related to fragrances or soaps.

  • That are local to Exeter.

  • That seed the idea of a visit to London, including travel, places to stay, and things to do.

And these are all very surface-level ideas. It isn’t hard to imagine them feeding me to a complex algorithm that rinses every last piece of monetary value out of what limited data they’ve collected from WhatsApp. And this is what many realised in 2021.
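To make the profile-building concrete, here is an added example (not from the article or from any messaging provider) that runs over a handful of constructed metadata-only records, of the kinds named above: who you talked to, when, and the rough location behind your IP address. It derives the same sort of inferences listed for "Jamie" without ever seeing a message body; the names, cities, timestamps and the record layout are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real data): the metadata kinds the article
# names, with no message content. Each row is
# (counterparty, counterparty_is_business, counterparty_home_city,
#  timestamp, city derived from the user's IP address).
RECORDS = [
    ("Penhaligons Ltd", True, "London", "2024-05-01T08:15:00", "Exeter"),
    ("Penhaligons Ltd", True, "London", "2024-05-01T12:40:00", "Exeter"),
    ("Alice", False, "London", "2024-05-01T19:05:00", "Exeter"),
    ("Bob", False, "London", "2024-05-02T09:30:00", "Exeter"),
    ("Penhaligons Ltd", True, "London", "2024-05-02T13:10:00", "Exeter"),
    ("Carol", False, "Exeter", "2024-05-02T21:45:00", "Exeter"),
    ("Alice", False, "London", "2024-05-03T08:50:00", "Exeter"),
    ("Dave", False, "Bristol", "2024-05-03T17:20:00", "Bristol"),
    ("Penhaligons Ltd", True, "London", "2024-05-04T10:05:00", "Exeter"),
    ("Bob", False, "London", "2024-05-04T21:30:00", "Exeter"),
]


def build_profile(records):
    """Derive a coarse behavioural profile from metadata-only records.

    Returns: where the user usually is, which counterparty they interact
    with most, the hour window they are active in, and what share of
    their (non-business) contacts live in each city.
    """
    locations = Counter(user_city for *_, user_city in records)
    counterparties = Counter(name for name, *_ in records)
    hours = [datetime.fromisoformat(ts).hour for _, _, _, ts, _ in records]

    # Count each friend once, so a chatty friend does not skew the city share.
    friend_cities = {name: city for name, biz, city, _, _ in records if not biz}
    city_counts = Counter(friend_cities.values())
    total_friends = max(len(friend_cities), 1)

    return {
        "usual_location": locations.most_common(1)[0][0],
        "most_contacted": counterparties.most_common(1)[0][0],
        "active_hours": (min(hours), max(hours)),
        "friend_city_share": {
            city: n / total_friends for city, n in city_counts.items()
        },
    }


if __name__ == "__main__":
    for key, value in build_profile(RECORDS).items():
        print(f"{key}: {value}")
```

Ten rows are enough to recover the location, the favourite shop, the active window and the London-heavy friend group; a real provider holds years of such rows.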

Other WhatsApp concerns

Payments and transactions

If you use WhatsApp to process payments, it’s possible those transactions are not end-to-end encrypted in the same way as they are for conversations.

This throws up a couple of issues. The payments themselves are not end-to-end encrypted, and are instead dealt with by third-party banks. While this in itself is not an issue per se, if your device is compromised by spyware or malware, Meta’s encryption won’t protect you. There are also concerns that the purchase metadata could be used by Meta to further bolster the personal profile we already mentioned.

Group data

While group data isn’t inherently an ‘issue’, there are fewer options on WhatsApp than on other platforms to hide your personal data. If participating in a large group chat where you’d rather your name, number, and photo weren’t viewable, this is a drawback of WhatsApp.

Government and law enforcement corruption

While many turned away from WhatsApp due to the metadata privacy concerns, for others, that’s only part of the story. For some, a more secure app is a necessity rather than a nicety, and choosing the right one could make a lot of difference.

Some governments are corrupt and may use nefarious means to obtain, or even just monitor, more data than they’re entitled to on their citizens. Of the 5 billion people with access to the Internet, 79% live in countries where individuals were arrested or imprisoned for posting content on political, social, or religious issues.

A recent article suggests even America’s FBI can get considerably more from WhatsApp and iMessage than Telegram and Signal. It’s an interesting piece, but take it with a pinch of salt as it’s heavily reliant on one source.

With this in mind, let’s take a look at some of the other apps, and why people with more to lose might choose them. A quick spoiler alert: all the messengers we’re about to mention (except Telegram) have end-to-end encryption by default. As the benchmark in message security, this is unsurprising, so we’ll take that as read and focus on the other features.

Theoretically, no messenger app is safer than another due to encryption alone. Most of this comes down to metadata, and how it is used. So what differentiates them is mainly how they handle metadata, and more accurately, it comes down to trust: whether users believe these companies would cooperate with corrupt law enforcement and hand over data they are under no obligation to provide.

Telegram

When we think of alternative apps, Telegram probably tops the list. Yet, this is an interesting case of perception vs reality. Because if you were paying attention above, you’ll have noticed that Telegram is actually the only one we’re about to look at that’s not end-to-end encrypted, relying instead on a client-server encryption method. This means that Telegram itself can decrypt your regular chats, unlike the other platforms.

Only Secret Chats on Telegram boast full encryption. So, why would it have gained a reputation for being more secure (even if the reality may not stack up)?

Much of it is about marketing. Telegram’s founders have often emphasised it’s not for profit, but this is not the same as non-profit, which is a crucial distinction.

It does, though, have more ‘granular’ controls concerning privacy that WhatsApp doesn’t. For example, you can hide your phone number, and choose who sees profile data — like your picture. There’s also an anonymous admin mode you can use to post without revealing your identity. So there are ways to make Telegram more secure, but it’s less automatic than you might expect from a name so synonymous with security.

Also, like WhatsApp, it is tied to a phone number. This means at a deeper level, your communications are traceable back to you. Which is bad if you really need to be incognito. This is something that will become less common as we move down the list.

Perhaps, beneath the security veneer, Telegram has succeeded more because of the communities it fosters, and the idea of being able to talk freely with like-minded people. But it still earns its place as an alternative to WhatsApp.

Signal

We’ve already mentioned Signal, as their end-to-end encryption protocol is what secures WhatsApp. It was once endorsed by Edward Snowden, which speaks volumes about its levels of security. As with WhatsApp, the encryption makes server-level access to messages impossible.

With Signal, you need a mobile number to sign up, but after this, you can opt for a username, which makes it more difficult to trace. Signal’s ethos around security is strong, and while it’s not impossible to trace messages back to you, it is designed to be challenging.

What they retain is also famously minimal. They know your number, the date you registered your account, when you last connected, and if you’re currently online. They keep no other metadata, and even encrypt the details of who you’re writing to using Sealed Sender. The server knows where to deliver it, but not who sent it.

One slight drawback is that Signal can be more easily blocked by countries and jurisdictions due to how it functions behind the scenes. For example, it faced blocks in some countries, including Iran and Egypt.

This is for two reasons. First, Signal relies on centralised servers for message delivery and registration, which means governments can identify and block those specific IP addresses. Second, Signal requires SMS or voice verification during setup, giving telecom providers a chance to intercept or block the registration process entirely.

But Signal is a strong choice in most territories, and unlike Telegram, Signal is non-profit, which gives some reassurance about their financial motivations.

Session

Session is like Signal on steroids. It holds no metadata, and unlike the apps mentioned so far, it also doesn’t need a phone number or email address to sign up.

Instead, it assigns your device an ID using a clever combination of cookies and behind-the-scenes methods of identification, meaning you can remain truly anonymous (terms and conditions apply). Similarly, it gets rid of the servers that the other apps use to physically transfer and process the message data, instead opting for a decentralised structure that uses nodes, in a similar way to the Tor Browser.

This means there is no central computer processing the data, making things a lot harder to trace back.

So why don’t we just all use Session? Well, there are some drawbacks. The lack of central servers (and reliance on nodes) creates speed issues, for both calls and text messages.

The unique identifiers can pose risks. Anonymity cuts both ways, and Session makes impersonation, or the masking of other malicious activity, easier. Not only this, they are slightly cumbersome in most ordinary settings. You have to manually share your 66-digit alphanumeric session ID, which can lead to errors.

Like them or loathe them, phone numbers and their associated risks come with benefits — like easily being able to find friends (via links to your other accounts), or just the simplicity of handing over a number.

All in all, Session is great if true anonymity is what you require due to imminent threat, but is quite impractical for day-to-day use. That is the price of true anonymity.

Thunderbolt

Thunderbolt is a security-focused communication app that puts privacy first in a similar, but not identical, way to Session and Signal.

In a way similar to Session, it seeks to remove your personal details, but in a way that’s somewhat less impractical. Rather than simply replacing a phone number or email with an infinitely long code, it instead uses a domain as your identifier. This is markedly different from an email address, both in terms of how it looks, and how it functions. Looks-wise, it’s the part you enter into an address bar, without the name and @ symbol. Functionally, it allows for better security, while remaining useful and practical whenever you want to share it.

In this way, Thunderbolt is also decentralised. While it doesn’t use the completely independent ‘nodes’ that Session utilises (instead opting for more reliable centralised servers), it does lean on decentralised identity via domain ownership. By utilising DNS, Thunderbolt is also slightly more difficult for countries to ban.

DNS-based identity means users verify themselves through domain ownership, which is decentralised, and so, harder to regulate (than centralised phone number systems). Blocking DNS infrastructure also risks collateral damage — governments would need to interfere with domain resolution itself, which could disrupt unrelated services and websites. Not really worth the risk.

Greater levels of anonymity can be achieved with Thunderbolt if you opt for a Handshake or ENS domain. This uses a decentralised blockchain-style network that puts anonymity at the heart of the domain registration process. Unlike Session, you can be ex-directory, and still share your domain (identifier) with ease.

An added benefit of this method, which the other apps don’t share, is that DNS also makes it harder for you to be impersonated. Phone numbers and email addresses are both notoriously easy to spoof. Because a domain account will usually be protected by two-factor authentication (2FA) and a strong password, it is inherently more secure, and harder to hack or spoof.

Thunderbolt couples this unique ID system with core values in security and privacy. It could, therefore, be seen as a “best-of-both-worlds” scenario, offering the best of anonymity, while also being accessible, and having speedy delivery.

While Thunderbolt keeps similar levels of metadata to Signal, it states clearly that this data will never be monetised or otherwise used.

Presented as a table

That was a lot to unpack, so we’ve condensed the main points into a helpful table.

Telegram (Secret Chats)

  Strengths:

  • Optional end-to-end encryption

  • Features like self-destructing messages, and granular profile permission settings.

  Weaknesses / Caveats:

  • Regular chats are not end-to-end encrypted by default

  • Perception may mask weaknesses

  • Some metadata kept

Signal

  Strengths:

  • End-to-end encryption by default

  • Minimal metadata retention

  • Non-profit, and clear ethos

  Weaknesses / Caveats:

  • Requires phone number to register

  • Has faced temporary blocks in countries like Iran and Egypt due to how it functions

  • Some metadata kept

Session

  Strengths:

  • No phone number or email required

  • Decentralised servers

  • Anonymous by design

  Weaknesses / Caveats:

  • Slower message delivery; limited features

  • Relatively complex ID sharing

Thunderbolt

  Strengths:

  • End-to-end encryption by default

  • Robust DNS-secured domain identifier

  • Clear privacy policy and ethos.

  Weaknesses / Caveats:

  • New app with limited user base

  • Some metadata kept

Which app is most secure?

When you boil it down, most apps boast a degree of privacy, and the rest comes down to the individual trust you have in the company: the extent to which you’d believe they might co-operate with corrupt law enforcement or governments.

All of us proudly clutching our degrees in True Crime from Netflix will know that even the strongest encryption in the world doesn’t protect you if someone has hacked your device, or simply takes it from you. In these situations, it’s often far more than messages that are scrutinised. So communication apps, and their security benefits, are always relative to the wider world you inhabit, and only part of the equation.

For most of us, it’s more about our data being monetised than weaponised, and making a simple switch to something like Signal or Thunderbolt can bolster your security without the drawbacks of more locked-down messaging apps.

Frequently asked questions

It depends what you mean by secure. It is end-to-end encrypted, which means WhatsApp as a company is not able to decrypt (and therefore view) the messages. However, WhatsApp does retain a lot of metadata about your activities, which can be monetised and used to advertise to you.

Yes. It’s easy to do, and patches a vulnerability that can otherwise compromise your security:

  1. Head to your device’s WhatsApp settings.

  2. Go to Chats > Chat Backups

  3. Tap End-to-end Encrypted Backup

Contrary to many people’s perception of Telegram, it’s not the most secure app. In fact, even chats are not end-to-end encrypted by default, meaning that they could potentially be read by the company. However, they do emphasise their stance on privacy and security, and are a solid alternative to WhatsApp, with similar functionality and more granular controls for profile data.

Signal is end-to-end encrypted, and allows you to select a username rather than use a phone number or email address (although a phone number is required to register). It is seen as one of the more secure options, without adding complexity to its use. Signal has been banned in certain countries, though.

Session is seen as one of the most secure messaging apps around. It can allow for almost total anonymity, and does not require a phone number or email address to register. Instead, it uses your device itself. This can lead to some difficulties in finding friends. It’s also decentralised, which means your messages are not transmitted using servers (instead using nodes), but this does cause some speed issues. Because of these factors, unless you need extreme privacy for a good reason, Session might be a bit cumbersome.

Thunderbolt uses end-to-end encryption, and was created as a security-conscious solution to messaging. It has the added benefit of using domains instead of phone numbers and email addresses, thus benefiting from the additional safety inherent in the DNS system. It’s fast, and uses a memorable identifier (a domain name), so is easy to share. This makes it an ideal solution for people who want to be security conscious without the drawbacks of apps like Session.
