Encrypted Messaging Showdown: WhatsApp vs Signal vs Telegram Security
Have you ever been creeped out by an advertisement showing up in your social media feed about a product you recently mentioned in a chat?
Not long ago, I was chatting with a friend on Facebook Messenger about which wireless earbuds to buy. Didn’t Google it. Didn’t say it out loud. Just casually discussed it with someone via Messenger.
Then an ad for earbuds pops up on my Instagram a few days later.
Could this just be my brain looking for patterns in everything, connecting it to a past conversation? Or is this a modern urban myth? Or just micro-targeted advertisements? After all, it is 2020 and Big Tech is looking for all kinds of creative ways to use all your data.
Either way, we can all agree that our conversations aren’t as private as we think they are.
If this is true, what stops your organization’s confidential information from being leaked through these conversations? Things we say and send to each other can hold immense value to us as a business, as an organization, or as a private citizen.
You could be discussing confidential client data, a new business strategy, trade secrets, negotiation tactics, legal strategies with your executives, clients and/or contractors. If hackers gain access to this information, you could find yourself dealing with a serious issue. A costly data theft or exposure would not only result in negative publicity and recovery costs but also damage your relationships with customers and business partners.
Why end to end encrypted messaging?
Sending a quick text is so convenient: just skip the formal greeting and make your point in a few words.
SMSs (simple message services) have been around for as long as I can remember. The content in your SMS messages, however, is easily viewable by your mobile carrier and government officials and is highly susceptible to hackers.
Sharing sensitive data requires careful consideration. Ungoverned text messaging exposes your organization to massive risks. Not only is SMS archaic, but it also leaks metadata and can be spoofed. Without end-to-end (e2e) encryption, your conversations could easily get into the hands of cybercriminals and other malicious actors focused on stealing them.
End to end encryption will protect data against tampering, surveillance and cybercriminals while transmitted and stored. For improved protection, encrypted messaging apps will store the encryption keys locally. So, no one else except the people engaged in the communication can read the messages. Not even the Internet Service Providers, the app publisher, the government, or anyone else!
The best secure messaging service for your company in 2020: WhatsApp vs Signal vs Telegram security
There is no shortage of encrypted messaging apps and services that claim to be secure, and the field is narrowed down somewhat given the developer’s privacy and security concerns.
But which is the most secure app to use for your organization?
In this article, I’m going to discuss the security and privacy provided by three apps: WhatsApp (Business), Telegram, and Signal. All three provide encryption, voice, and video (Telegram plans to add video in 2020) call options and also let you share files and photos. They all support cross-platform messaging (iOS, macOS, Android, Windows, Linux), allow group chats, and provide Multi-Factor Authentication.
It is important to note that regardless of which platform you use, the conversations are between the two users and the organization does not have control of the content. There is no way to know what is being talked about (that is the point of using such apps) or disable accounts if someone leaves the organization, they still have access to the messages.
Let’s look into encryption protocols, backup strategies, data that they collect on users and other security features offered for WhatsApp vs Signal vs Telegram security.
WhatsApp Security
When Facebook is your parent company, it seems like a bad start for any app trying to sell security and privacy. (Though Facebook claims that they don’t monitor WhatsApp). WhatsApp Business does have great features tailored for small businesses, such as the ability to use two accounts on the same phone, have predefined replies, label conversations. And yes, the logo — the logo is different. It is, however, not very different from WhatsApp when it comes to security.
From a security perspective, it is not as secure as you’d think. It is very easy to use (just like WhatsApp), which explains WhatsApp’s popularity — it is the world’s largest social messaging app! But this also invites a lot of attention from criminals.
Their most hyped feature is the end to end encryption. While it is based on the open-source Signal Protocol , experts say there are significant differences between them. WhatsApp closely guards its code, and while there has been no evidence that WhatsApp’s encryption has been cracked, the truth is, its technology cannot be examined so easily.
Since there is no way to independently verify it, just trust Facebook, I guess. *says sarcastically*
They also collect the user’s information in order to use it. Data includes your address book and other metadata such as IP addresses, connection details, and, because it’s part of the Facebook family data is shared between the app and its parent company. This seriously makes me question their security practices, especially since data is linked to Facebook profiles to improve Facebook ads and product experiences.
Take it from WhatsApp-
It may appear to the user that they have the freedom to opt-out of these backups, but there is little room for choice here. Even if your company policy is to opt-out, people you chat with (your customers, suppliers, and literally anyone outside the company) most likely won’t.
You have zero transparency on what really is e2e encrypted and what is backed up. Simply put, your company would rely on e2e encryption and trust the “no third party can access our messages” mantra — but in reality, your data is in fact vulnerable to hackers that can get access to it via the cloud storage.
Telegram Security
Telegram is one of the leaders among other secure messaging apps, and as of April 2020, has reached 400 million monthly active users . Telegram, however, has received a lot of criticism since its launch.
Telegram provides e2e encryption using its own proprietary messaging protocol called “MTProto”. It is worth noting that it is not entirely open-source and lacks scrutiny from outside cryptographers. Remember, the first rule of cryptography is “Don’t Roll Your Own Crypto”.
Cloud Chat is the default messaging method and does not provide e2e encryption. All chats are stored on Telegram’s servers and are backed up to an in-built cloud backup. This means Telegram holds the encryption keys and can read any such conversation. The only positive to Cloud Chat is that it lets you sync between devices.
While Telegram does not offer e2e encryption by default, they offer “Secret Chats”. Secret Chats can only be read on the device from which the message was sent and the device that received it. Even using the same accounts, it is not possible to read the messages on any other device. You can also send self-destructing messages that automatically disappear after a predefined time. Secret Chats on Telegram are truly e2e encrypted and do not get backed up and no keys are held by the company.
Secret Chats also provide screen security to block screenshots of the chat.
Telegram also copies your address book to their servers, which is how you receive notifications when someone joins the platform. It also does not thoroughly encrypt all metadata. Moreover, researchers at MIT found that a hacker could pinpoint down to the second when a user goes online or offline.
(The sync can be turned off by going into Settings > Privacy and Security > Contacts)
Telegram also boasts of being able to support 200,000 members each on Group chats and an unlimited audience on channels. Group chats and channels are essentially a Cloud Chat and don’t offer any of the cool features like self-destructing messages or screen security.
The fact that the company regularly changes its headquarters (Berlin, London, Dubai) also makes me a little nervous, as this makes it difficult to assign it to a specific jurisdiction.
Signal Security
Finally, there’s Signal, a company to which Edward Snowden gave a valuable endorsement . In another endorsement, the European Commission has told its staff to switch to Signal for external communications with people outside the organization.
Signal uses Open Whisper System to e2e encrypt all conversations by default. Not only is it an open-source (hence, open to scrutiny) encryption algorithm, but it is also recommended by crypto expert and author of standard reference “Applied Cryptography”, Bruce Schneier.
With Signal, encryption keys are stored on users’ phones and computers, never on servers. To avoid the potential risk (albeit a very small one) of spoofing, you’ll be warned if the security key of anyone you are talking with happens to change.
Signal’s verification method beats every other messenger app. Users can verify each other’s profile by verifying Safety Numbers or scanning QR codes that contain this unique set of numbers and mark the profile as verified.
The service is designed to minimize the data retained about Signal users. Signal collects as little metadata as possible and does not store metadata, logs, or information on its users. It does not store a record of your user contacts, social graph, conversation list, location, user avatar, profile name, group memberships, group titles.
Users may also opt in to discover contacts in their address book. In that case, contacts are hashed and transmitted to the server.
Their backup approach is not only more secure, but simplified because chats don’t get backed up to cloud by default. You can, however, enable backups to external storage through Settings > Chats and media.
Under Settings > Privacy > Sealed Sender, you can enable “Allow from Anyone” to receive ‘sealed sender’ messages from non-contacts and people with whom you have not shared your profile or delivery token.
Under Settings > Privacy > Communication, you can enable “always relay calls so that all calls would go through the Signal server and not reveal your IP address to your contact.
You can even create self-destruct messages that would be rendered completely inaccessible by anyone after the period of time specified by the sender.
Signal also offers screen security to block screenshots in the recent chat list and inside the app that also blocks other apps on your phone (or even from the user) from taking screenshots of your chats on Signal. The catch here, however, is this setting does not stop the receiver from taking screenshots.
Recently, Signal also rolled out a face blurring feature to help its users stay anonymous. It can be used not only to blur faces but also to blur any other sensitive information in the picture. This is just one example of how seriously they take user’s security and privacy.
The worst critique I have for Signal is that it requires you to hand over your phone number to the company while setting up an account. I know it sounds unappealing that you could be locked out of your account simply by losing the right to that phone number. Good news, though: Signal is introducing Signal PINs for recovery, so the government or your mobile phone company can’t lock you out.
WhatsApp vs Signal vs Telegram Security Conclusion
Every business has different needs, wants, and requirements. The choice of an encrypted messaging app depends on what your business does, who you are, what your job is, and who you talk to.
Here’s my overall thoughts on the three encrypted messaging apps – WhatsApp vs Signal vs Telegram security:
WhatsApp is easy to use and popular, but their security is not really trustworthy, especially given their history. Still, it’s better to send messages using WhatsApp than no encryption at all. Most WhatsApp users use it for personal communication with family and friends. However, I would not recommend using it for conversations your company would consider as secret or confidential.
Telegram is capable of some genuinely cool stuff. It is flexible and arguably easy to use. The highest level of security is not available by default (unlike Signal) and it takes a little extra work to maximize security, which might not be everyone’s cup of tea. It definitely is secure enough — after all, it’s the messenger of choice for ISIS militants and Hong Kong protestors .
Signal might be the favorite app for people who mean business. It is a little harder to use than WhatsApp, but if it’s harder to use then not everyone will use it. If you see security as a trade-off against usability, Signal sure throws the dial all the way to the security side which makes it ideal for high-risk, secret communications.
I’ve highlighted each platform’s various features in a handy chart for your reference.
So when you are evaluating WhatsApp vs Signal vs Telegram Security you know what to look at in 2020!
To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/