Home Did you know ? WhatsApp vs Telegram vs Signal – Which One Is More Secure?

WhatsApp vs Telegram vs Signal – Which One Is More Secure?

by Abeerah Hashim
WhatsApp Telegram Signal comparison

Following the changes in WhatsApp privacy policy, the other two rival apps, Signal and Telegram, have experienced a surge in their customer base. According to Sensor Tower, after WhatsApp’s recent update, Signal received 100,000 new customers. Whereas, Telegram attracted 2.2 million new downloads within two days.

So, what was the exact thing that compelled people to switch to other platforms? Here’s we quickly compare WhatsApp vs. Telegram vs Signal regarding their prominent security and privacy features.

WhatsApp vs Telegram vs Signal – Quick Privacy Comparison

For those who don’t know much about the background of these encrypted messaging apps, here’s a quick overview before moving on to the comparison.

WhatsApp: An American free messaging app for Android and iOS devices. The app also has a web version to support desktop use. However, using it requires the phone version to be connected to WiFi. A separate business app, WhatsApp Business, also exists (since 2018) to let businesses connect with their customers. The app basically started off in 2009 as a standalone platform by Brian Acton and Jan Koum. However, in 2014, Facebook acquired it for US$19 billion.

Telegram: Launched in 2013 in Russia by Nikolai and Pavel Durov, Telegram is also a freeware messaging and VoIP app. It presently supports multiple platforms such as Android, iOS, Windows, Linux, and macOS. Users can seamlessly integrate multiple devices with their accounts to communicate via any device of their choice.

Signal: Signal app is the successor of the previous messaging apps TextSecure and RedPhone, which formally started off in 2015. However, the app started to gain traction in 2018 after Brian Acton, WhatsApp’s co-founder, started the non-profit Signal Foundation and invested heavily in the development of the Signal app. Presently, Signal exists as a standalone, free, and open-source platform offering Android, iOS, and desktop app versions.

End-to-end encryption

WhatsApp, Telegram, and Signal, all three are popular for their robust end-to-end-encryption. But what makes the three different is the way they implement this e2e encryption for the users (by default).

WhatsApp: communications and data remain e2e encrypted during transit by default. WhatsApp basically uses the Signal encryption protocol.

Telegram: offers optional e2e encryption not active by default. The app uses MTProto encryption protocol based on 256-bit symmetric AES encryption, 2048-bit RSA encryption, and Diffie–Hellman key exchange.

Signal: Signal protocol (or the TextSecure Protocol) uses AES-256, Curve25519, and HMAC-SHA256 as primitives and combines Double Ratchet Algorithm, prekeys, and an Extended Triple Diffie–Hellman (X3DH) handshake. Other apps like WhatsApp, Facebook Messenger, Skype, and Google Allo use this encryption protocol to offer e2e encryption to their customers (either optional or default). On Signal app, e2e encryption for all communications is available by default.

Data backup

While all three apps, WhatsApp, Telegram, and Signal, offer data encryption during transit, the same isn’t the case with backups alike.

WhatsApp: Local (on device) and third-party cloud backups. On clouds (such as Google Drive or iCloud), backup remains unencrypted.

Telegram: Cloud backups on its own servers. The servers also store the decryption keys. Backup, however, doesn’t apply to secret chats. The local database can be (optionally) encrypted via a passphrase.

Signal: Local backup only with SQLCipher. The SQLite database also stores the decryption keys. In case of non-encrypted cloud backup (optional), Signal removes users’ messages from backup by default.

Data retention

WhatsApp: The app applies “store and forward” mechanism, deleting the message as soon as it is delivered. If undelivered, the message remains for 30 days on its own servers as the app attempts to deliver it. The data is deleted after 30 days.

Telegram: Data retained on Telegram’s own servers in “heavily encrypted” form for an undefined time.

Signal: No explicit data retention on its servers besides technical information necessary to operate the services. Besides, it may temporarily store e2e encrypted messages on its servers if undelivered.

Advertising policy

Details about the type of data collected and used for advertising purposes are available in the privacy policy of WhatsApp, Telegram, and Signal. Below is a brief overview.

WhatsApp: Can share collected data with Facebook for advertising purposes as needed.

Telegram: No data use for ad targeting. Telegram plans to launch its own ad platform.

Signal: No ads.

Access to user data

Although, iOS users would now know it better as the latest iOS alerts users about the kind of data apps access. However, here’s a quick breakdown of data access and collection by WhatsApp, Telegram, and Signal.

WhatsApp: After the updates, starting February 8, 2021, WhatsApp will have access to users’ detailed personal information such as contacts, status, location, time logs, usage stats, device identifiers, and other sensitive data.

Telegram: Collects user ID, contact information, and users’ contacts (numbers).

Signal: Collects and stores users’ own number, also accesses users’ contacts to detect Signal users (by matching the hashed versions).

Which One Is The Best?

WhatsApp is very popular and very easy to use. Telegram has gained popularity during the past few years, yet, it’s not ubiquitously known like WhatsApp. Whereas, Signal still remains somewhat unpopular, though it gained traction very recently.

However, comparing the security of WhatsApp, Telegram and Signal reveals that WhatsApp does not remain secure anymore. Perhaps, that’s why people have started leaving the platform.

Nonetheless, labeling any of these apps as the “best” depends on users’ preferences and feasibility. So we leave it up to our readers to decide which app suits them best.

You may also like

3 comments

Desipien January 17, 2021 - 7:35 pm

Signal is not E2E on any of their services. Don’t fall for their commercial.
Easy test:
– install Win Signal app
– chat with a friend on Signal (Win) while your mobile is network OFF (Android or IOS) data & WiFi.
– turn off your network on Win and start your Signal app on your mobile and the messages will sync.
The messages use their servers to communicate and not E2E.
On the other hand the “secret chats” on Telegram don’t sync on Win; but Telegram doesn’t have E2E for groups (neither does Signal, despite their intent).

Reply
randomgenerator January 15, 2021 - 1:01 am

“However, comparing the security of WhatsApp, Telegram and Signal reveals that WhatsApp does not remain secure anymore. ”

The sentence is not correct. Whatsapp is still secure but it asks for a lot of user information (privacy violation).

Reply
Nathan Michell January 13, 2021 - 1:06 pm

Started using telegram instead. So far so good. Didn’t know they had so many good features.

Reply

Leave a Comment

Do NOT follow this link or you will be banned from the site!

Privacy Preference Center

Necessary

The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]

Advertising

DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.

doubleclick

Analytics

The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid