When we talk about secure messaging apps, the names that sound louder are Signal, Telegram, and WhatsApp. Today we face them face to face to see what is the safest messaging application for Android.
Therefore, we will leave in the background design, functionalities, number of users, and other important factors when comparing messaging applications to focus solely on the security and privacy of these three applications. Which will be the best stop?
The first thing you should consider when installing an application if you are concerned about your privacy is the permissions they require although it is true that this has changed a lot since Marshmallow and its permissions at runtime arrived. With them, the permissions are only asked if they are necessary, and you are free not to grant them if you don’t want to use that function.
Telegram and WhatsApp have almost the same permissions except that of access to SMS (used for account verification), which is no longer necessary in Telegram but is still present in WhatsApp. Signal has the same Telegram permissions but adds one more: the calendar one. This permission is used to share your calendar events with other people in Signal.
All three apps make reasonable use of permissions
All three applications make reasonable use of permissions, asking for them only when necessary. Thus, you only need to grant the camera permission to send photos, or the storage permission to send files and photos saved on the mobile. In this regard, all applications behave the same.
Where there are some differences are in what permissions are really necessary for the basic use of the application. Telegram insists enough during the initial setup to grant you access to the call log, though you can use it without granting single permission. The same with Signal: your life will be easier if you add permission to contacts, although technically you can do it without them, adding by username in Telegram or by phone number in Signal.
WhatsApp is the only one that “forces” you to grant access permission to contacts. Without it, you can’t start a conversation with the app on its own, although you could use this method to talk to someone with their phone number. In summary, the three applications handle permissions with sanity, although WhatsApp makes it a little more difficult for you. Point for Telegram and Signal.
Access protection (PIN, fingerprint)
Before worrying about what happens to your data in transit from your mobile to the receiver (i.e. encryption), you should also take into account the security of your data on the phone itself. What if someone has physical access, even if momentary, to your phone?
I am sure that if you are concerned about the privacy of your data you will have established an unlock protection for your mobile, but perhaps Smart Unlock or other technology relaxes security. If a person has access to your phone, can they read your chats from Telegram, WhatsApp, and Signal?
Fortunately, all three applications include a native function for protecting chats from outside eyes, after WhatsApp added fingerprint protection. In none of the cases, the protection comes active from home, but it is you who must activate it from the settings.
There are some differences between the available options, however. Signal uses the Android lock and can be activated automatically after a period of time, while on Telegram you have a little more control, being able to use a PIN or password and block the application at any time with the padlock icon. WhatsApp has the protection with fewer options since it can only be through a fingerprint. More options, more points. Point for Telegram.
All three applications use end-to-end encryption (WhatsApp is signed by the creators of Signal, to be exact) although I already anticipate that Telegram will not take any point in this section. Not because your home-cooked MTProto encryption is insecure, but because not activated in all chats by default (normal chats are encrypted, but not end-to-end).
While WhatsApp and Signal use end-to-end encryption for all communications, in Telegram it is only used in secret chats, which add other extra security features like protection against screenshots and self-destructing messages.
Without secret chats, Telegram continues to encrypt messages between the client and cloud and there is only evidence of a vulnerability in the implementation, which dates from 2013. Although the experts are not very enthusiastic about the fact that Telegram uses its own implementation, on paper, it seems that in terms of security it has everything tied and well tied.
However, it is obvious that those who care about their safety prefer that encryption occurs entirely on the sender and receiver, without servers in between. Although all three applications can potentially do it, only WhatsApp and Signal do it in a transparent way for the user, who should not take any additional steps.
Given that WhatsApp and Signal share encryption technology, it stands to reason that they share encryption scores as well. Point for Signal and WhatsApp and none for Telegram until it at least includes the option for all chats to be end-to-end encrypted by default, without having to choose each time.
Ensuring that your messages are transmitted safely and without anyone being able to intercept them is important, but the content of the message is as important as its metadata. Metadata in this context refers to all additional information that accompanies a message, not including its own content.
For example, someone calls a pizzeria and orders a pizza, whoever listens to the conversation will know what has happened, but the same can also be deduced through metadata. This person called this phone that belongs to a pizzeria at lunchtime … he will have ordered a pizza. Something similar happens with our conversations.
With encryption, nobody can read your messages, but they can know who you are talking to and from where, by the metadata
WhatsApp collects a good amount of metadata of your users such as IP addresses, dates of use, phone and model, network operator, phone number, unique device identifier, location, and contacts. By crossing this information, even without being able to read the content of the messages, you can make pretty rough assumptions about who you’re talking to and in some cases what.
Telegram It is based on the cloud so technically all your messages, photos, and files sent in non-private conversations are stored (encrypted, yes) on their servers, although in terms of metadata it is not very clear what other data they collect besides your contacts, devices and IP addresses. These data are stored for a maximum period of one year.
The signal is the only app on our list that minimizes metadata that saves. It only archives the last time you connected (the day, not even the time) and the phone number of your account. So, point for Signal.
Extra privacy/security features
Now that we have covered the most important thing is time to assess the additional merits of each of the applications. Do they have added functions for improving your privacy and security that others do not have?
In the case of WhatsApp, the most relevant are the privacy options with which you can hide profile picture, connection time, info, and status of some or all people, who can add you to groups and verification in two steps. There really isn’t much else to catch the attention of privacy lovers.
Telegram It includes two-step privacy and verification controls similar to WhatsApp, and adds self-destructing messages, incognito keyboard support (note, you need a compatible keyboard app like Gboard or SwiftKey) and the protection against screenshots, although only in secret chats. You can also configure Telegram so that the account is destroyed after a certain period of activity, as well as prevent the text of a new message from being displayed in the notification.
Extra Telegram options
Signal it does not let you choose who can see your name and profile photo (it is shown to all the contacts you have in your account) but otherwise, it also includes two-step verification (call here with more success) Registration lock PIN), self-destructing messages, notifications without messages, incognito keyboard and blocking (optional) against screenshots.
Signal adds to this the possibility of masking your IP address in calls and the self-deletion of old messages after exceeding a certain amount. With the advantage that all of the above is available in all conversations.
Signal privacy options
Considering that Signal was born as a secure messaging app, it should come as no surprise to anyone that it brings quite a few privacy options as standard. It has some more than Telegram, although in exchange Telegram gives you more control over who can and cannot contact you or see your information. The last point is shared for Signal and Telegram.
Final result and comparative table
We have reached the end of the comparison and the time has come to count the votes. In case you don’t feel like going back over your steps to add up the points of each application, here is a summary table.
So that, Signal is the best messaging application in terms of privacy and security, scoring a point against WhatsApp and Telegram on practically all the fronts that we have analyzed previously. The only thing he doesn’t take home about is access protection that, although it has it, it is not as complete as that of Telegram.
WhatsApp only excels in encryption, at a point that it shares with Signal as it is powered by the same Open Whisper encryption. By last, Telegram is in the second position with three points thanks to its padlock to protect chats, the precision of its privacy options, and the fact that you can technically use it without granting single permission.
|Chat protection||Yes, by footprint||PIN and password (fingerprint compatible)||Android lock (fingerprint compatible)|
|End-to-end encryption||Yes, all chats.||Only in secret chats.||Yes, all chats.|
|Collection of metadata||IP addresses, dates of use, phone and model, network operator, phone number, unique device identifier, location and contacts||Unknown, but being cloud-based, everything you do on Telegram is registered on their servers.||Only phone number and last day of connection|
|Protection against screenshots||No||Yes, optional.||Yes optional|
|Self-destructing messages||No||Yes, in secret chats||Yes|
|Notifications without content||No||Yes, optional.||Yes, optional.|
|Keyboard in incognito mode||No||Yes, in secret chats||Yes optional|
|Mask IP in video calls||No||No||Yes, optional.|
|Account self-destruction due to inactivity||No||Yes, optional.||No|
|Delete messages after a certain limit||No||No||Yes optional|