Currently, WhatsApp is the instant messaging service with the most users in the world, it has more than 2,000 million monthly active users. Telegram has about 500 million users and Signal has approximately 20 million active users.
If we stick to the figures, it is clear that WhatsApp is the most popular app and will be installed on almost all the mobile phones of our contacts and friends. Telegram is quite popular, but it still has a lot to recover so that we can uninstall WhatsApp from our phone. And Signal is nothing more than a baby next to these two monsters.
However, on January 7, 2021, Elon Musk posted a tweet encouraging people to use Signal and the subsequent surge in users caused the app’s phone number verification system to temporarily crash. A few days later, Signal was among the most downloaded apps on the App Store.
WhatsApp has new terms and conditions of service that all users must accept before February 8 to continue using the application; and that, if you do not accept it, your account will be deleted.
According to Facebook, owner of WhatsApp, the new terms do not affect users in the European Union. However, the Chief Competition Economist of the European Commission (EC) between 2016 and 2019, Tommaso Valletti, disagrees that the new privacy policy does not affect users in Member States and considers that it “does not comply” with European regulations data protection as it affects the exchange of metadata, that is, the telephone number, operations data, information on how the user interacts with others (including companies), the device they use or the IP address.
Security and encryption
The first thing we are going to analyze is the security of the applications since it is one of the most controversial characteristics.
In the past, WhatsApp had no encryption, but since 2016 the application uses end-to-end encryption in each and every one of the communication modes that the app has. This means that all your messages, video calls, voice calls, photos, and anything else you share will be sent encrypted and only you and the recipient can see the information. WhatsApp cannot even, even if it wanted to, decrypt the content of messages, calls, photos, etc., thus guaranteeing your security and privacy.
WhatsApp uses the E2E protocol developed by Open Whisper Systems, which is the name behind Signal Messenger. This is good, because the Signal protocol is open source, widely reviewed by analysts, and is considered one of the best protocols for implementing end-to-end encryption on messaging platforms.
It should also be noted that, although all its communication on WhatsApp uses E2E encryption, the company does not encrypt the backups (in the cloud and local) and does not encrypt the metadata used to achieve communication between two endpoints. This is one of the main criticisms of the WhatsApp security model. In the metadata, you can know who and when has sent a message to someone, and for how long.
In addition to that, WhatsApp offers biometric locking for both Android and iOS and supports two-step authentication (2FA).
In general, WhatsApp does a good job of ensuring the safety of its users, although it has had significant problems such as indexing in Google search of links in group chats or the multiple accusations that the company has broken encryption to create back doors for government agencies.
Telegram
Telegram has a lot of lights and shadows when it comes to security. For starters, although Telegram supports end-to-end (E2E) encryption, it is not used throughout the application, only in secret chats and calls.
The downside is that normal chats don’t have E2E encryption. This means that the messages are encrypted on your device and then decrypted on the Telegram server. The messages are encrypted again on the server and sent to the recipient’s device for final decryption. As you can see, in this process, Telegram has the encryption keys on the server-side and can, in theory, access your normal chats.
Also, the Telegram desktop client does not support E2E encryption on any platform other than MacOS.
Telegram has always claimed that it protects the privacy of users and that it will never violate their trust. Additionally, it protects your encryption keys very strictly and court orders from multiple legal systems around the world would be required to access any of your data. In fact, the company says it has shared 0 bytes of data with third parties and governments to date.
Another opaque point in Telegram security is that it uses its own proprietary encryption protocol, MTProto, to encrypt your messages. The protocol seems robust and no one has been able to break it, even with substantial rewards in between. However, it is a closed source protocol and cannot be verified by security researchers. Therefore, security researchers believe that using a widely trusted and open-source protocol, such as the Signal protocol, would have been better than using a proprietary closed source encryption protocol such as Telegrams.
As for apps, Telegram, like WhatsApp, also offers app locks.
Signal
Signal has always stood out for its level of security and is by far the best service in this regard. Both on the server-side and on the user side. In fact, Edward Snowden and Julian Assange have recommended Signal numerous times.
As I already mentioned, Signal uses the open-source Signal Protocol, also known as TextSecure Protocol, to implement end-to-end encryption. And, like WhatsApp, E2E encryption covers all forms of Signal communication. ref
Recently the company Cellebrite reported that it had found a security flaw in the Signal protocol, however, it has been discredited by Signal and they have claimed that Cellebrite only wanted headlines; a clickbait.
The good news is that, while WhatsApp encrypts messages and calls, Signal goes a step further and encrypts metadata as well. The system is called Sealed Sender (sealed sender) and allows to protect the privacy of the user as much as possible since nobody, not even Signal, knows who is communicating with whom. ref
Of course, Signal has an in-app lock key, 2FA authentication, and an option to lock in-app screenshots and recent apps. Signal also encrypts all local files and you can create an encrypted local backup. Other exciting new features are encrypted group calls and a feature that allows faces to automatically blur before sending images.
Owners and monetization
Next, we will see who owns each service and how they intend to monetize them.
WhatsApp was bought in 2014 by Facebook, which spent about $ 19 billion for it. At first, Facebook stayed a bit on the sidelines and let the company go its way, however, little by little Facebook has been positioning itself in a more intrusive way in its evolution.
In fact, WhatsApp now has a very aggressive new privacy policy that basically says that WhatsApp will be able to share its data with the rest of Facebook applications to show more targeted advertising to each user.
Most downloaded apps
There are also many rumors that advertising can directly reach WhatsApp. That gives Facebook an even bigger incentive to monetize your WhatsApp data. Additionally, since WhatsApp does not encrypt the metadata, Facebook can easily use it to track user behavior.
Unfortunately, we are talking about Facebook and I do not think it is necessary to point out the unwillingness, as has been demonstrated many times, of Facebook to protect user data or to offer any kind of privacy protection.
Telegram
Telegram was launched in 2013 by Nikolai Durov and his younger brother, Pavel Durov. They are both Russians but live in exile. Pavel Durov was fired as CEO of VK (the Russian Facebook) for refusing to hand over the data of the Ukrainian protesters to the Russian security agencies.
Apart from that, Pavel Durov has positioned himself on many occasions in favor of protecting the privacy of users and against censorship. For that reason, Telegram is banned in both Russia and Iran.
At the moment, Telegram has been financed solely through Pavel Durov money, but since that model is not sustainable forever, Telegram recently announced that it will begin to offer extra functions at a cost to companies and in this way achieve stable self-financing.
Signal
Signal is owned by the nonprofit Signal Foundation, led by computer security experts Moxie Marlinspike and Brian Acton. Moxie Marlinspike ran Open Whisper Systems, the company that gave birth to the Signal encryption protocol. After meeting Brian Acton in 2018, they formed a new alliance called the Signal Foundation.
Notably, Brian Acton was the co-founder of WhatsApp. However, he left the company 3 years after Facebook acquired it. Now, he oversees the development of Signal which is funded by donations and grants.
As we have seen before, Signal is recommended by many of the IT security experts like Edward Snowden or Jack Dorsey, the CEO of Twitter.
Features and Functions
Everyone knows the functions that WhatsApp has, but we are going to review them.
Chats
WhatsApp has group chats of up to 256 members
We can send messages to several contacts at the same time
You have a voice and video calls. Group video calls are restricted to 8 simultaneous users
WhatsApp has the Status or Stories function, something that neither Telegram nor Signal has
We can share photos, videos, and audio files with a maximum size of 16 MB, however, documents can be up to 100 MB
Real location can be shared with your contacts
WhatsApp chats can be backed up using Google Drive and iCloud
Telegram
Chats
Secret chats with self-destruct messages
Group chats with a capacity of up to 200,000 members
Channels
Bots, polls, contests, hashtags
Editing and deleting sent messages
Message scheduling
Uncompressed photos and videos can be sent, in addition, storage is unlimited and the maximum file size is 2 GB
We can use Telegram from several devices simultaneously (multi-device)
Calls and video calls
Chat with yourself to point or save things
Signal
Although Signal beats Telegram and WhatsApp in terms of security, it does not have as many functions:
Messenger service
Voice and video calls
Groups and group calls
Message self-destruction
Ability to send a viewable image only once
Chat with yourself to point or save things
Signal allows to relay voice calls to its servers so that your identity remains hidden (something similar to a VPN)
Can hide your IP address
Enable incognito keyboard by default while typing in Signal
Blur faces and private information from images with its powerful photo editor
These are the most outstanding functions, however, here is a detailed list.
Conclusions
WhatsApp is a much more secure application than the gossips say (it is also true that it took a long time to encrypt conversations from end to end and that reputation is difficult to overcome).
Telegram is the most complete instant messaging service, however, its security could be better. So far it has not suffered any serious problem, but it can be improved.
Signal is the most secure application, but it is the one with the fewest users.