Are messaging apps like WhatsApp, Signal, Telegram or Threema really secure?
Is WhatsApp secure? Does WhatsApp read my messages? What is end-to-end encryption? Will my data be sold? Which messaging app is really secure? How does it differ from Telegram? These are questions that I am asked again and again. In contrast, Telegram, Signal or Threema are generally considered to be secure. That this is far from being the case is what I would like to show in this article. In addition to my experience as CMO of MessengerPeople, this analysis also includes the comments of various experts, researchers, hackers and lawyers who have assessed the topic from the perspective of their respective areas of expertise.
Messaging apps are by far the most popular communication medium of our time. Whether Signal App, Facebook Messenger, Telegram, Threema or WhatsApp – messaging apps are used more than any other app. When it comes to security, however, there are major prejudices and rigid views instead of facts. The two messaging apps from Facebook Inc. – WhatsApp and Facebook Messenger – are particularly divisive.
Telegram, Signal, Threema, WhatsApp in comparison: privacy, GDPR, encryption, data storage
- Is WhatsApp more secure than Signal app?!
- Security is more than just data protection
- Can messaging apps like WhatsApp read my chats?
- Which messaging app has the most secure encryption?
- How does end-to-end encryption work?
- Where do messenger companies like WhatsApp store my data?
- Metadata: What can WhatsApp read?
- Even more secure: WhatsApp Business API
- Is my data being sold? Do governments have access to WhatsApp?
- Security vs. hackers
- Is Telegram secure?
“EU Parliament prohibits the installation of the messaging app Signal by Members of the European Parliament (MEP)”: This headline at netzpolitik.org caused quite a stir. The security of messaging apps – especially WhatsApp vs. Signal – was quickly discussed in insider circles. But what does secure actually mean?
Incidentally, anyone who read the article and the justification more closely quickly understood that the parliament’s directorate did not reject Signal because of security shortcomings, but because Signal is “not a standard software” in the European Parliament. The messaging tool cannot be installed by MEPs and staff “without being tested and approved by the security service and the standard configuration team,” according to the EU Parliament’s IT support.
Many people throw “data protection” and “security” – two completely different topics – into the same pot of the rumor mill. Of these, only a few have fundamentally dealt with the European General Data Protection Regulation (GDPR). This essentially regulates the handling of data – in other words, what data a company is allowed to process from its customers/users, etc., and to what extent. All messaging apps deal with this issue differently.
However, as attorney Dr. Carsten Ulbricht (“Rechtzweinull”), who specializes in IT and social media law, assured me, all messaging apps from WhatsApp to Threema are now GDPR-compliant. Companies can communicate via messaging apps in compliance with the GDPR; the requirements include information for and a declaration of consent from the user, and a clean opt-in and opt-out.
Another common misunderstanding is that the private use of messaging apps is in the scope of GDPR. Private use of messaging apps is in no way affected by the scope of the GDPR – the GDPR only applies to legal entities.
💡 Tip: If you want to learn more about data privacy and WhatsApp, I recommend our editorial WhatsApp and data privacy in customer communication – Everything you need to know!
A second point that is repeatedly criticized is the assumption that chats between private individuals – just like those between companies and customers – can be “read” by the messaging app operator, the authority and / or a hacker. But is this true? That essentially depends on the quality of the encryption of a messenger service. “Encryption” describes many possibilities, which differ significantly in quality: How much effort do attackers have to expend to gain access to the chats?
Figuratively speaking: Strong encryption means that an attack requires a computational effort of several billion years. “Weak encryption, on the other hand, enables attackers to reduce this time period so drastically that the attack becomes viable,” explains Frieder Steinmetz, who researches messenger security at the Technical University Hamburg.
WhatsApp, Threema and Signal use end-to-end encryption, which means that the data to be transmitted is encrypted on the sender’s side and only decrypted again on the recipient’s side. All experts agree (for once) that this technology is the most secure encryption method today.
If you don’t believe WhatsApp / Facebook, you are welcome to read the statement of the State Data Protection Commissioner of Saarland (Germany):
In our opinion, the end-to-end encryption used, which is described in more detail by WhatsApp in a security whitepaper, was state of the art. As per our assessment, it can be assumed that it is technically ensured that WhatsApp does not obtain knowledge of the content of the communication between the citizen and the municipality.
WhatsApp cannot read the user’s chats either – even if the company wanted to (incidentally, this is also because the data is not stored by WhatsApp at all; see “Data storage”).
The Signal protocol is only slightly different. Threema has its own protocol, which is not entirely bad in my opinion, but which does not guarantee “perfect forward secrecy”, for example. This property means that someone who steals my secret key from my phone in the future cannot use it to decrypt all of the encrypted communications I have previously made through the phone. “Signal and WhatsApp have this,” says expert Frieder Steinmetz. “Telegram combines cryptographic items in an unusual way and doesn’t exactly inspire trust.”
[Figure: Which messenger scores where? Picture: Sabrina Schrödl / Motherboard. German source: Vice]
“End-to-end encryption” (E2E) refers to the encryption of data across all transmission stations up to the recipient. Encryption and decryption therefore only take place at the end points of the transmission. The security of this type of encryption is very high, because no ciphertext can be decrypted without the secret key.
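The endpoint-only encryption described in this paragraph and the forward secrecy mentioned earlier can be sketched together. This is an added example, not code from the article or from any messenger: a simplified hash ratchet in which an HMAC-based toy stream cipher stands in for a real AEAD, and the names (Endpoint, ratchet, readable_with) and the pre-shared secret are assumptions made for illustration.

```python
import hashlib, hmac, os

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()
def ratchet(chain_key):  # one KDF-chain step: (next chain key, one-time message key)
    return prf(chain_key, b"\x02"), prf(chain_key, b"\x01")

def _xor_stream(key, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for a real AEAD.
    stream = b"".join(prf(key, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(message_key, plaintext):
    ct = _xor_stream(prf(message_key, b"enc"), plaintext)  # key is single-use: no nonce
    return ct + prf(prf(message_key, b"mac"), ct)

def unseal(message_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(message_key, b"mac"), ct)):
        return None  # wrong key or tampered ciphertext
    return _xor_stream(prf(message_key, b"enc"), ct)

class Endpoint:
    """A phone: keeps only the current chain key; used message keys are discarded."""
    def __init__(self, shared_secret):
        self.chain_key = shared_secret
    def send(self, plaintext):
        self.chain_key, message_key = ratchet(self.chain_key)
        return seal(message_key, plaintext)
    def receive(self, blob):
        self.chain_key, message_key = ratchet(self.chain_key)
        return unseal(message_key, blob)

def readable_with(stolen_chain_key, blobs, lookahead=8):
    """Indices of relayed blobs that open with a chain key copied from a device."""
    keys, ck = [], stolen_chain_key
    for _ in range(lookahead):
        ck, mk = ratchet(ck)
        keys.append(mk)
    return [i for i, b in enumerate(blobs) if any(unseal(k, b) is not None for k in keys)]

def demo():
    secret = os.urandom(32)  # assumption: already agreed between the two phones
    alice, bob = Endpoint(secret), Endpoint(secret)
    relay = [alice.send(m) for m in (b"hi bob", b"meet at 6", b"bring the keys")]
    received = [bob.receive(blob) for blob in relay]  # relay held ciphertext only
    stolen = bob.chain_key  # constructed scenario: device copied after message 3
    relay.append(alice.send(b"later message"))
    return received, readable_with(stolen, relay)
```

demo() returns the three plaintexts the recipient recovered and [3]: a chain key copied from the device after the third message opens only the later message, none of the earlier ciphertexts the relay handled.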
With Facebook Messenger and Telegram, users can log in from anywhere in the world and access their chats. This is possible because Telegram and Facebook store the data centrally on their servers. According to the providers, the data is of course encrypted – but theoretically the companies have access to it. Since user logs and data are thus accessible to the operators in principle, the services are also attractive to state actors. In order to force access, Telegram, for example, has been blocked in Russia for two years.
With Threema, on the other hand, the data is only stored on the user’s cell phone. If the smartphone is changed, users have to make a backup themselves and then reload the data. Threema only regularly creates an encrypted, anonymous backup of this data at the user’s request. Advantage: No one but the user himself has access to it. However, if the smartphone is lost (or stolen) and no backup was saved, all data is gone.
Similarly safe, and this might surprise some readers, is: WhatsApp! Here, too, any help is too late if the smartphone is lost without a backup. The chats and pictures are only stored on the smartphone and not on WhatsApp servers – a recovery without a backup is therefore impossible.
From a technical point of view, the conversations go through the WhatsApp server – but they arrive there exclusively encrypted, i.e. unreadable for WhatsApp. When the chat partner retrieves the message, only he or she can decrypt and read the data (see “Encryption”). After delivery, the data is deleted again by the WhatsApp server. With 55 billion messages, 4.5 billion photos and 1 billion videos sent via WhatsApp every day, this saves the operator a lot of storage space.
The criticism of WhatsApp is mostly directed at the recording of metadata: Anyone who uses WhatsApp and has thereby agreed to the terms and conditions provides WhatsApp with the phone number and contacts in the phone book. WhatsApp also needs these – so that the chat between two phones can take place (your number is your identification, unlike Apple, which uses an anonymous Apple ID, or Threema, which also has its own ID). Likewise, the GPS, time and date stamps of successfully delivered messages are stored. WhatsApp sees which numbers chatted at what time and where – but not what the content of the chat was!
According to WhatsApp’s T&Cs, companies must use the WhatsApp Business App (for small businesses) or the WhatsApp Business API (for medium-sized and large companies) in order to use WhatsApp for customer communication. Companies can only access this API via a verified “Business Solution Provider”, which hosts the API on its own servers. Encryption and decryption do not take place on WhatsApp servers, but on the end devices of the users or on the servers of the certified solution providers. WhatsApp thus does not have access to non-encrypted chats and data in this scenario either, but the transmission is just as strongly secured as when using the “classic” smartphone app. (A small side note on our own behalf: At the business solution provider MessengerPeople, these servers are located in Europe and are fully data protection-verified).
This makes the service increasingly attractive for sensitive industries as well: “WhatsApp is taking an unexpected and commendable approach here to handling user data responsibly. As a provider of software that processes medical data, we pay particular attention to the confidentiality and security of user data. We don’t use messenger services (yet), but this is a step in the right direction to make something like this possible in the future,” says Andreas Schwinger, Head of Digital Business at Melos GmbH, one of the leading IT companies for laboratory software, accordingly.
Authorities such as the Interior Minister of Germany or the Indian government have wanted to force some messaging app operators to hand over private chats of their users. WhatsApp would not be able to do this (see “Encryption” and “Data storage”) – and Threema also declined with:
Absolute confidentiality of communication lies in the DNA.
But the metadata generated during Messenger communication also arouses the interest of insurance companies and credit institutions. Of course, all messaging apps exclude the disclosure of data to authorities or companies. According to Messenger researcher Roland Schilling, the only critical point is with smaller providers: “At the same time, the app also has to cover its own costs, pay its staff and maintain the technical infrastructure. And then it occurs to them that they can also serve another market with the data that is fed to them daily by their users.” These lines make the reader wonder which messaging apps are most likely to rely on additional sources of revenue – and it’s probably not the marketing giant Facebook in the first place.
Ultimately, it is nowhere easier to break in than where you have the key. That’s why hackers – mostly purely for the sake of the challenge, by the way, and without any great commercial interests – like to attack encrypted systems.
There are two main weak points here: on the one hand, the user who installs malware unnoticed, for example, and on the other, the provider itself. If you compare Facebook’s IT department with that of smaller providers, for example, it quickly becomes clear who has more clout in defending against intruders.
On the other hand, WhatsApp, with its approximately 2 billion users, would certainly be the “accolade” for any hacker – while the hack of a “niche messaging app” is far less prestigious in the scene, and also in the public eye. The fact is: I am not aware of a single successful hack of WhatsApp to date (except for a few rather clumsy and very, very special cases – like the manipulations in group chats reported by Wired).
Paradoxically, one messaging app, in particular, claims security as its top priority. To make a long story short: No! Telegram Messenger is no more secure than WhatsApp. The marketing of Russian founder Pavel Valeryevich Durov, who also developed the exact copy of Facebook in Russia (VKontakte), apparently works nonetheless. So much so, in fact, that people paradoxically prefer to place their data in the hands of completely inscrutable developers rather than in the hands of a well-known billion-dollar corporation listed on the stock exchange. The RedaktionsNetzwerk Deutschland (RND) writes on the topic “Is Telegram secure”:
“Why the platform is gaining popularity outside the conspiracy scene is practically inexplicable. Not even the location of the company is known. According to its own information, the development team is located in Dubai, and the founders are two Russian developers. Where exactly the servers are located is largely unclear.”
In summary, all messaging apps (exception: the Asian messenger giant WeChat) are relatively secure. But ultimately, it is the same for the citizen as with the storage of saved money: It is quite safe in the safe at home – but very impractical. In a wallet, you have quick access – but also less security.
So as far as practical use is concerned (and that’s what messaging apps are all about), from a communication point of view, it doesn’t make much sense to go for the most secure alternative if a somewhat less “secure” messaging app is used by the majority of my contacts or my target group for communication.