with one call you could spy on others

What is the safest messaging app?



When it comes to secure messaging apps, the loudest sounding names are Signal, Telegram, and WhatsApp. Today we face them face to face to see what is the safest messaging app for Android.



We will leave in the background therefore design, functionalities, number of users and other important factors when comparing messaging applications to focus only on the security and privacy of these three applications. Which one will come out better?






Permissions



The first thing you should consider when installing an application if you are concerned about your privacy are the permits they require, although it is true that this has changed a lot since Marshmallow and its runtime permissions arrived. With them the permissions are only requested if they are necessary, and you are free not to grant them if you do not want to use that function.



Permissions WhatsApp, Telegram and Signal permissions


Telegram and WhatsApp they have almost the same permissions Except for the access to SMS (used to verify the account), which is no longer necessary in Telegram but is still present in WhatsApp. Signal has the same permissions as Telegram but adds one more: the calendar. This permission is used to share your calendar events with other people on Signal.



All three apps make reasonable use of permissions



All three applications make reasonable use of permissions, asking for them only when necessary. In this way, you only need to grant the camera permission to send photos, or the storage permission to send files and photos saved on the mobile. In this regard, all applications behave the same.



Where there are some differences are in what permissions are really necessary for a basic use of the application. Telegram insists a lot during the initial setup for you to grant it permission to access the call log, though you can use it without granting a single permission. The same with Signal: your life will be easier if you add the permission to the contacts, although technically you can do it without them, adding by username in Telegram or by phone number, in Signal.



Thing Without the permission of "contacts" using WhatsApp is difficult


WhatsApp is the only one that "forces" you to grant access permission to contacts. Without it, you can't start a conversation with the app on its own, although you could use this method to talk to someone with their phone number. In short, all three apps handle permissions with sanity, although WhatsApp makes it a bit more difficult for you. Point for Telegram and Signal.



Access protection (PIN, fingerprint)



Private


Before worrying about what happens to your data in transit from your mobile to the receiver (that is, encryption), you should also take into account the security of your data on the phone itself. What if someone has physical access, even momentary, to your phone?



I am sure that if you are concerned about the privacy of your data you will have established an unlocking protection for your mobile, but perhaps Smart Unlock or another technology relaxes the security. If a person has access to your phone, can they read your Telegram, WhatsApp and Signal chats?



Fortunately, all three applications include a native function for protect chats from outside eyes, after WhatsApp added fingerprint protection. In none of the cases the protection comes active from home, but it is you who must activate it from the settings.



Locks Security options in Telegram, Signal and WhatsApp


There are some differences between the available options, however. Signal uses the Android lock, and can be activated automatically after a period of time, while in Telegram you have a little more control, being able to use a PIN or password and block the application at any time with the padlock icon. WhatsApp has the protection with fewer options, as it can only be by fingerprint. More options, more points. Point for Telegram.



Encryption



Encryption


All three applications use end-to-end encryption (WhatsApp's is signed by the creators of Signal, to be exact) although I already anticipate that Telegram is not going to take any point in this section. Not because your MTProto home-cooked encryption is insecure, but because not activated in all chats by default (normal chats are encrypted, but not end-to-end).



While WhatsApp and Signal use end-to-end encryption for all communications, in Telegram it is only used in secret chats, which add other extra security features like protection against screenshots and self-destructing messages.



Mtproto Diagram of how Telegram's client-cloud encryption works


Without secret chats Telegram continues to encrypt messages between the client and cloud and there is only evidence of a vulnerability in the implementation, dating from 2013. Although the experts are not very excited about Telegram using its own implementation, on paper it seems that in terms of security it has everything tied and well tied .



However, it is obvious that those concerned about your safety prefer that encryption occurs entirely at sender and receiver, without servers involved. Although all three applications can potentially do this, only WhatsApp and Signal do it transparently to the user, who should not take any additional steps.



Codes To verify that the "line is secure", you can compare the encryption keys


Considering that WhatsApp and Signal share encryption technology, it makes sense that they also share encryption scores. Point for Signal and WhatsApp and none for Telegram until it at least includes the option for all chats to be end-to-end encrypted by default, without having to choose each time.



Metadata



Metadata


Ensuring that your messages are transmitted safely and without anyone being able to intercept them is important, but the content of the message is as important as its metadata. Metadata in this context refers to all the additional information that accompanies a message, not including its own content.



By exampleIf someone calls a pizzeria and orders a pizza, the listener will know what happened, but the same can also be inferred from the metadata. This person called this phone that belongs to a pizzeria at lunchtime ... he will have ordered a pizza. Something similar happens with our conversations.



With encryption, nobody can read your messages, but they can know who you are talking to and from where, through the metadata



WhatsApp collects a good amount of metadata of its users such as IP addresses, dates of use, phone and model, network operator, phone number, unique device identifier, location and contacts. By crossing this information, even without being able to read the content of the messages, you can make pretty rough assumptions about who you are talking to and in some cases what.



Telegram It is cloud-based so technically all your messages, photos and files sent in non-private conversations are stored (encrypted, yes) on their servers, although in terms of metadata it is not very clear what other data they collect in addition to your contacts, devices and IP addresses. These data are kept for a maximum period of one year.



Signal is the only app on our list that minimizes metadata that saves. Just archive the last time you connected (the day, not even the time) and the phone number of your account. So, point for Signal.



Extra privacy / security features



Now that we've covered the most important things, it's time to assess the additional merits of each of the apps. Do you have added functions to improve your privacy and security that others do not have?



In the case of WhatsApp, the most relevant are the privacy options with which you can hide profile photo, connection time, info and status of some or all people, who can add you to groups and verification in two steps. There really isn't much else to grab the attention of privacy lovers.



WhatsApp Extra WhatsApp features


Telegram includes two-step verification and privacy controls similar to WhatsApp, and adds to the mix self-destructing messages, incognito keyboard support (be careful, you need a compatible keyboard app like Gboard or SwiftKey) and the protection against screenshots, although only in secret chats. You can also configure Telegram so that the account is destroyed after a certain period of activity, as well as prevent the text of a new message from being displayed in the notification.



Telegrammations Extra Telegram options


Signal It does not let you choose who can see your name and profile photo (it is shown to all the contacts you have in your account) but otherwise it also includes two-step verification (call here more correctly Registration lock PIN), self-destructing messages, notifications without messages, incognito keyboard and blocking (optional) against screenshots.



Signal adds to this the possibility of masking your IP address in calls and the self-delete old messages after exceeding a certain amount. With the advantage that all of the above is available in all conversations.



Privacy Signal privacy options


Considering that Signal was born as a secure messaging app, it should come as no surprise that it comes with quite a few privacy options as standard. It has some more than Telegram, although in return Telegram gives you more control over who can and cannot contact you or see your information. The last point is shared for Signal and Telegram.



Final result and comparative table



We have reached the end of the comparison and the time has come to count the votes. In case you don't want to retrace your steps to add up the points for each application, here is a summary table.
































WhatsApp



Telegram



Signal



Permissions



0



1



1



Access protection



0



1



0



Encryption



1



0



1



Metadata



0



0



1



Extra features



0



1



1



Total



1



3



4


So that, Signal is the best messaging app in terms of privacy and security, scoring a point against WhatsApp and Telegram in practically all the fronts that we have previously analyzed. The only one where the point is not taken home is in access protection that, although it has it, it is not as complete as that of Telegram.



WhatsApp only excels at encryption, at a point that it shares with Signal as it is powered by the same Open Whisper encryption. By last, Telegram is in second position with three points thanks to its padlock to protect chats, to the precision of its privacy options since technically you can use it without granting a single permission.

























































WhatsApp



Telegram



Signal



Mandatory permissions



Contacts



None



None



Chat protection



Yes, by footprint



PIN and password (fingerprint compatible)



Android lock (fingerprint compatible)



End-to-end encryption



Yes, all chats.



Only in secret chats.



Yes, all chats.



Collecting metadata



IP addresses, dates of use, phone and model, network operator, phone number, unique device identifier, location and contacts



Unknown, but being cloud-based, everything you do on Telegram is registered on their servers.



Only phone number and last day of connection



Two-step verification



Yes



Yes



Yes



Protection against screenshots



No



Yes, optional.



Yes, optional



Self-destructing messages



No



Yes, in secret chats



Yes



Notifications without content



No



Yes, optional.



Yes, optional.



Keyboard in incognito mode



No



Yes, in secret chats



Yes, optional



Mask IP in video calls



No



No



Yes, optional.



Account self-destruction due to inactivity



No



Yes, optional.



No



Delete messages after a certain limit



No



No



Yes, optional