Signal vs WhatsApp

Comparison of Signal vs WhatsApp

WhatsApp is facing a lot of criticism since it rolled out the latest Privacy Policy updates. The Facebook-owned company has been trolled by several users over privacy concerns, and people are looking for WhatsApp alternatives. Are apps like Signal, Viber and Telegram good enough to replace WhatsApp? We try to find out. Here’s an in-depth comparison of the most popular messaging apps.

WhatsApp is currently the largest messaging service in the world with over 2 billion monthly active users. Telegram has around 400 million users, while Signal has around 20 million monthly active users.

While WhatsApp is the biggest by number of users, we can’t ignore the growing popularity of Telegram and Signal.

| | Google Messages | Apple iMessage | Facebook Messenger | Signal | Microsoft Skype | Telegram | Viber | Facebook WhatsApp | Wickr Me | Wire |
|---|---|---|---|---|---|---|---|---|---|---|
| TL;DR: Does the app secure my messages and attachments? | No | No | No | Yes | No | No | No | No | No | Yes |
| Company jurisdiction | USA | USA | USA | USA | USA | USA / UK / Belize / UAE | Luxembourg / Japan | USA | USA | Switzerland |
| Infrastructure jurisdiction | Worldwide (rollout on-going, unsure of exact locations, most likely Google Cloud regions) | USA (Ireland and Denmark planned); iMessage runs on AWS and Google Cloud | USA, Sweden (Ireland planned) | USA | USA, the Netherlands, Australia, Brazil, China, Ireland, Hong Kong, and Japan | UK, Singapore, USA, and Finland | USA | USA (unsure of other locations) | USA (unsure of other locations) | EU |
| Implicated in giving customers’ data to intelligence agencies? | Yes | Yes | Yes | No | Yes | No | No | Yes | No | No |
| Surveillance capability built into the app? | No | No | No | No | Yes | No | No | No | No | No |
| Does the company provide a transparency report? | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes |
| Company’s general stance on customers’ privacy | Poor | Poor | Poor | Good | Poor | Poor | Poor | Poor | Good | Good |
| Funding | Google | Apple | Facebook | Freedom of the Press Foundation / the Knight Foundation / the Shuttleworth Foundation / the Open Technology Fund / Signal Foundation (Brian Acton) | Microsoft | Pavel Durov | Rakuten / friends and family of Talmon Marco (it’s very unclear) | Facebook | Gilman Louie / Juniper Networks / the Knight Foundation / Breyer Capital / CME Group / Wargaming | Janus Friis / Iconical / Zeta Holdings Luxembourg |
| Company collects customers’ data? | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| App collects customers’ data? | Yes (Difficult to assess given the app is integrated into Google’s greater ecosystem) | Yes (Difficult to assess given the app is integrated into Apple’s greater ecosystem) | Health & fitness / purchases / financial info / location / contact info / contacts / user content / search history / browsing history / identifiers / usage data / sensitive info / diagnostics / other data | Contact Info | Yes (Information not submitted to Apple Store) | Contact info / contacts / identifiers | Location / identifiers / purchases / location / contact info / contacts / identifiers / usage data / user content / usage data / diagnostics | Purchases / financial info / location / contact info / contacts / user content / identifiers / usage data / diagnostics | Contact info / usage data / diagnostics (Contact info not sent when using anonymously) | Contact info / identifiers / usage data / diagnostics |
| Is encryption turned on by default? | Yes | Yes | No | Yes | Yes | No | Yes (if device supports it) | Yes (if device supports it) | Yes | Yes |
| Cryptographic primitives | Curve25519 / AES-256 / HMAC-SHA256 | RSA-1280 (encryption), ECDSA 256 (signing) / AES 128 / SHA-1 | Curve25519 / AES-256 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | RSA-1536 & 2048 / AES 256 / SHA-1 | RSA 2048 / AES 256 / SHA-256 | Curve25519 256 / Salsa20 128 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | ECDH512 / AES-256 / HMAC-SHA256 | Curve25519 / ChaCha20 / HMAC-SHA256 |
| Are the app and server completely open source? | No | No | No | Yes | No | No (clients and API only) | No | No | No | Yes |
| Are reproducible builds used to verify apps against source code? | No | No | No | Android only | No | iOS and Android | No | No | No | No |
| Can you sign up to the app anonymously? | No | No | No | No | No | No | No | No | Yes | No |
| Can you add a contact without needing to trust a directory server? | N/A, Google Messages uses RCS, which doesn’t use a directory service | No | No | No | No | No | Yes | No | No | No |
| Can you manually verify contacts’ fingerprints? | Yes | No | Yes | Yes | No | No (session only, does not provide users’ fingerprint information) | Yes | Yes | Yes | Yes |
| Directory service could be modified to enable a MITM attack? | N/A, Google Messages uses RCS, which doesn’t use a directory service | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Is personal information (mobile number, contact list, etc.) hashed? | N/A, Google Messages uses RCS, which doesn’t use a directory service | No | No | Mostly | No | No | No | No | Yes | Mostly |
| Can messages be read by the company? | No | No | Yes | No | Yes | Yes | No | No | No | No |
| Does the app use TLS/Noise to encrypt network traffic? | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes |
| Does the app allow a secondary factor of authentication? | No | No | No | No | No | Yes | No | Yes | Yes (password for account used) | Yes |
| Have there been a recent code audit and an independent security analysis? | No | No | No | Yes (October, 2014) | No | Yes (November, 2015) | No | No | Yes (August, 2014) | Yes (March, 2018) |
| Is the design well documented? | No | Somewhat | Somewhat | Somewhat | No | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat |
| Does the app have self-destructing messages? | No | No | Yes | Yes | No | Yes | Yes | No | Yes | Yes |

For the rows below, fewer than ten values are available, so they are listed in the order given rather than assigned to apps.

  • User data and/or metadata sent to parent company and/or third parties? Minimal (mandatory mobile number sent to third party for registration & recovery) | Yes | Yes | Yes
  • Do you get notified if a contact’s fingerprint changes? No | Yes | No | No (session only, does not provide users’ fingerprint information) | Yes | No (setting turned off by default) | No | If contact was previously verified
  • Does the app generate & keep a private key on the device itself? Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
  • Does the app enforce perfect forward secrecy? Yes | No | Yes | Yes | No (session keys do change after being used 100 times) | Yes | Yes | Yes | Yes
  • Does the app encrypt metadata? No | No | No | Yes | No | No | Yes | Mostly
  • Does the app use certificate pinning? Yes (>=iOS 9.3) | Yes | Yes
  • Does the app encrypt data on the device? (iOS and Android only) No | Yes (if passphrase enabled) | Yes (if passphrase enabled) | iOS: Yes (if passphrase enabled); Android: Yes (unsure of function) | Yes
  • Are messages encrypted when backed up to the cloud? Yes (>= Android P) | No | N/A, Signal is excluded from iCloud/iTunes & Android backups | iOS: Yes, Android: No | N/A, Wire is excluded from iCloud/iTunes & Android backups
  • Does the company log timestamps/IP addresses? Yes | Yes | No | Yes | Yes | Yes | Yes | No | Some

Concerns over security and privacy raised by the WhatsApp privacy policy update are helping the other two gain more users.

WhatsApp

WhatsApp has everything you would need in a social messaging service, including the new in-app payments feature. Group chats work with up to 256 members. You can broadcast messages to multiple contacts, and voice and video calls are supported for both individuals and groups.

  • Group video calls (8 users at any point of time)
  • Ability to share live location with your contacts
  • Back up and restore messages and data using cloud services like Google Drive and iCloud
  • WhatsApp uses end-to-end encryption (E2E) for communication: messages, video calls, voice calls, photos, GIFs, etc.
  • WhatsApp Status feature (also called WhatsApp stories)
  • WhatsApp allows you to share all sorts of files and documents (up to 100 MB)
  • Photos, videos and audio files can be shared up to 16 MB
  • WhatsApp uses the E2E protocol developed by Open Whisper Systems, the same as Signal

Telegram

Telegram supports groups with up to 200,000 members. Known for its very large groups, Telegram offers multiple group-specific features such as bots, polls, quizzes and hashtags, aimed at large group experiences.

  • Self-destructing messages, where the message is deleted after a set period of time
  • The size limit for sharing files on Telegram is 1.5 GB
  • Supports voice and video calls on Android and iOS devices
  • Telegram supports E2E encryption only in its Secret Chats feature
  • The company confirmed it has shared 0 bytes of data with third parties or any governments to date

Signal

Signal offers secure messaging, voice, and video calls with end-to-end encryption. You can create groups, but can’t broadcast messages to multiple contacts at once. Signal also has added support for group calling.

  • Supports self-destructing messages
  • Note to Self lets you save your own thoughts and ideas without creating single-member groups
  • Signal can relay voice calls through its servers so that your identity is not shared, the same as using a VPN
  • Signal uses a back-end user-facing encryption service
  • It uses the open-source Signal Protocol to implement end-to-end encryption
  • Signal also encrypts your metadata offering multiple levels of security

WhatsApp vs Signal vs Telegram: Privacy Permissions, Which One Is More Secure?

WhatsApp does not encrypt backups (cloud or local). Unlike Signal, WhatsApp also does not encrypt metadata, which is used to carry communication between two endpoints. WhatsApp group chats have previously been found indexed on Google Search, a major data breach point.

Telegram group chats are not encrypted unless you use Secret Chats, which again only support single-user communication.

In terms of user privacy, Signal offers the most secure form of communication on the internet to date. But again, Signal lacks a host of features compared to WhatsApp and Telegram. Signal by default encrypts all the local files with a 4-digit passphrase. It also supports encrypted group calls.

WhatsApp Data Collection

  • Device ID
  • User ID
  • Advertising Data
  • Purchase History
  • Coarse Location
  • Phone Number
  • Email Address
  • Contacts
  • Product Interaction
  • Crash Data
  • Performance Data
  • Other Diagnostic Data
  • Payment Info
  • Customer Support
  • Product Interaction
  • Other User Content

Telegram Data Collection

  • Contact Info
  • Contacts
  • User ID

Signal Data Collection

  • None
  • It only stores your phone number