Comparisons of Signal vs whatsapp
WhatsApp is facing a lot of criticism since it rolled out the latest Privacy Policy updates. The Facebook-owned company has been trolled by several users over privacy concerns, and people are looking for Whatsapp alternatives. Are apps like Signal ,vivvber Telegram are good enough to replace WhatsApp ? We try to find out. Here’s an in-depth comparison of the most popular messaging apps.
WhatsApp is currently the largest messaging service in the world with over 2 billion monthly active users. Telegram has around 400 million users, while Signal has around 20 million monthly active users.
While WhatsApp stands biggest given the number of users, we can’t shy away from the growing popularity of Telegram and Signal.
| Google Messages | Apple iMessage | Facebook Messenger | Signal | Microsoft Skype | Telegram | Viber | Facebook Whatsapp | Wickr Me | Wire | |
|---|---|---|---|---|---|---|---|---|---|---|
| TL;DR: Does the app secure my messages and attachments? | No | No | No | Yes | No | No | No | No | No | Yes |
| Company jurisdiction | USA | USA | USA | USA | USA | USA / UK / Belize / UAE | Luxembourg / Japan | USA | USA | Switzerland |
| Infrastructure jurisdiction | Worldwide (rollout on-going, unsure of exact locations, most likely Google Cloud regions) | USA (Ireland and Denmark planned); iMessage runs on AWS and Google Cloud | USA, Sweden (Ireland planned) | USA | USA, the Netherlands, Australia, Brazil, China, Ireland, Hong Kong, and Japan | UK, Singapore, USA, and Finland | USA | USA (unsure of other locations) | USA (unsure of other locations) | EU |
| Implicated in giving customers’ data to intelligence agencies? | Yes | Yes | Yes | No | Yes | No | No | Yes | No | No |
| Surveillance capability built into the app? | No | No | No | No | Yes | No | No | No | No | No |
| Does the company provide a transparency report? | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes |
| Company’s general stance on customers’ privacy | Poor | Poor | Poor | Good | Poor | Poor | Poor | Poor | Good | Good |
| Funding | Apple | Freedom of the Press Foundation / the Knight Foundation / the Shuttleworth Foundation / the Open Technology Fund / Signal Foundation (Brian Acton) | Microsoft | Pavel Durov | Rakuten / friends and family of Talmon Marco (it’s very unclear) | Gilman Louie / Juniper Networks / the Knight Foundation / Breyer Capital / CME Group / Wargaming | Janus Friis / Iconical / Zeta Holdings Luxembourg | |||
| Company collects customers’ data? | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| App collects customers’ data? | Yes (Difficult to assess given the app is integrated into Google’s greater ecosystem) | Yes (Difficult to assess given the app is integrated into Apple’s greater ecosystem) | Health & fitness / purchases / financial info / location / contact info / contacts / user content / search history / browsing history / identifiers / usage data / sensitive info / diagnostics / other data | Contact Info | Yes (Information not submitted to Apple Store) | Contact info / contacts / identifiers | Location / identifiers / purchases / location / contact info / contacts / identifiers / usage data / user content / usage data / diagnostics | Purchases / financial info / location / contact info / contacts / user content / identifiers / usage data / diagnostics | Contact info / usage data / diagnostics (Contact info not sent when using anonymously) | Contact info / identifiers / usage data / diagnostics |
| User data and/or metadata sent to parent company and/or third parties? | Minimal (mandatory mobile number sent to third party for registration & recovery) | Yes | Yes | Yes | ||||||
| Is encryption turned on by default? | Yes | Yes | No | Yes | Yes | No | Yes (if device supports it) | Yes (if device supports it) | Yes | Yes |
| Cryptographic primitives | Curve25519 / AES-256 / HMAC-SHA256 | RSA-1280 (encryption), ECDSA 256 (signing) / AES 128 / SHA-1 | Curve25519 / AES-256 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | RSA-1536 & 2048 / AES 256 / SHA-1 | RSA 2048 / AES 256 / SHA-256 | Curve25519 256 / Salsa20 128 / HMAC-SHA256 | Curve25519 / AES-256 / HMAC-SHA256 | ECDH512 / AES-256 / HMAC-SHA256 | Curve25519 / ChaCha20 / HMAC-SHA256 |
| Are the app and server completely open source? | No | No | No | Yes | No | No (clients and API only) | No | No | No | Yes |
| Are reproducible builds used to verify apps against source code? | No | No | No | Android only | No | iOS and Android | No | No | No | No |
| Can you sign up to the app anonymously? | No | No | No | No | No | No | No | No | Yes | No |
| Can you add a contact without needing to trust a directory server? | N/A, Google Messages uses RCS, which doesn’t use a directory service | No | No | No | No | No | Yes | No | No | No |
| Can you manually verify contacts’ fingerprints? | Yes | No | Yes | Yes | No | No (session only, does not provide users’ fingerprint information) | Yes | Yes | Yes | Yes |
| Directory service could be modified to enable a MITM attack? | N/A, Google Messages uses RCS, which doesn’t use a directory service | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Do you get notified if a contact’s fingerprint changes? | No | Yes | No | No (session only, does not provide users’ fingerprint information) | Yes | No (setting turned off by default) | No | If contact was previously verified | ||
| Is personal information (mobile number, contact list, etc.) hashed? | N/A, Google Messages uses RCS, which doesn’t use a directory service | No | No | Mostly | No | No | No | No | Yes | Mostly |
| Does the app generate & keep a private key on the device itself? | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| Can messages be read by the company? | No | No | Yes | No | Yes | Yes | No | No | No | No |
| Does the app enforce perfect forward secrecy? | Yes | No | Yes | Yes | No (session keys do change after being used 100 times) | Yes | Yes | Yes | Yes | |
| Does the app encrypt metadata? | No | No | No | Yes | No | No | Yes | Mostly | ||
| Does the app use TLS/Noise to encrypt network traffic? | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes |
| Does the app use certificate pinning? | Yes (>=iOS 9.3) | Yes | Yes | |||||||
| Does the app encrypt data on the device? (iOS and Android only) | No | Yes (if passphrase enabled) | Yes (if passphrase enabled) | iOS: Yes (if passphrase enabled); Android: Yes (unsure of function) | Yes | |||||
| Does the app allow a secondary factor of authentication? | No | No | No | No | No | Yes | No | Yes | Yes (password for account used) | Yes |
| Are messages encrypted when backed up to the cloud? | Yes (>= Android P) | No | N/A, Signal is excluded from iCloud/iTunes & Android backups | iOS: Yes Android: No | N/A, Wire is excluded from iCloud/iTunes & Android backups | |||||
| Does the company log timestamps/IP addresses? | Yes | Yes | No | Yes | Yes | Yes | Yes | No | Some | |
| Have there been a recent code audit and an independent security analysis? | No | No | No | Yes (October, 2014) | No | Yes (November, 2015) | No | No | Yes (August, 2014) | Yes (March, 2018) |
| Is the design well documented? | No | Somewhat | Somewhat | Somewhat | No | Somewhat | Somewhat | Somewhat | Somewhat | Somewhat |
| Does the app have self-destructing messages? | No | No | Yes | Yes | No | Yes | Yes | No | Yes | Yes |
The WhatsApp privacy policy update is helping the other two gain more users over the app’s security and privacy.
WhatsApp has everything you would need on a social messaging service including the new in-app payments feature. Group chats work with up to 256 members. You can broadcast messages to multiple contacts, support voice and video calls, both for individuals and groups.
- Group video calls (8 users at any point of time)
- Ability to share live location with your contacts
- Backup and restore messages , data by using cloud services like Google Drive and iCloud
- WhatsApp uses end to end encryption (E2E) for communication: messages, video calls, voice calls, photos,gif etc
- WhatsApp Status feature (also called WhatsApp stories)
- Whatsapp allows you to share all sorts of files and documents (upto 100MB)
- Photos, videos and audio files can be shared upto 16 MB
- WhatsApp uses E2E protocol developed by Open Whisper Systems, same as Signal
Telegram
Telegram offers support to groups with up to 200,000 members. Known for its large and massive groups, Telegram offers multiple group-specific features such as bots, polls, quizzes and hashtags, extensive for large group experiences.
- Self-destructing messages, where the message will get deleted after a point of time
- The size limit for sharing files on Telegram is 1.5 GB
- Supports voice and video call on Android and iOS devices
- Telegram supports E2E only secret chats feature
- The company confirmed it shares 0 bytes of data with third-parties or any governments till date
Signal
Signal offers secure messaging, voice, and video calls with end-to-end encryption. You can create groups, but can’t broadcast messages to multiple contacts at once. Signal also has added support for group calling.
- Supports self-destructing messages
- Note to Self to share your own thoughts and ideas without creating single member groups
- Signal allows relay voice calls to its servers, identity is not shared, same as using a VPN
- Signal uses back-end user-facing encryption service
- It uses the open-source Signal Protocol to implement end-to-end encryption
- Signal also encrypts your metadata offering multiple levels of security
WhatsApp vs Signal vs Telegram: Privacy Permissions, Which One More Secure?
WhatsApp does not encrypt backups (cloud or local). Whatsapp also does not encrypt metadata unlike Signal, which is used to carry communication between two endpoints. WhatsApp group chats have been earlier found to be indexed on Google search, major data breach point.
Telegram group chats are not encrypted unless you use Secret Chats, which again only supports single-user communication.
In terms of user privacy, Signal offers the most secured form of communication on the internet as on date. But again, Signal is short of a host of features if compared to Whatsapp and Telegram. Signal by default encrypts all the local files with a 4-digit passphrase. It also supports encrypted group calls.
WhatsApp Data Collection
- Device ID
- User ID
- Advertising Data
- Purchase History
- Coarse Location
- Phone Number
- Email Address
- Contacts
- Product Interaction
- Crash Data
- Performance Data
- Other Diagnostic Data
- Payment Info
- Customer Support
- Product Interaction
- Other User Content
Telegram Data Collection
- Contact Info
- Contacts
- User ID
Signal Data Collection
- None
- It only stores your phone number