Messaging Apps That Are Secure: Signal vs. WhatsApp

Popular messaging apps such as Signal and WhatsApp attempt to protect the privacy and security of users.

Consumers are increasingly concerned about their privacy as more communication and information is sent via messaging apps.

Two messaging apps, Signal and WhatsApp, have become commonplace for people to talk to each other instead of sending a text. Figuring out what happens to those conversations, some of which may include personal or financial details or even current events such as Roe v. Wade being overturned, is critical to maintaining privacy.

Both WhatsApp, which is owned by Meta Platforms (META), and Signal, which is owned by a nonprofit called the Signal Foundation, are very secure since they offer end-to-end encryption (E2EE), Jason Glassberg, co-founder of Casaba Security, a Redmond, Wash.-based ethical hacking company, told TheStreet.

Signal is more secure since the app provides end-to-end encryption by default and the company does not keep records of your communications, although messages on WhatsApp are also secure and end-to-end encryption is on by default.

Consumers can never rely on any communication to be 100% secure, including communication apps on mobile devices, Mark Lambert, vice president of products at ArmorCode, a Palo Alto, Calif.-based application security provider, told TheStreet.

Both Signal and WhatsApp use encrypted communication protocols, which means that even if they are intercepted the messages are “unreadable,” he said.

How To Make Messages More Secure

Signal has publicly stated that the company does not have access to its users’ communications.

Security includes what data is stored on the servers and how well the overall system is protected, which includes how you secure your phone, Lambert said.

“Bottom line: Even with the best intentions, any system or service can be compromised,” he said. “I personally use both Signal (for work) and WhatsApp (for family) and am constantly vigilant of any suspicious attachments or communications from unverified sources.”

A Signal spokesperson told TheStreet that the company does not sell data and has "no advertisers to sell it to, and no shareholders to benefit from such a sale" for all communications, including text, calling and videos in both one-to-one and group chats.

Since Signal is a nonprofit, its strategy on tech is different from its competitors.

"We’re building a different kind of tech – where your data stays in your hands," the spokesperson said. "But we’re also building a different kind of tech organization - one without investors, quarterly earnings calls, or share price considerations."

One advantage that Signal has is that "all of your messages are stored locally on your device and not Signal's servers," the spokesperson said. "Signal doesn’t have access to what you send or with whom you communicate with and does not have any influence on the content anyone receives. Every call and message sent through Signal is encrypted by default."

People who have concerns about their privacy should avoid backing up their WhatsApp messages and shared media with iCloud or Google Drive because it could potentially be accessed by an outside party, Glassberg said.

“For the average person, both Signal and WhatsApp are secure and safe to use,” he said.

"All personal messages and calls on WhatsApp are end-to-end encrypted, and messages are stored on your device and not WhatsApp servers after they are delivered," a WhatsApp spokesperson said. 

Why Signal Beats WhatsApp

Signal is the ideal choice of the two messaging apps, even though it requires a phone number to sign up, Jon Gaines, a senior application security consultant at nVisium, a Falls Church, Va.-based application security provider, told TheStreet.

Meta can share the account registration information, transaction data and service-related information of WhatsApp users, he said.

“I would avoid WhatsApp completely,” Gaines said.

One positive factor is that WhatsApp does utilize the Signal protocol, so the content of your messages is most likely secure, he said. The Signal protocol is audited, hardened and monitored.

A hiccup is that based on the history of Meta, the company keeps data forever, Gaines said.

“In addition, they have not yet disclosed their data retention policy, so what else can they see, such as time zone or IP address?” he said.

A major issue is that companies that provide end-to-end encryption and are headquartered or operate anywhere in the U.S. with servers have to comply with U.S. law enforcement, Gaines said.

“That means they have to be able to collect some type of information when sent a court order, although the verbosity of that information is often very low when it comes to pure E2E apps like Signal,” he said.

Consumers should be aware that their WhatsApp messages could be accessible to law enforcement if they are backing up messages to a cloud service, Karim Hijazi, CEO of Prevailion, a Houston-based cyber intelligence company, told TheStreet.

Deleting Data

Signal does not have to delete any messages sent by consumers because they do not receive them.

“The messages reside on the sender and recipient's device,” Andrew Barratt, a vice president at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services, told TheStreet.

While Signal has a "delete for everyone" feature, consumers need to be aware that their “assurance is limited as you can’t be sure that the recipient hasn’t screenshotted the image or even captured it with another phone,” he said.

Messaging apps serve a purpose, such as for dissidents, whistleblowers, people needing increasingly difficult-to-get medical care or two people who just want to have a private chat, Sammy Migues, principal scientist at Synopsys Software Integrity Group, a Mountain View, Calif.-based provider of integrated software solutions, told TheStreet.

“If you just don’t want the neighbors to know, these apps are probably OK,” he said. “However, if you don’t want the government to know, then you might want to look elsewhere.”

Other Security Issues

Many mobile apps depend heavily on the underlying security of the platform they are running on such as iOS or Android, Barratt said.

Privacy features do not necessarily equate to application security, such as protection against being hacked, and consumers should keep the apps and the underlying platform up to date, he said.

“As an end user of these mobile apps, it can often be very easy to determine privacy features, but almost impossible to really understand whether or not the application is secure on a given platform as potential application security vulnerabilities could lead to privacy features being circumvented,” Barratt said.

One clear advantage of Signal is that its source code is open source and available via GitHub, so its security can be validated.

“Signal has a fairly phenomenal pedigree from its origins under Moxie Marlinspike’s direct leadership,” he said.

Signal and WhatsApp are both well-secured from a security standpoint, Casey Ellis, CTO at Bugcrowd, a San Francisco-based leader in crowdsourced cybersecurity, told TheStreet.

WhatsApp has a long-running bug bounty program and is backed by the capability of the Facebook security team, while Signal is open-source and heavily and continuously scrutinized for security flaws.