December 7, 2022

Secure messaging apps: Signal vs WhatsApp

Consumers are increasingly concerned about their privacy as more communications and information are sent through messaging apps.

Two messaging apps, Signal and WhatsApp, have become commonplace for people to talk to each other instead of texting. Understanding what happens to those conversations, some of which may include personal or financial details or even current events such as the overturning of Roe v. Wade, is essential to maintaining confidentiality.

WhatsApp, which is owned by Meta Platforms (META), and Signal, which belongs to a non-profit called the Signal Foundation, are very secure because they offer end-to-end encryption (E2EE), Jason Glassberg, co-founder of Casaba Security, an ethical hacking company based in Redmond, Washington, told TheStreet.

Signal is more secure because the app provides end-to-end encryption by default, and the company doesn’t keep a record of your communications. Messages on WhatsApp are also secure, and end-to-end encryption is enabled by default.

Consumers can never rely on 100% secure communication, including communication apps on mobile devices, Mark Lambert, vice president of products at ArmorCode, a Palo Alto, California-based app security provider, told TheStreet.

Signal and WhatsApp both use encrypted communication protocols, which means that even if intercepted, the messages are “unreadable”, he said.

How to make messages more secure

Signal has publicly stated that the company does not have access to the communications of its users.

Security includes protecting data stored on servers and the entire system, including how you secure your phone, Lambert said.

“The bottom line: Even with the best of intentions, any system or service can be compromised,” he said. “I personally use both Signal (for work) and WhatsApp (for family) and am constantly on the lookout for any suspicious attachments or communications from unverified sources.”

A Signal spokesperson told TheStreet that the company does not sell data, with “no advertisers to sell it to and no shareholders to benefit from such sale,” for all communications including text messages, calls and videos in individual and group chats.

Since Signal is a non-profit organization, its technology strategy is different from that of its competitors.

“We’re building a different kind of technology – where your data stays in your hands,” the spokesperson said. “But we’re also building a different kind of technology organization — one without investors, quarterly earnings calls, or stock price considerations.”

One of the benefits of Signal is that “all of your messages are stored locally on your device and not on Signal’s servers,” the spokesperson said. “Signal has no access to what you send or who you communicate with and has no influence over the content anyone receives. Every call and message sent through Signal is encrypted by default.”

People who are concerned about their privacy should avoid backing up their WhatsApp messages and shared media to iCloud or Google Drive because they could potentially be viewed by an outside party, Glassberg said.

“For the average person, Signal and WhatsApp are secure and safe to use,” he said.

“All personal messages and calls on WhatsApp are end-to-end encrypted, and messages are stored on your device and not on WhatsApp servers after delivery,” a WhatsApp spokesperson said.

Why Signal beats WhatsApp

Signal is the ideal choice between the two messaging apps, although it does require a phone number to register, Jon Gaines, senior app security consultant at nVisium, a Falls Church, Virginia-based app security provider, told TheStreet.

Meta may share account registration information, transaction data and service information of WhatsApp users, he said.

“I would avoid WhatsApp altogether,” Gaines said.

A positive factor is that WhatsApp uses the Signal protocol, so the content of your messages is most likely secure, he said. The Signal protocol is audited, hardened and monitored.

One catch is that, based on Meta’s history, the company keeps the data forever, Gaines said.

“Also, they haven’t disclosed their data retention policy yet, so what else can they see, like time zone or IP address?” he said.

A major issue is that companies providing end-to-end encryption that are headquartered in, or operate servers anywhere in, the United States must comply with US law enforcement, Gaines said.

“That means they need to be able to collect some type of information when sent a court order, although the verbosity of that information is often very low when it comes to pure E2E apps like Signal,” he said.

Consumers should be aware that their WhatsApp messages could be accessible to law enforcement if they save messages to a cloud service, Karim Hijazi, CEO of Prevailion, a Houston-based cyber intelligence firm, told TheStreet.

Data deletion

Signal does not have to delete messages sent by consumers because it does not receive them.

“Messages reside on the sender’s and recipient’s device,” Andrew Barratt, vice president of Coalfire, a Westminster, Colorado-based cybersecurity consulting service provider, told TheStreet.

Although Signal has a “delete for everyone” feature, consumers should be aware that their “assurance is limited because you cannot be sure that the recipient did not capture the image or even have it captured with another phone,” he said.

Messaging apps have a purpose, such as for dissidents, whistleblowers, people finding it increasingly difficult to get medical attention, or two people who just want to have a private conversation, Sammy Migues, principal scientist at Synopsys Software Integrity Group, a Mountain View, California-based integrated software solutions provider, told TheStreet.

“If you just don’t want the neighbors to know about it, those apps are probably fine,” he said. “However, if you don’t want the government to know, you might want to look elsewhere.”

Other Security Issues

Many mobile apps rely heavily on the underlying security of the platform they’re running on, such as iOS or Android, Barratt said.

Privacy features don’t necessarily equate to app security, such as protection against hacking, and consumers need to keep apps and the underlying platform up-to-date, he said.

“As an end user of these mobile apps, it can often be very easy to determine the privacy features, but it’s almost impossible to truly understand whether or not the app is secure on a given platform because potential application security vulnerabilities could lead to privacy features being bypassed,” Barratt said.

A clear advantage of Signal is that its source code is open and available on GitHub, so its security can be validated.

“Signal has a pretty phenomenal pedigree since its origins under the direct leadership of Moxie Marlinspike,” he said.

Signal and WhatsApp are both well secured, Casey Ellis, chief technical officer of Bugcrowd, a San Francisco-based cybersecurity leader, told TheStreet.

WhatsApp has a long-standing bug bounty program and is backed by the capability of Facebook’s security team, while Signal is open-source and thoroughly and continuously scrutinized for security vulnerabilities.