Messaging apps that are secure: Signal vs. WhatsApp

Consumers are increasingly concerned about their privacy as more communications and information are sent via messaging apps.
Two messaging apps, Signal and WhatsApp, have become common ways for people to talk to each other instead of sending a text. Finding out what happens to these conversations, some of which may include personal or financial details or even current events like Roe v. Wade being overturned, is critical to maintaining privacy.
Both WhatsApp, which is owned by Meta Platforms (META), and Signal, which is owned by a nonprofit called the Signal Foundation, are very secure since they offer end-to-end encryption (E2EE), Jason Glassberg, co-founder of Casaba Security, a Redmond, Wash.-based ethical hacking company, told TheStreet.
Signal is more secure since the app provides end-to-end encryption by default, and the company does not keep track of your communications. Messages on WhatsApp are also secure, and end-to-end encryption is on by default.
Consumers can never trust communications to be 100% secure, including communications apps on mobile devices, Mark Lambert, vice president of products at ArmorCode, a Palo Alto, Calif.-based application security provider, told TheStreet.
Both Signal and WhatsApp use encrypted communication protocols, meaning that even if intercepted, the messages are “unreadable,” he said.
How to make messages more secure
Signal has publicly stated that the company does not have access to users’ communications.
Security includes what data is stored on the servers and how well the overall system is protected, which includes how you secure your phone, Lambert said.
“Bottom line: Even with the best intentions, any system or service can be compromised,” he said. “I personally use both Signal (for work) and WhatsApp (for family) and am constantly on the lookout for any suspicious attachments or communications from unverified sources.”
A spokesperson for Signal told TheStreet that the company does not sell data, with “no advertisers to sell it to, and no shareholders to benefit from such sales” for all communications, including text, conversations and videos in both one-on-one and group chats.
Since Signal is a non-profit organization, its strategy on technology is different from that of its competitors.
“We’re building a different kind of technology – where your data stays in your hands,” the spokesperson said. “But we’re also building a different kind of technology organization — one without investors, quarterly earnings calls or stock price considerations.”
One advantage that Signal has is that “all your messages are stored locally on your device and not on Signal’s servers,” the spokesperson said. “Signal does not have access to what you send or who you communicate with and has no influence on the content anyone receives. Every call and message sent through Signal is encrypted by default.”
People who have concerns about their privacy should avoid backing up WhatsApp messages and shared media using iCloud or Google Drive because they could potentially be accessed by an outside party, Glassberg said.
“For the average person, both Signal and WhatsApp are safe and secure to use,” he said.
“All personal messages and conversations on WhatsApp are end-to-end encrypted, and messages are stored on your device and not WhatsApp servers after they are delivered,” a WhatsApp spokesperson said.
Why Signal beats WhatsApp
Signal is the better of the two messaging apps, although it does require a phone number to sign up, Jon Gaines, a senior application security consultant at nVisium, a Falls Church, Va.-based application security vendor, told TheStreet.
Meta may share account registration information, transaction data and service-related information to WhatsApp users, he said.
“I would avoid WhatsApp altogether,” Gaines said.
A positive factor is that WhatsApp uses the Signal protocol, so the content of your messages is most likely secure, he said. The Signal protocol is revised, hardened and monitored.
One hiccup is that based on Meta’s history, the company keeps data forever, Gaines said.
“Also, they have yet to disclose data retention policies, so what else can they see, such as time zone or IP address?” he said.
A big problem is that companies offering end-to-end encryption that are headquartered, or operate with servers, anywhere in the U.S. must comply with U.S. law enforcement, Gaines said.
“That means they have to be able to collect some type of information when they’re served with a court order, although the scope of that information is often very low in the case of pure E2E apps like Signal,” he said.
Consumers should be aware that their WhatsApp messages may be available to law enforcement if they back up messages to a cloud service, Karim Hijazi, CEO of Prevailion, a Houston-based cyber intelligence firm, told TheStreet.
Deletion of data
Signal does not have to delete messages sent by consumers because it does not receive them.
“The messages reside on the sender’s device and the recipient’s device,” Andrew Barratt, a vice president at Coalfire, a Westminster, Colo.-based provider of cybersecurity consulting services, told TheStreet.
While Signal has a “delete for everyone” feature, consumers should be aware that their “security is limited, as you can’t be sure the recipient hasn’t screenshotted the image or even taken it with another phone,” he said.
Messaging apps serve a purpose, such as for dissidents, whistleblowers, people who need increasingly difficult access to medical care or two people who just want to have a private chat, Sammy Migues, principal researcher at Synopsys Software Integrity Group, a Mountain View, Calif.-based provider of integrated software solutions, told TheStreet.
“If you just don’t want the neighbors to know, these apps are probably OK,” he said. “But if you don’t want the government to know, you might want to look elsewhere.”
Other security issues
Many mobile apps depend heavily on the underlying security of the platform they run on, such as iOS or Android, Barratt said.
Privacy features don’t necessarily equate to app security like being hacked, and consumers should keep their apps and underlying platform up to date, he said.
“As an end user of these mobile apps, it can often be very easy to find privacy features, but almost impossible to truly understand whether or not the application is secure on a given platform, as potential application security vulnerabilities can cause privacy features to be bypassed,” Barratt said.
A clear advantage of Signal is that its source code is open source and available via GitHub, so its security can be validated.
“Signal has a pretty phenomenal pedigree from its origins under Moxie Marlinspike’s direct leadership,” he said.
Signal and WhatsApp are both well secured from a security standpoint, Casey Ellis, CTO of Bugcrowd, a San Francisco-based leader in crowdsourced cybersecurity, told TheStreet.
WhatsApp has a long-standing bug bounty program and is supported by Facebook’s security team, while Signal is open source and is rigorously and continuously investigated for security flaws.