Skip to main content

Privacy and security in messaging apps, explained

Android Messages Folder
Android Messages Folder (Image credit: Jerry Hildenbrand / Android Central)

You just got one of the best Android phones and chances are one of the first things you'll do is message a friend to tell them the good news.

When we send a message to someone, we should expect a few things: that they'll get the message, nobody else can read the message, and no other company is tracking anything we do while we're chatting it up. Unfortunately, it doesn't usually work that way.

Most one-on-one ways to message someone are secure to an extent. Nobody can read your Twitter DMs unless they are logged in as you. Google and Facebook spend a lot of money to make sure the servers that transmit messages are locked-down tight. Apps like Signal and Telegram are developed with help from security specialists to make them secure.

Most messengers are secure, but few are actually private.

Unfortunately, privacy is another matter. Most messaging apps are designed to track you in some way. The developers want to know how and when you use them, how long you used them, where you are, whether you're on Wi-Fi or cellular network, and so on. Your carrier tracks everything you do and even keeps a log of what you typed. Nobody is actually reading your messages because all this tracking is automated, but there's a file attached to you that's chock full of data about you.

Both of these things are pretty important — and before you say you don't care, think how you would feel if I came into your house and dug through your dresser drawers. Privacy and security should be important to everyone. Unfortunately, how it all ties together when you send a message to a friend is confusing, so let's break it down and try to fix that.

Privacy

Telegram Message

Source: Jerry Hildenbrand / Android Central (Image credit: Source: Jerry Hildenbrand / Android Central)

Guess what? I fell going down the steps the other day. I was chatting in a Telegram group when it happened and I said something like "o crap I just fell down the stairs again" and laughed it off. I shared this with a few friends, and to my pal Jeramy I mentioned that I usually have to kind of crawl my way up or down because walking isn't my strong point. Now I'm sharing that with you.

There are some things we just don't want to share with the world or with an app developer.

This isn't the kind of information I want to share with the world, but I'm doing it this time to prove a point — we say things in messages that we don't ever want other people to read. It doesn't have to be something illegal or something sexy or something dramatic. It could be something as simple as saying you're a grown man who has to crawl up and down the stairs. We want to keep the things we message private between just ourselves and the intended recipient(s). And yes, Jeramy said I could share this.

This is the kind of privacy we understand. Nobody wants someone else to read their messages. But privacy means a little bit more when you're talking about an app on your smartphone. All Android apps aren't offenders, but many of them try to track everything you do. Most messenger apps are fairly decent about the data they collect and only want metrics that they can use to improve the app or the service.

Never give an app access to your contacts so it can help you find your friends. You can do that yourself.

One thing almost every messenger app does though is ask to look into your address book to help you find friends that also use the app. Unfortunately, that often ends up with an app harvesting all the contact data you have on your phone including phone numbers and notes you've added. Always say no when a messenger asks for access to your contacts. If not for yourself, do it for your friends.

Also, remember that your carrier tracks everything, and also keeps a record of your SMS messages. It's doubtful that anyone reads them unless they are subpoenaed by a law enforcement agency.

Security

Signal, WhatsApp, and Telegram logos on Android phones

Source: Joe Maring / Android Central (Image credit: Source: Joe Maring / Android Central)

When it comes to messaging, security means two different things: the security of the service and any cloud components, and the security of the messaging service itself. A big part of a messaging service's security is also designed to protect your privacy.

The cloud component of any decent messaging service is kept secure.

Every name that you know when it comes to a messaging service keeps its servers secure. That doesn't mean that they are impenetrable — it means that the company spends the time and money to make the servers that transmit your messages as secure and up to date as they can be. Your messages only spend a very short time on these servers and should never be stored.

The second layer of security that applies to those servers is how the service itself works. Ideally, a messaging service should use true end-to-end encryption. That means when you send a message, it's encrypted and only the recipient has the key to decrypt it. If someone were to break into a server or find another way to capture a message that's being sent they would not have the key to decrypt it.

End to end encryption is a must if you value your privacy and care about security.

Encryption isn't foolproof though. Any encryption can be broken if someone wants to put enough time and effort into it. Thankfully, most of us aren't high-profile public figures and thus aren't worth that time and effort. A bigger problem is when a service is forced to share encryption keys with a government. That has happened and will happen again. Your government does not like encryption because it wants to be able to read your messages if you were on trial for committing a criminal act.

The final thing to know is that encryption on any level means nothing if someone is able to get access to your phone. Messages from any service are just a tap away from anyone. Keep your lock screen active, use a good password and PIN, set up a biometric lock for convenience, and never rely on Android's stock face unlock or pattern lock as the only thing keeping someone else out of your phone.

What's the most secure service?

Security info about Signal

Source: Joe Maring / Android Central (Image credit: Source: Joe Maring / Android Central)

The answer here is debatable, but my choice as the most private and secure messenger is Signal (opens in new tab). Many services offer end-to-end encryption and have well-maintained cloud servers, but Signal is open-source and security experts love digging through the code trying to find a way to break it. By doing so, any vulnerabilities can be quickly patched and the process starts all over again.

Signal or Telegram are your best choices for a secure and private messenger.

Telegram (opens in new tab) is also open source, but only for a client that uses the Telegram API as the server isn't open-source the way Signal's is. That's some important code for security researchers to have access to and with Telegram, they just don't. Either Telegram or Signal is a very good choice though and you should consider your messages secure and private when using either service.

The more important conversation here is which services don't offer privacy or good security that helps protect it. That list is long and also debatable, but there are a few standouts.

  • SMS is never secure nor is it private.
  • Google Messenger/Chat is not end-to-end encrypted if you send an SMS message. The same goes for iMessage if you happen to use an iPhone, iPad, or an Apple computer.
  • WhatsApp offers end-to-end encryption but Facebook simply can't be trusted to not track your usage.
  • Facebook Messenger has the same problem as WhatsApp — Facebook itself.
  • DMs through social networks aren't encrypted and your usage is tracked both on the web and through an app.

In the end, you're probably not going to be able to get all your friends, family, and odd acquaintances to switch messaging apps, so a lot of this conversation is moot. That's why I have and use four messaging services — nobody wants to switch to Signal, which is my preference.

What you can do is use some common sense when you're chatting and remember that it's possible someone else might get to see anything you send. It's doubtful that anyone with the time and the skill is trying to get into your messaging accounts, but it could happen.

Jerry Hildenbrand
Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

10 Comments
  • Signal is my messaging service of choice, too. I've never installed or used it though, there's no point.
  • Interesting. You say, "never let apps have access to your contacts". And yet, both messenger apps you favor request, in fact, require it!
    You say, encryption is important. And yet, everywhere I look on tec sites that dubious Telegram messenger is being promoted, which has, as you probably know, no e2e encryption unless one specifically engages in a secure chat! By your definition everyone should stay away from these two apps. As far as I know there's only one messenger app that does not require access to contacts, nor your phone number, nor your email - in fact, no personal info whatsoever from a user. That app is Threema, a Swiss based company. The app is open source and to finance their operation it cost you a few bucks. It's highly popular in Germany, Switzerland and Austria.
  • Telegram does not "require" access to your contacts. I just downloaded and installed it.
    Its working fine without access to my contacts.
  • "Always say no when a messenger asks for access to your contacts. If not for yourself, do it for your friends." So I've installed Signal but none of my contacts want to make the effort to switch from WhatsApp.
    But, If I refuse to accept their (Facebook's) disgraceful Terms and Conditions in May and my contacts agree and accept them, does that mean that my friends will automatically be sharing my details from their WhatsApp account with Facebook?
    And if my friends already use Facebook and the other social media apps it owns (I never have and never will use any of them) have they already been given access to my Contacts? And if so does it really make any difference whether or not I stop using WhatsApp, or is it too late and I might as well click on Agree?
    Jerry is right, as ever, to raise the issue. Privacy and Security is a nightmare but have we already sold our souls?
  • There's a good chance Facebook got all the data in your friend's contacts, including whatever they have entered for you. I'm not positive Facebook is an offender, but if I were a betting man I would say yes. That's the problem with giving access to contacts — it's an all or nothing deal and any app has full access to read all the data stored in there.
  • I thought iMessage is end to end?
  • Not when sending or receiving SMS messages. No service can encrypt an SMS.
  • “You just got one of the best Android phones and chances are one of the first things you'll do is message a friend to tell them the good news.” Nope 😋
  • I have been a BBM fan for a LONG time...
    When they brought a cross platform version over I was elated and then able to make the move to Android from BlackBerry.. Still miss my Q30.. Today, I use BBM Enterprise and pay the semi annual fee since the free model went away. I have my friends and family mostly using it as well... ....I really hope that BlackBerry does make another Android device and that this time they get serious enough for me to potentially make a purchase... 🤞
  • No mention of session app?? Anonymous sign up, e2ee, open source, no contact requested, no metadata collected or leaked, onion routing through incentivized node owners, and otp is possible. Ever looked into child pornography and telegram can't consciously support or use a app company allowing that on their platform.