In October 2021, Facebook (now Meta), and all its platforms (Instagram, WhatsApp and Messenger) shut down across the globe for up to six hours, leaving billions without a messaging service. While Facebook engineers scrambled to fix the problem, users pivoted to other apps to stay connected. In the wake of the outage, Telegram added 70 million users, according to the platform’s founder Pavel Durov.

While the Facebook outage was due to a routine maintenance error, the event led many to wonder about messaging app breaches and other issues. If someone switched from WhatsApp to Telegram, did they really end up with a more secure app? What makes a messenger app more secure? And what about the risks of using instant messages for business?

These questions matter, since we use messaging apps more and more in day-to-day life. This is especially relevant among international teams where rapid, affordable communication helps people work faster.

Messaging app security comparison

While there’s no consensus, messaging app security comparisons exist. But beware. What one source says is secure, another source might say otherwise.

Meanwhile, cybersecurity researcher Natalie Silvanovich from the Project Zero team at Google found a serious glitch in the Signal app. Using a modified client, she sent a peer-to-peer connect message to a device running Signal. This enabled a voice call to be answered, even though the callee never touched the device.

Silvanovich found similar gaps in Facebook Messenger, Google Duo, JioChat and Mocha. After her report, all these vulnerabilities have since been fixed.

Messaging app with privacy: What do threat actors use?

What about threat actors? What app are they chatting on? Is it secure? Recent research described a burgeoning network of cyber criminals on Telegram, where data leaks have increased in frequency. Some illicit Telegram channels host tens of thousands of subscribers, and the content looks like what one might find on darknet hubs. Still, what attracts threat actors might not be the app’s security, but rather the lack of platform moderation.

Security-wise, Telegram uses its own MTProto encryption protocol, rather than the more widely accepted Transport Layer Security (TLS) protocol. Some cryptographers consider MTProto to be a cryptographic weakness. While any encryption is better than none, the MTProto security requirement building blocks (hash functions, block ciphers, public-key encryption, etc.) are untested.

We dare you to attack us

Telegram isn’t worried about its encryption security, though. In fact, the platform recently held a contest to crack Telegram’s encryption. Despite offering a $30,000 bounty, nobody cracked the platform’s Secret Chats code. Note that the Telegram Secret Chats mode is not on by default, and it doesn’t function in group chat, either. During standard chat and group chat, end-to-end encryption remains inactivated on Telegram.

Up to 740 billion SMS messages per year exposed

What about SMS messages? Are they more secure? Syniverse is a company that routes hundreds of billions of text messages every year for hundreds of carriers, such as Verizon, T-Mobile and AT&T. In May 2021, the company told government regulators that attackers had been breaching its databases for five years. Syniverse processes over 740 billion messages each year for over 300 mobile operators worldwide.

What information did the attackers expose? The company did not say, but SMS text message content may have been targeted.

Big name messenger app security

Google Messages, Apple iMessage and Facebook Messenger (and Meta’s WhatsApp) have also been scrutinized for their application security. Google and Apple turn on encryption by default, as does WhatsApp, but Facebook Messenger does not.

Other criticisms about security surrounding Google and Facebook include the collection of user information. Since they collect user data, they must also secure it. This implies added risk. In addition, Apple uses a closed-source app and backend server code. This calls into question the quality of the code, including the strength of encryption or if vulnerabilities exist.

Get the signal?

Of all the messaging apps out there, Signal appears to be one of the more secure. Yes, it was found to be at risk for eavesdropping attacks as mentioned earlier, but that weakness has reportedly been fixed.

Meanwhile, Signal has many traits to look for in a secure messaging app, such as:

  • It’s an open-source project supported by grants and donations. This means there should be no ads, affiliates or hidden tracking.
  • End-to-end encryption by default means only the parties involved in the conversation can see the messages. No one else, not even the app owners, can see chat content.
  • A self-destructing, disappearing messages feature removes messages forever after a set period of time.
  • Minimal user data collection means messages, pictures and files are stored locally on your phone, unlike Google or Facebook apps which harvest information for other business purposes.

Messenger application hygiene

Beyond the intrinsic security of the messenger platform, how your teams interact with the app greatly affects security. For example, phishing campaigns and social engineering attacks have affected third-party messenger apps for years. Attackers simply send a tempting message to targets to get them to click on a link or download an infected file.

While breaching a corporate network from a smartphone app might be difficult, many users also install a desktop version of their messaging app. Any malicious link or download accessed from the desktop app version could open the door to malware.

No perfect messenger app

It’s likely that companies — especially ones with international teams — will continue to use popular messaging apps. While no application is 100% secure, some implement better security measures than others. End-to-end default encryption is one example of good security practice. It also pays to remind teams that online phishing scams are just as dangerous when they target you from your app.

More from Risk Management

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today