In October 2021, Facebook (now Meta), and all its platforms (Instagram, WhatsApp and Messenger) shut down across the globe for up to six hours, leaving billions without a messaging service. While Facebook engineers scrambled to fix the problem, users pivoted to other apps to stay connected. In the wake of the outage, Telegram added 70 million users, according to the platform’s founder Pavel Durov.

While the Facebook outage was due to a routine maintenance error, the event led many to wonder about messaging app breaches and other issues. If someone switched from WhatsApp to Telegram, did they really end up with a more secure app? What makes a messenger app more secure? And what about the risks of using instant messages for business?

These questions matter, since we use messaging apps more and more in day-to-day life. This is especially relevant among international teams where rapid, affordable communication helps people work faster.

Messaging app security comparison

While there’s no consensus, messaging app security comparisons exist. But beware. What one source says is secure, another source might say otherwise.

Meanwhile, cybersecurity researcher Natalie Silvanovich from the Project Zero team at Google found a serious glitch in the Signal app. Using a modified client, she sent a peer-to-peer connect message to a device running Signal. This enabled a voice call to be answered, even though the callee never touched the device.

Silvanovich found similar gaps in Facebook Messenger, Google Duo, JioChat and Mocha. After her report, all these vulnerabilities have since been fixed.

Messaging app with privacy: What do threat actors use?

What about threat actors? What app are they chatting on? Is it secure? Recent research described a burgeoning network of cyber criminals on Telegram, where data leaks have increased in frequency. Some illicit Telegram channels host tens of thousands of subscribers, and the content looks like what one might find on darknet hubs. Still, what attracts threat actors might not be the app’s security, but rather the lack of platform moderation.

Security-wise, Telegram uses its own MTProto encryption protocol, rather than the more widely accepted Transport Layer Security (TLS) protocol. Some cryptographers consider MTProto to be a cryptographic weakness. While any encryption is better than none, the MTProto security requirement building blocks (hash functions, block ciphers, public-key encryption, etc.) are untested.

We dare you to attack us

Telegram isn’t worried about its encryption security, though. In fact, the platform recently held a contest to crack Telegram’s encryption. Despite offering a $30,000 bounty, nobody cracked the platform’s Secret Chats code. Note that the Telegram Secret Chats mode is not on by default, and it doesn’t function in group chat, either. During standard chat and group chat, end-to-end encryption remains inactivated on Telegram.

Up to 740 billion SMS messages per year exposed

What about SMS messages? Are they more secure? Syniverse is a company that routes hundreds of billions of text messages every year for hundreds of carriers, such as Verizon, T-Mobile and AT&T. In May 2021, the company told government regulators that attackers had been breaching its databases for five years. Syniverse processes over 740 billion messages each year for over 300 mobile operators worldwide.

What information did the attackers expose? The company did not say, but SMS text message content may have been targeted.

Big name messenger app security

Google Messages, Apple iMessage and Facebook Messenger (and Meta’s WhatsApp) have also been scrutinized for their application security. Google and Apple turn on encryption by default, as does WhatsApp, but Facebook Messenger does not.

Other criticisms about security surrounding Google and Facebook include the collection of user information. Since they collect user data, they must also secure it. This implies added risk. In addition, Apple uses a closed-source app and backend server code. This calls into question the quality of the code, including the strength of encryption or if vulnerabilities exist.

Get the signal?

Of all the messaging apps out there, Signal appears to be one of the more secure. Yes, it was found to be at risk for eavesdropping attacks as mentioned earlier, but that weakness has reportedly been fixed.

Meanwhile, Signal has many traits to look for in a secure messaging app, such as:

  • It’s an open-source project supported by grants and donations. This means there should be no ads, affiliates or hidden tracking.
  • End-to-end encryption by default means only the parties involved in the conversation can see the messages. No one else, not even the app owners, can see chat content.
  • A self-destructing, disappearing messages feature removes messages forever after a set period of time.
  • Minimal user data collection means messages, pictures and files are stored locally on your phone, unlike Google or Facebook apps which harvest information for other business purposes.

Messenger application hygiene

Beyond the intrinsic security of the messenger platform, how your teams interact with the app greatly affects security. For example, phishing campaigns and social engineering attacks have affected third-party messenger apps for years. Attackers simply send a tempting message to targets to get them to click on a link or download an infected file.

While breaching a corporate network from a smartphone app might be difficult, many users also install a desktop version of their messaging app. Any malicious link or download accessed from the desktop app version could open the door to malware.

No perfect messenger app

It’s likely that companies — especially ones with international teams — will continue to use popular messaging apps. While no application is 100% secure, some implement better security measures than others. End-to-end default encryption is one example of good security practice. It also pays to remind teams that online phishing scams are just as dangerous when they target you from your app.

More from Risk Management

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today