The Game of Phones: WhatsApp vs Telegram vs encryption

12 min read
Lexie

Hi, I'm Lexie! I write about information security, Bitcoin, and privacy.

best-messenger

**UPDATED FOR 2017**

In this article, ExpressVPN focuses on WhatsApp and Telegram. If you want to see how other chat apps compare, click here for the best of the rest.

WhatsApp now has a user base of more than one billion, but Telegram is quickly catching up. In February 2016 Telegram claimed that more than 350,000 users signed up every day, on top of its existing 100 million daily active users.

Telegram faces a lot of criticism for not being fully encrypted by default. But it was the first mass-market messaging app to offer any encryption, and as such was often referred to as the “encrypted chat app” in the media. It’s a nickname that seems to have stuck, and one that might have even helped it earn endorsements from organizations such as ISIS, the notorious terrorist group.

WhatsApp announced it would move to full end-to-end encrypted chats in September 2014, but it only rolled out the feature in April 2016. Since then its PR aides have undergone much effort to claim the title of the encrypted chat app.

The beginnings of Telegram

Behind Telegram stand the brothers Nikolai and Pavel Durov, exiled Russian-born billionaires, previously famous for the Facebook clone Vkontakte (now VK). Pavel Durov had to leave Vkontakte in 2014 over a dispute about handing over Ukrainian protesters’ user data. Consequently, the brothers left Russia for Berlin, where they founded Telegram.

The beginnings of WhatsApp

Brian Acton and Jan Koum founded WhatsApp in 2009 to publish quick status updates, similar to those on Facebook. But it was the messaging feature bundled in Version 2 that boosted user numbers and made the app a huge success.

In February 2014 Facebook bought WhatsApp for $19 billion, and now Facebook wants to integrate it into its internet.org vision (disclaimer: ExpressVPN supports OpenMedia, an organization critical of internet.org).

Messengers are built on network effects—meaning what makes a messenger platform valuable is not how great, secure, or feature-rich this platform is, but rather how many people can be reached with it. But these network effects are fragile, as it is very easy and cheap for a user to switch messaging services. And though users can easily have multiple messengers installed alongside each other, many users prefer not to. So one platform could easily not only overtake another but also make it completely worthless.

As such, the “war of the messengers” (which also includes other giants like WeChat, Kakao, and Line) is very much real. WhatsApp even goes as far as blocking all links to Telegram messenger within its platform.

telegram-vs-whatsapp
Messages incoming. Will ExpressVPN’s review cause shame, shame, shame?

The battle between WhatsApp and Telegram

ExpressVPN put both messengers to the test so that you can be more informed in choosing your favorite.

Let’s start with the biggest category:

Which has the better message encryption?

Telegram uses a self-developed protocol, called MProto. Telegram has been heavily criticized for creating its own standard, rather than making use of something else. MProto is not entirely new, however (it makes use of the AES and RSA standards), and OpenWhisper Systems (the standard WhatsApp has incorporated) is also a new development.

ExpressVPN is not a cryptographer, but it appears the MProto protocol has yet to be broken. It’s also open-source, like all Telegram apps, so anyone is free to try to break it. In fact, Telegram has repeatedly offered large bounties (the current one is $200,000 in Bitcoin) to anyone who can successfully break the standard, though Moxie Marlinspike, the creator of OpenWhisper Systems, has called the prize “rigged” in his blog.

Telegram’s encryption cipher is certainly very fast and efficient, and encrypted messages can be sent when all other apps fail because of slow internet connections. Telegram also changes keys every week, or after 100 messages, to provide perfect forward secrecy. Perfect forward secrecy ensures that if your phone were ever to get hacked and the encryption keys stolen, your deleted messages could not be decrypted.

The big difference lies not in what encryption protocols are being used, but how they are applied. WhatsApp automatically encrypts all your messages, and there is no option to send an unencrypted message. This is a huge difference compared with Telegram’s encryption, where you have to select “Secret Chat” to initiate a secure conversation. Many people don’t do this, either because it’s an extra step, or because they don’t understand the necessity.

Without encryption, chats are vulnerable to interception and surveillance, even more so on Telegram, where messages are stored until you delete them. WhatsApp, on the other hand, does not store messages; it only forwards them to your device. Even group chats are encrypted in WhatsApp.

WhatsApp backdoor update:

In January 2017, The Guardian reported a backdoor in WhatsApp’s design. WhatsApp designed its encryption mechanism in a way that makes key changes seamless. However, the setup allows the WhatsApp servers, or anyone in control of them, to read your messages by requesting your app re-encrypt messages with a different key owned by the attacker. This loophole only works for messages about to be delivered and doesn’t work for messages delivered in the past.

To make sure nobody is snooping on your WhatsApp messages, go to Settings -> Account -> Security and enable “Show Security Notifications.” This would send you a notification if your contact’s keys changed, which could be a sign that third parties are using their own key to read your messages. If you receive a notification stating the key has changed, stop chatting until you have re-verified your intended contact’s public key.

Such an attack is theoretically also possible in Telegram, though not in active chats. In Telegram, each chat has its own key. This is great in theory, as it allows the creation of individual secure lines among trusted devices, but it doesn’t work well in practice. Each time you start a new secret chat, you need to verify the other person’s identity again.

Verdict: Despite the recent backdoor story, it’s still a win for WhatsApp

whatsapp-encryption

Getting started: Which has the better sign-up process?

For WhatsApp, you can only sign up through a mobile phone app, while Telegram lets you sign up anywhere, even with its web app.

But both Telegram and WhatsApp use your phone number for authentication. This is convenient at first, but it leaves serious security concerns. A hacker could take over your account by diverting text messages to the hacker’s own number by either tricking your mobile phone provider or even colluding with it. The latter is especially of concern if your adversary is your local government.

For the encrypted WhatsApp, this will allow hackers to impersonate you, but with Telegram, someone could gain access to all your unencrypted chats and group chats.

Though WhatsApp has superior encryption, Telegram has the option to set a secondary password, which is effectively two-factor authentication. A hacker will need not only access to your phone number but also a password to get to your contacts.

Giving users no option other than signing up with a number is not a good practice. Phone numbers can easily be linked to an identity through location, and many countries require you to show ID when buying SIM cards.

Verdict: Draw

game-of-phones

How to make the sign-up process better

Both Telegram and WhatsApp should allow you to sign up for their services through other identifiers, such as usernames or email addresses. WhatsApp needs a secondary password solution, and both WhatsApp and Telegram should probably make it mandatory.

Which has the best download options?

Telegram’s apps are all open-source, which means you can build them yourself, rather than download them from the app stores. You can modify the apps, and researchers can look through them to find errors in the implementation of security features. You can also build a Telegram integration for your own application, which makes it more accessible to people who do not have access to official app stores (for example if their country blocks them), but it also means a susceptibility to backdoored or malicious versions.

Open-source is pretty awesome, and Telegram impresses further with its wide range of supported platforms. There are the usuals such as iOS, Android, and Windows Phone, but there are also browser apps for Firefox and Chrome OS, a Pidgin plugin, desktop apps, and even a Command Line Interface! Sadly, though, the Windows and Linux apps are just wrapped versions of the browser app (Webogram), which does not support end-to-end encryption.

WhatsApp also has Windows and Mac apps, but it primarily focuses on mobile phones, where it supports older systems like Symbian or BlackBerry. WhatsApp is far more restrictive and has in the past shut down independent implementations, such as a Pidgin plugin.

Verdict: Telegram wins

telegram-encryption

Which is the least intrusive?

WhatsApp requires access to your entire address book to even function; something ExpressVPN regards as highly invasive. Without this access, WhatsApp is practically useless.

On Telegram, you can start chatting without giving the app access to your contacts. You also don’t have to hand out your telephone number to anyone you want to chat with. Instead, you can set a username and hand that out instead. That’s a pretty great, and privacy-friendly, feature.

Verdict: Telegram wins

telegram-encryption

How to make chatting better

A messenger shouldn’t ask you to upload your entire address book just to get started, and you shouldn’t have to give out a phone number for people to be able to reach you.

Which offers the best group chat features?

As mentioned, group chats are encrypted in WhatsApp, and you can create groups with up to 256 members. That’s pretty amazing, although, with that many people in the group, you can probably assume it’s no longer private.

Telegram group chats are unencrypted but have a few more features. You can even create supergroups with thousands of participants. In these supergroups, you can pin messages and create invite URLs that can be posted on your website, or sent in an email. You can also add the infamous Telegram bots to your groups, making it easy to do polls, or play games.

Verdict: WhatsApp wins, encryption is king

whatsapp-encryption

Which app has the best features in general?

As already mentioned, Telegram impresses through its features. While WhatsApp also embeds some content and shows previews for sites and videos, everything seems a lot slicker in Telegram. You have to leave the Telegram app far less to see chat content, and that translates into a good user experience.

Telegram is also the more open platform. You can easily create your own bot, upload your own sticker set (ExpressVPN even found one on Information Security!), or even alter the client and release it with new features (as GetGems has done), which allows you to embed Telegram messenger capability into any other app. Telegram also has channels, which allow you to easily share updates about yourself, like a short blog.

WhatsApp, however, has one feature that ExpressVPN likes quite a lot, and really can’t do without: Encrypted phone calls. It works quite well, is free, and beats a regular phone call regarding convenience, security, and cost.

Telegram’s huge advantage lies in being independent of a single device. You can install Telegram on as many computers and phones as you like, and even have the web app open in separate browsers at the same time. In WhatsApp, your primary device has to be turned on and connected to the internet, even when you are using WhatsAppWeb.

Verdict: WhatsApp wins, purely for the encrypted phone calls

whatsapp-encryption

Other privacy and security issues

Both Telegram and WhatsApp allow you to control the “last seen” stamp, and both allow a compiled list of blocked users.

The fact that you can easily log into Telegram from multiple devices can become a security threat, though the platform mitigates this well by making your “active sessions” visible in the settings, where you can also easily disable anything that is not you.

Telegram will also automatically delete your account, along with all the information contained within, after six months of non-use (you can set this to one month, or a year), so if other people were to get your phone number after you abandon it, they wouldn’t get access to your account.

In Telegram you can additionally control who is allowed to add you to groups, making it harder for spammers to annoy you.

Telegram’s “secret chats” come with a few more perks than just encryption: You get notified when the other party takes a screenshot, and you can set a self-destruct time from anywhere between one second to one week. After the destruction, the app deletes all the messages on both devices (starting from when the other party read the message), putting you more in control of what your phone stores, and what information could become vulnerable if your phone is stolen or lost.

Telegram secret chats also do not send any message previews to Apple or Google servers, where they could also be additionally logged. In WhatsApp (and Telegram unencrypted chats), this option exists, but you have to disable it manually. Telegram also asks if you want to enable link previews in secret chats. Link previews are generated on Telegram’s servers, and they could compromise privacy, so it’s wise to disable them.

Telegram secret chats cannot be backed up, while WhatsApp chats can be. On iOS, you get the option to back up your chats in iCloud, while on Android you can save them to your Google Drive. On other platforms, you might have the choice to download them as a file. When you or one of your contacts enables this, your chats are only as secure as this backup. Be careful!

Verdict: Telegram wins

telegram-encryption

Results: Telegram wins! But so does WhatsApp!

Telegram wins overall! The platform impresses by being open-source, is easily accessible for designers (stickers) and developers (bots), and boasts a massive line-up of apps for all kinds of platforms. All apps ExpressVPN tried felt fast and beautifully integrated with the operating systems they were built for. While you’ll be far from anonymous, ExpressVPN feels you are a bit more in control of your identity and contacts. The biggest problem is the lack of end-to-end encryption by default.

WhatsApp wins encryption

The one-billion-people app has brought end-to-end encryption to the masses, and ExpressVPN thinks it may be the only big platform that does encryption right. Unfortunately, WhatsApp struggles to become more than a dull pipe for messages, and some users might expect more. The fact that users are confined to a single device/app feels like the biggest barrier.

Curious about other messengers? Click here for ExpressVPN’s chat app privacy rankings.

Also, be sure to check out the Guide for Mobile Security.

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.