WhatsApp stepped up its security game by rolling out end-to-end encryption to its 700 million users earlier this year. Open Whisper Systems' Signal, released in 2014, is relatively new to the game, but has amassed a lot of security-focused followers due to its great encryption. For the uninitiated, most private messaging apps, such as WhatsApp, Facebook Messenger and Google Allo, use the secure Open Whisper Systems protocol to enforce encryption. So the average user may ask: if all of these messaging apps already sport strong Open Whisper Systems encryption, why so much fuss about moving to Signal? Today I'm going to highlight 5 security reasons to switch from WhatsApp to Signal:
1. WhatsApp Does Not Encrypt Metadata
Let me give you a quick heads-up on what metadata means. From Techterms.com: Metadata describes other data. It provides information about a certain item's content. For example, an image can include metadata that describes how big the photo is, color depth, image resolution, when the image was created, and other data.
Similarly, in the context of messaging, metadata means data about the actual text message, which may include the sender's phone number, the recipient's phone number, and the date and time of the message. At first glance, it is easy to dismiss message metadata as trivial. But make no mistake. Using metadata, researchers can build a network that describes with whom and when an individual communicates. For example, back in 2013, Microsoft's research team released a paper which described a system to discern your age, gender and sexuality based solely on the things you liked on Facebook. Pretty scary, right?
Likewise, while WhatsApp can't read your actual message, it can hand over message metadata to comply with laws. Law enforcement authorities can analyze this data to find out the date, the time and all the people you have been in contact with. Signal, the good guy, is proud to say that it encrypts this metadata, so when the time comes, it has next to nothing of substance to hand over.
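To make the privacy risk concrete, here is an added example (not part of the original article) that builds the "who talks to whom, and when" picture from nothing but sender, recipient and timestamp. The records and phone numbers are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime

# Constructed sample metadata: (sender, recipient, timestamp). No message text at all.
RECORDS = [
    ("+15550100", "+15550101", "2016-10-03T08:01:00"),
    ("+15550101", "+15550100", "2016-10-03T08:03:00"),
    ("+15550100", "+15550102", "2016-10-03T23:40:00"),
    ("+15550102", "+15550100", "2016-10-03T23:42:00"),
    ("+15550100", "+15550102", "2016-10-04T23:15:00"),
    ("+15550103", "+15550101", "2016-10-04T12:00:00"),
]

def contact_graph(records):
    """Undirected edge weights: how many messages each pair of numbers exchanged."""
    edges = Counter()
    for sender, recipient, _ in records:
        edges[tuple(sorted((sender, recipient)))] += 1
    return edges

def profile(records, number):
    """Summarise what the metadata alone reveals about one phone number."""
    contacts, hours, stamps = Counter(), Counter(), []
    for sender, recipient, ts in records:
        if number not in (sender, recipient):
            continue
        other = recipient if sender == number else sender
        when = datetime.fromisoformat(ts)
        contacts[other] += 1      # who they talk to, and how often
        hours[when.hour] += 1     # at what time of day they are active
        stamps.append(when)
    return {
        "contacts": contacts.most_common(),
        "busiest_hour": hours.most_common(1)[0][0] if hours else None,
        "first_seen": min(stamps) if stamps else None,
        "last_seen": max(stamps) if stamps else None,
    }

if __name__ == "__main__":
    for pair, count in contact_graph(RECORDS).most_common():
        print(pair, count)
    print(profile(RECORDS, "+15550100"))
```

Even on six records, the closest contact and the late-night activity pattern of one number fall out directly, which is why a service that retains no per-message metadata has so little to disclose.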
2. WhatsApp lacks in-app encryption
WhatsApp enabled end-to-end encryption for messages going over the internet, but missed out on a basic feature – no encryption for messages stored on your phone. So what good is encryption for messages on the network if someone happens to steal your device without a password? They can obviously go through all your messages.
To combat this, Signal encourages you to set up a password of your own choosing. All text messages in Signal are then encrypted with your password before being stored locally. You can also choose to lock Signal automatically after a certain period of time.
3. WhatsApp Online Backups Are Unencrypted
Backing up your WhatsApp messages to your Google Drive can come in very handy. After all, there's no telling when your phone might fail you or, worse, get stolen. Restoring messages from Google Drive could prove a lifesaver in these situations. Unfortunately, storing your data in the cloud presents an even greater risk when it comes to security. Since backup data is stored in Google Drive, your Google credentials are the only layer of security here. Don't trust me? WhatsApp's own settings screen clearly says that "Messages you backup are not protected by end-to-end encryption while in Google Drive".
If, God forbid, your Gmail is hacked, or if Google has to comply with a warrant, remember: all of your conversations are going to be exposed. But that's not all. Even if you have online backups disabled, if the other party you are chatting with has them enabled, you go down too. You know those times when you have to suffer for the faults of others? Yes, this is one of those moments.
Signal solves this problem nicely by not providing an online backup option. It only offers a simple manual backup/restore to plain text option if you need it.
It might not be the most convenient option, but in the end it all comes down to one thing: features vs security. And Signal does what it does best – focusing on safety.
4. WhatsApp is proprietary (and owned by Facebook!)
End-to-end encryption tells only one side of the story. For the full picture, it is necessary to understand how the encryption has been integrated. With closed-source apps like WhatsApp, it's nearly impossible to examine the code and see how the encryption has been built in. On the other hand, the Signal code base is open source and can be analyzed by researchers to check whether security measures are applied correctly.
Also, Facebook owns WhatsApp, and Facebook's business model is based on advertising. Remember how in August WhatsApp said they were going to share some of your data with parent company Facebook? Mainly, it shared your phone number to offer better friend suggestions and, of course, more relevant ads! Even if you opted out during the 30-day period, some data is still shared with Facebook.
By contrast, Open Whisper Systems is a nonprofit community of volunteers, as well as a small team of developers funded by dedicated grants.
5. Signal Has the Best Security-Focused Settings
I would also like to point out two small security-focused settings in Signal. The first is Disappearing messages, which stays true to its name and lets you send self-destructing messages. You can send messages that self-destruct after anywhere from 5 seconds all the way up to a week.
The second is Screen Security, which prevents anyone from taking a screenshot of your conversation. Obviously, it's not foolproof, as someone could always take a photo from another phone.
Also, your conversation does not show a preview in the Signal window when you press the recents/multitasking button on Android.
While these two aren't headline features, small details like these are why I'm inclined towards Signal.
Exactly how secure is Signal?
Signal provides high-level encryption, which is why even NSA whistleblower Edward Snowden recommends using it. If you really want to know what data Signal can share about you when the time comes, it is this: the time of your Signal account creation and the date of your last connection to Signal's servers, and even that with accuracy reduced to one day. That is more or less it. No, really. Not even the metadata, let alone the actual content of the message. For reference, Signal was subpoenaed recently and here is the information they handed over.
Download: Signal for Android | Signal for iPhone