WhatsApp now has a user base of more than one billion, but Telegram is quickly catching up. In February 2016 Telegram claimed over 350,000 users signed up every day, on top of the existing 100 million daily active users.
Telegram faces a lot of criticism for not being fully encrypted by default. But they were the first mass-market messaging app to offer any encryption, and as such were often referred to as the “encrypted chat app” in the media. It’s a nickname that seems to have stuck, and one that might have even contributed to the endorsements garnered from groups such as the notorious terrorist group, ISIS.
WhatsApp announced in September 2014 that it would move to full end-to-end encrypted chats, but only rolled out the feature in April 2016. Since then its PR aides have put much effort into claiming the title of the encrypted chat app.
The Beginnings of Telegram
Behind Telegram stand the brothers Nikolai and Pavel Durov, exiled Russian-born billionaires, previously famous for the Facebook clone Vkontakte (now VK). Pavel Durov had to leave Vkontakte in 2014 over a dispute about handing over Ukrainian protesters’ user data. Consequently, the brothers left Russia for Berlin, where they founded Telegram.
The Beginnings of WhatsApp
Brian Acton and Jan Koum founded WhatsApp in 2009 to publish quick status updates, similar to those on Facebook. It was the messaging feature bundled in version 2, however, that boosted user numbers and made the app a huge success.
In February 2014 Facebook bought WhatsApp for US$19 billion, and now they want to integrate it into their internet.org vision (disclaimer: ExpressVPN supports OpenMedia, an organization critical of internet.org).
Messengers are built on network effects—meaning what makes a messenger platform valuable is not how great, secure, or feature-rich this platform is, but rather how many people can be reached with it. But these network effects are fragile, as it is very easy and cheap for a user to switch messaging services. And though users can easily have multiple messengers installed alongside each other, many users prefer not to. So one platform could easily not only overtake another but also make it completely worthless.
As such, the “war of the messengers” (which also includes other giants like WeChat, Kakao, and Line) is very much real. WhatsApp even goes as far as blocking all links to Telegram messenger within its platform.
The Battle between WhatsApp and Telegram
ExpressVPN put both messengers to the test so that you can be more informed in choosing your favorite.
Let’s start with the biggest category:
Which Has the Better Message Encryption?
Telegram uses a self-developed protocol called MTProto. Telegram has been heavily criticized for creating its own standard rather than using an existing one. MTProto is not entirely new, however (it makes use of the AES and RSA standards), and Open Whisper Systems (the standard WhatsApp has incorporated) is also a new development.
The ExpressVPN team are not cryptographers, but it appears the MTProto protocol has yet to be broken. It’s also open-source, like all Telegram apps, so anyone is free to try to break it. In fact, Telegram has repeatedly offered large bounties (the current one is US$200,000 in Bitcoin) to anyone who can successfully break the standard, though Moxie Marlinspike, the creator of Open Whisper Systems, has called the prize “rigged” in his blog.
Telegram’s encryption cipher is certainly very fast and efficient, and encrypted messages can be sent when all other apps fail due to slow Internet connections. Telegram also changes keys every week, or after 100 messages, to provide perfect forward secrecy. Perfect forward secrecy ensures that if your phone were ever to get hacked and the encryption keys are stolen, your deleted messages could not be decrypted.
The big difference lies not in what encryption protocols are being used, but how they are applied. WhatsApp automatically encrypts all your messages, and there is no option to send an unencrypted message. This is a huge difference compared to Telegram’s encryption, where you have to select “Secret Chat” to initiate a secure conversation. Many people don’t do this, either because it’s an extra step, or because they don’t understand the necessity.
Without encryption, chats are vulnerable to interception and surveillance, even more so on Telegram, where messages are stored until you delete them. WhatsApp, on the other hand, does not store messages; it only forwards them to your device. Even group chats are encrypted in WhatsApp.
WhatsApp backdoor update:
In January 2017, the Guardian reported a backdoor in WhatsApp’s design. WhatsApp designed its encryption mechanism in a way that makes key changes seamless. However, the setup allows the WhatsApp servers, or anyone in control of them, to read your messages by requesting your app re-encrypt messages with a different key owned by the attacker. This loophole only works for messages about to be delivered and doesn’t work for messages delivered in the past.
To make sure nobody is snooping on your WhatsApp messages, go to Settings -> Account -> Security and enable “Show Security Notifications.” This would send you a notification if your contact’s keys changed, which could be a sign someone is using their own key to read your messages. If you receive a notification stating the key has changed, stop chatting until you have re-verified your intended contact’s public key.
Such an attack is theoretically also possible in Telegram, though not in active chats. In Telegram, each chat has its own key. This is great in theory, as it allows the creation of individual secure lines among trusted devices, but doesn’t work well in practice. Each time you start a new secret chat, you need to verify the other person’s identity again.
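The key-change handling described above for WhatsApp, modelled as an added Python example (not WhatsApp's or Telegram's code): a sender that accepts a new key seamlessly re-encrypts undelivered messages to it, while a sender that blocks holds them until the fingerprint is confirmed out of band. The `Sender` class, its method names and the sample keys are constructed for illustration, and no real encryption is performed.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Short digest two people can compare over another channel."""
    return hashlib.sha256(public_key).hexdigest()[:16]

class Sender:
    """Models the sender's key-change policy only; nothing is encrypted."""

    def __init__(self, block_on_change: bool, notify: bool = True):
        self.block_on_change = block_on_change
        self.notify = notify
        self.pinned = {}     # contact -> fingerprint currently trusted
        self.candidate = {}  # contact -> announced but unverified fingerprint
        self.pending = {}    # contact -> undelivered message texts
        self.notices = []    # what the user would see on screen

    def queue(self, contact: str, text: str, key: bytes) -> None:
        self.pinned.setdefault(contact, fingerprint(key))  # trust on first use
        self.pending.setdefault(contact, []).append(text)

    def key_update(self, contact: str, new_key: bytes) -> list:
        """Server announces a new key; returns texts re-encrypted to it."""
        fp = fingerprint(new_key)
        if fp == self.pinned.get(contact):
            return []
        if self.notify:
            self.notices.append(f"security code for {contact} changed")
        if self.block_on_change:
            self.candidate[contact] = fp   # hold messages until verified
            return []
        self.pinned[contact] = fp          # seamless: accept and resend
        return self.pending.pop(contact, [])

    def verify(self, contact: str, fp_from_contact: str) -> list:
        """Release held messages only if the out-of-band fingerprint matches."""
        if self.candidate.get(contact) != fp_from_contact:
            return []
        self.pinned[contact] = self.candidate.pop(contact)
        return self.pending.pop(contact, [])

# Constructed sample keys: Bob's original key and one the sender never verified.
BOB_KEY, UNVERIFIED_KEY = b"constructed-bob-key", b"constructed-other-key"

def run(block_on_change: bool) -> list:
    s = Sender(block_on_change)
    s.queue("bob", "meet at 6", BOB_KEY)
    return s.key_update("bob", UNVERIFIED_KEY)
```

`run(False)` returns the undelivered message re-encrypted to the new key, while `run(True)` returns nothing until `verify` is called with a fingerprint that matches the announced key.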
Verdict: Despite the recent backdoor story, it’s still a win for WhatsApp
Getting Started: Which Has the Better Sign up Process?
For WhatsApp, you can only sign up through a mobile phone app, while Telegram lets you sign up anywhere, even with their web app.
But both Telegram and WhatsApp use your phone number for authentication. This is convenient at first but raises serious security concerns. A hacker could take over your account by diverting text messages to their own number, either by tricking your mobile phone provider or even by colluding with them. The latter is especially of concern if your adversary is your local government.
For the encrypted WhatsApp, this will allow hackers to impersonate you, but with Telegram, someone could gain access to all your unencrypted chats and group chats.
Though WhatsApp has superior encryption, Telegram has the option to set a secondary password, which is effectively two-factor authentication. A hacker will need not only access to your phone number but also a password to get to your contacts.
Giving users no option other than signing up with a number is not a good practice. Phone numbers can easily be linked to an identity through location, and many countries require you to show ID when buying SIM cards.
How to Make the Sign up Process Better
Both Telegram and WhatsApp should allow you to sign up for their services through other identifiers, such as usernames or email addresses. WhatsApp needs a secondary password solution, and both WhatsApp and Telegram should probably make it mandatory.
Which Has the Best Download Options?
Telegram’s apps are all open-source, which means you can build them yourself, rather than downloading them from the app stores. You can modify the apps, and researchers can look through them to find errors in the implementation of security features. You can also build a Telegram integration for your own application, which makes it more accessible to people who do not have access to official app stores (for example if their country blocks them), but it also means a susceptibility to backdoored or malicious versions.
Open-source is pretty awesome, and Telegram impresses further with its wide range of supported platforms. There are the usuals such as iOS, Android, and Windows Phone, but there are also browser apps for Firefox and Chrome OS, a Pidgin plugin, desktop apps, and even a Command Line Interface! Sadly, though, the Windows and Linux apps are just wrapped versions of the browser app (Webogram), which does not support end-to-end encryption.
WhatsApp also has a Windows and Mac app, but it primarily focuses on mobile phones, where it supports older systems like Symbian or Blackberry. WhatsApp is far more restrictive and has in the past shut down independent implementations, such as a Pidgin plugin.
Which Is the Least Intrusive?
WhatsApp requires access to your entire address book to even function, something ExpressVPN regards as highly invasive. Without this access, WhatsApp is practically useless.
On Telegram, you can start chatting without giving the app access to your contacts. You also don’t have to hand out your telephone number to anyone you want to chat with. Instead, you can set a username and hand that out. That’s a pretty great, and privacy-friendly, feature.
Verdict: Telegram Wins