Messenger apps have become an integral part of our everyday lives. Whether it’s WhatsApp, Signal, Telegram, or Threema – everyone uses them for private or professional communication. The choice of service is usually based on which messenger most of your friends use. From a data protection and IT security perspective, however, this is rarely the best choice.
This article doesn’t aim to dictate which app you should use – because that’s often impractical. For example, if your football club, a neighborhood group, or a parent community has agreed on a particular service, it’s hard to opt out. What’s important is this: understand the risks of messenger services and find ways to minimize them as much as possible.
What Features Should a Secure Messenger Have?
A key feature of secure messengers is end-to-end encryption (E2EE). It ensures that only the sender and the recipient can read the messages – not even the messenger service provider has access.
However, it’s important to note: E2EE must not only exist technically but also be actively enabled. For example, with Telegram, encryption is only active in “Secret Chats” – if you forget that, you’re communicating unencrypted, even though the app technically supports E2EE.
For more detailed information on why E2EE can be implemented more effectively in native apps, see the previous article Mobile Apps vs. Web Apps – Special Case: Messaging Services.

Group Chats: Particularly Sensitive for Confidential Topics
Even when E2EE is active, group chats remain problematic. You never have complete control over who is reading along. It’s not uncommon for the wrong people to be added – either intentionally or by mistake (see recent incidents from the White House).
Therefore: sensitive information doesn’t belong in group chats – even if they are encrypted.
Device Linking and Chat Backups: Use With Caution
Many messengers allow you to use chats across multiple devices or to back up your chat history. This is convenient, but increases the attack surface:
- Whenever possible, link multiple devices only for non-sensitive content.
- Regularly check which devices still have access to your account.
- Carefully consider whether you really need backups – especially for sensitive data.
If you want to preserve important information, it’s better to export it manually and store it encrypted in a secure location. When in doubt, avoid backups altogether, especially cloud backups, which can be easily compromised in the event of an attack.

User Account: The Phone Number as a Weak Spot
Many messengers use the phone number for identification. This is convenient but risky – because:
- If you change your number, you may lose access to your account.
- Phone numbers can be spoofed or hijacked (keyword: SIM swapping).
A secure messenger should therefore offer additional identification mechanisms such as a service account or a PIN to verify your identity. Also check whether the service offers options like two-factor authentication or device verification.
Metadata and Profiling
Even if your message content is encrypted, many messengers can infer your behavior through so-called metadata – such as when, with whom, and how often you communicate. This data can be used for profiling, for example, for targeted advertising.
If you’re dependent on a specific messenger, say, for organizing a group that can’t switch to a more secure service, you can still do something: use the messenger strictly for that purpose. This minimizes the amount of data available for profiling.
Conclusion
Much of this article may seem overly cautious at first glance. But anyone who has experienced having an account hacked or private content suddenly made public knows: protecting personal communication is no trivial matter.
The good news is: you don’t need a perfect solution – but using messenger apps consciously can significantly reduce risks.
Checklist
- Don’t share anything in group chats you wouldn’t want to see published in a newspaper under your full name.
- Verify the identity of your chat partners: the phone number alone is not reliable proof. Some messengers offer features like QR code scans to match encryption keys.
- If a message seems strange or suspicious: better to call or ask in person to confirm whether the message really comes from the person it claims to come from.
- For confidential conversations:
  - Use only one device
  - Do not create backups
  - Store important information encrypted outside the app
- Secure your device with a strong passcode and biometrics
- Know how to completely wipe the device – simply deleting the app is not enough if backups remain on the device.