Telegram Vs Signal vs WhatsApp | Comparison, Differences between Messaging Apps

A Comprehensive Comparison of Secure Messaging Apps:
Signal, Telegram, WhatsApp, and Session

Secure messaging apps have become increasingly important in recent years, as privacy concerns continue to mount and more people seek to protect their personal and sensitive information. Some of the most popular secure messaging apps include Signal, Telegram, WhatsApp, and Session.

Each of these apps uses a combination of encryption technologies, privacy-enhancing features, and user-friendly interfaces to provide secure and private communication for users.

Each of these apps has its own strengths and weaknesses. The best choice for a given user will depend on their specific privacy and security needs, as well as their personal preferences for user interface and additional features. Regardless of which app a user chooses, however, they can be confident that they are using a secure and private communication tool that will help protect their information and conversations from prying eyes.

An Overview
Signal, Telegram, WhatsApp, and Session are all secure messaging applications that aim to provide users with privacy and security in their online communications. Each of these messaging apps has its own unique features and approaches to privacy and security.

Signal is developed by Open Whisper Systems as an open-source app. The app is widely regarded as one of the most secure messaging apps available. It uses end-to-end encryption to protect messages and calls, meaning that only the sender and recipient can access the content of a message. Signal also has advanced security features such as password-protected lock screens and the ability to verify the identity of your contacts. They are known for their strong encryption and privacy features, including end-to-end encryption for all messages, voice and video calls, and group chats.

Telegram is a cloud-based messaging app that offers end-to-end encryption for secret chats but not regular ones. It also provides features like group chats, bots, and a large library of stickers and gifs. It uses encryption to protect messages, but the encryption keys are stored on Telegram's servers, which some security experts believe could make the app vulnerable to hacking. Telegram also has a "Secret Chats" feature that uses end-to-end encryption to protect messages.

WhatsApp is a popular messaging app that Facebook owns. The app uses end-to-end encryption for all messages, voice and video calls, and group chats. It has a large user base and is known for its user-friendly interface and integration with other Facebook products.
Despite its security features, some people have concerns about WhatsApp's connection to Facebook and the potential for the app to collect and share users' data.

Session still needs to be discovered by many. Session is a decentralized and open-source messaging app. The app uses some of the most advanced privacy-enhancing technologies, such as the Signal protocol, onion routing, and decentralized message storage and retrieval. The goal of Session is to provide users with minimal metadata leakage and strong message encryption while providing an easy-to-use interface with features such as multi-device support, attachments, and group chats. It also uses a proof-of-work mechanism to prevent spam attacks and offers additional security features like threat codes, remote wipes, and pseudonyms.

Independence
WhatsApp is owned by the big player Facebook, which means that Facebook has (theoretically) access to the data collected by WhatsApp, including messages and user information. This has raised privacy concerns for some people, as Facebook has a history of collecting and using user data for its own purposes.

Signal is an independent, non-profit organization that is focused on providing secure communication tools. It is not owned by any corporation or company and is funded through grants and donations.

Telegram is an independent company founded by the brothers Pavel and Nikolai Durov and is based in Dubai. It operates as a separate entity and is not owned by any other company or corporation.

Session is an open-source project that is developed and maintained by a community of volunteers. Any corporation or company does not own it.

But the independence of Telegram, compared to Session and Signal, is a matter of perspective. On the one hand, Telegram is an independent company that any other corporation does not own, giving it greater control over its operations and development.

On the other hand, like any company, Telegram may still be subject to outside influences such as government regulations, legal requirements, and economic pressures. Therefore, the extent to which Telegram can be considered independent depends on the specific circumstances and issues being considered. Ultimately, the independence of Telegram, like any company, is a complex and nuanced issue that requires careful consideration and examination of multiple factors.

Interesting is a piece of information that most users do not know: Pavel Durov, the founder of Telegram, is a member of the World Economic Forum (WEF).
The WEF is an international organization that brings together business, government, and civil society leaders to discuss global issues and find solutions. Membership in the WEF is by invitation only and is generally extended to leaders and experts in various fields.
Being a member of the WEF does not necessarily mean that Pavel Durov or Telegram have any particular political or corporate affiliations. However, it indicates that he is recognized as a leader in his field and involved in discussions about critical global issues. It's important to keep in mind that the World Economic Forum is a neutral platform for discussion and collaboration, and membership does not imply endorsement of any particular political or corporate agenda.

Comparing Signal and Session:
A Detailed Look at Privacy and Security in Independent Messaging Apps

Because of their independency, let us compare Signal and Session in detail. 
Both apps are known for their strong focus on privacy and security. Here's some more information on each of them:

Signal
End-to-end encryption:
Signal uses end-to-end encryption to protect messages, which means that only the sender and recipient can access the content of the message. 

Advanced security features:
Signal has advanced security features such as password-protected lock screens and the ability to verify the identity of contacts.

Open-source:
The source code for Signal is publicly available and can be reviewed by anyone, contributing to its transparency and security. This allows experts and the community to examine the code, identify potential vulnerabilities, and contribute to improving the app.

Non-profit organization:
Signal is a non-profit organization that is funded through grants and donations, which means that any corporation or company does not influence it.

Privacy-focused:
Signal strongly focuses on privacy, and it does not collect or store any user data on its servers.

Session
End-to-end encryption:
Session uses end-to-end encryption to protect messages, which means that only the sender and recipient can access the content of the message.

Decentralized network:
Session uses a decentralized network to transmit messages, which makes it difficult for anyone, including the developers of the app, to access the content of messages.

Open-source:
Session is an open-source project, meaning the code is publicly available for anyone to review and audit.

Privacy-focused:
Session strongly focuses on privacy, as it does not store any message data on its servers and uses a decentralized network to transmit messages.

So, both Signal and Session are known for their strong focus on privacy and security, and they are independent of any corporation or company.

Highly Secure: Signal and Session
Signal and Session are considered highly secure messaging apps, and each level of security is primarily based on the implementation of end-to-end encryption.
In terms of how they encrypt messages, both Signal and Session use a similar encryption protocol called the Signal Protocol. The Signal Protocol uses a combination of asymmetric (public key) and symmetric (private key) encryption to protect messages.

Here's a high-level overview of how the encryption works in each of the apps:

Signal
Key exchange: When you first start a conversation with a contact, Signal generates a unique encryption key for that conversation. The encryption key is exchanged between the sender and recipient using a combination of public key and private key encryption.

Message encryption: Once the encryption key has been exchanged, messages are encrypted using a private key and sent to the recipient. The recipient uses their private key to decrypt the message.

Session
Key exchange: When you first start a conversation with a contact, Session generates a unique encryption key. The encryption key is exchanged between the sender and recipient using a combination of public key and private key encryption.

Message encryption: Once the encryption key has been exchanged, messages are encrypted using a private key and sent directly from the sender to the recipient using a peer-to-peer network. The recipient uses their private key to decrypt the message.

Both Signal and Session use the Signal Protocol (https://signal.org/docs/) to encrypt messages and protect them from third-party access. The main difference between the two is in their design and the way they transmit messages, with Signal using centralized servers and Session using a decentralized network. However, both apps provide high security and privacy for messages.

In terms of security, both Signal and Session have similar features, such as end-to-end encryption and the ability to verify the identity of contacts. However, there are some differences between the two in terms of implementation and design.
 

As mentioned before, Signal is a centralized app that uses servers to transmit messages. This can make it easier for the app developers to add new features and fix bugs, but it also means that the servers could be vulnerable to hacking or other security threats.

Signal has a strong focus on privacy and security, and it implements several advanced security features to protect user data. On the other hand, Session is a decentralized app that uses a peer-to-peer network to transmit messages. This means that there are no central servers that could be vulnerable to attack, making it difficult for anyone, including the app developers, to access the content of messages. 

However, this decentralized design also means that Session may have a steeper learning curve and may not be as user-friendly as Signal. 
In theory, a decentralized app like Session may be considered more secure than a centralized app like Signal, as there is no central point of failure that hackers or other security threats could target.

Encryption Standards

Both Signal and Session use the Signal Protocol for encryption, a combination of asymmetric (public key) encryption and symmetric (private key) encryption. The Signal Protocol uses the Double Ratchet Algorithm (https://signal.org/docs/specifications/doubleratchet/) for symmetric encryption, which uses a combination of AES encryption and the XSalsa20 stream cipher. The key length used for AES encryption is AES-256, considered a strong encryption standard and widely used in many security-sensitive applications.

AES-256 encryption in the Signal Protocol ensures that messages are protected from unauthorized access and encrypted using a robust and widely-used encryption standard.

XSalsa20 is a stream cipher used in the Double Ratchet Algorithm in the Signal Protocol. A stream cipher encrypts data one bit or byte at a time, providing additional security compared to encrypting the entire message simultaneously. XSalsa20 is a variation of the Salsa20 stream cipher and is used to encrypt messages in combination with AES encryption and public key cryptography in the Signal Protocol.

As described, Session uses the same encryption protocol as Signal, which is the Signal Protocol.

Whether you choose Signal or Session, you can be confident that you are using a secure and private communication tool that will help protect your information and conversations.

Session is using the Signal Protocol. But not the same.
The official whitepaper of Session indicates that Session does not modify the fundamentals of the Signal Protocol but makes some changes to the sharing of prekey bundles to avoid using centralized servers.
In Session, prekey bundles are shared through the "friend request" system, which allows users to send friend requests to other users and share their prekey bundles with them. This allows for the encryption and decryption of messages in a decentralized manner without the need for a centralized server to store prekeys.

Additionally, the whitepaper mentions that Session adds additional information to each message to route the message to its desired recipient and verify that it was created correctly. This information helps to ensure that messages are delivered to the correct recipient and that they are not tampered with during transmission.

Overall, these changes to the Signal Protocol help ensure that Session provides a high level of security and privacy for users while avoiding using centralized servers.

Centralized vs. Decentralized
With the rise of privacy concerns and the increasing need for secure messaging apps, it's important to understand the differences between centralized and decentralized systems.

• Centralized Systems (Signal)
  Centralized systems have a single point of control, which can make them easier to manage and maintain. App developers can add new features and fix bugs more easily. Centralized systems can also be more scalable, as they can handle many users and a large amount of data. Additionally, centralized systems can be easier to use, with a consistent user experience and interface.

However, centralized systems also have some disadvantages. There is a single point of failure, which means that if the central server is compromised or goes offline, the entire system may be impacted. Additionally, centralized systems can be vulnerable to hacking, as all of the user data is stored on a single server. Furthermore, centralized systems can raise privacy concerns, as the central server may access all of the user data.

• Decentralized Systems (Session)
  On the other hand, decentralized systems do not have a single point of failure, which means that if one part of the system goes offline, the rest of the system can continue to operate. Decentralized systems can also provide increased security and privacy, as the user data is distributed across multiple nodes and is not stored on a single server.

However, decentralized systems can also have some drawbacks. They can be more challenging to manage and maintain, as there is no single point of control. Additionally, decentralized systems can face scalability challenges, as they need to handle a large number of nodes and a large amount of data. Finally, decentralized systems can have a steeper learning curve, as they may be less user-friendly and may require more technical knowledge to use effectively.

The choice between a centralized and decentralized system will depend on your individual needs and preferences.

Security Standpoint: A closer look into Session
From a security standpoint, a decentralized system of Session can provide increased security compared to a centralized system as Signal uses. This is because there is no central server that can be targeted by attackers, which makes it more difficult for unauthorized parties to access the data stored in the system.

Also, the user data is distributed across multiple nodes in a decentralized system, which makes it more difficult for anyone, including the developers of the app, to access the content of messages. This increased security can make decentralized systems a good choice for users concerned about their data privacy and security.

A statement from the Session whitepaper indicates that the app is designed to protect against active attacks by network adversaries. By encrypting data and using onion requests to store and retrieve messages, Session aims to make targeted attacks by network adversaries difficult and ensure messages' privacy and security.

An onion request in Session is a type of encrypted network request that is routed through multiple nodes, with each node only able to see the previous and next nodes in the route. This makes it difficult for network adversaries to intercept or tamper with the request, as they would need to compromise multiple nodes in the route.

By using onion requests and encryption, Session aims to protect messages from active attacks by network adversaries, such as corrupting or rerouting packets or adding delays.

The use of the Signal Protocol in Session helps to ensure that messages are encrypted using strong, widely-used encryption standards and provides a high level of security and privacy for users. The use of prekeys, which are stored on a central server, ensures that these prekeys are available even when a user's device is offline, which can help to ensure that messages can be encrypted and decrypted even when a user's device is not connected to the internet.

Session also provides a secure and encrypted way for users to participate in group chats. The naive solution for building group chats in Session is to start a pairwise session with every group member and encrypt each message individually for each participant. This solution provides the group chat with the same guarantees as standard pairwise communications using the Signal Protocol. However, it can become burdensome for low-powered clients participating in large group chats, as each message would need to be encrypted and stored N times, where N is the number of members in the group.

Session has improved group chats by adopting the "Sender Keys" system used by WhatsApp. This system involves a set of keys (a Chain Key and a Signature Key) that each client generates for each of its groups. These Sender Keys are shared between all group members in a traditional pairwise manner using the Signal Protocol. When a client needs to send a message to the group, it derives a message encryption key using its Chain Key and encrypts the message only once.

The Sender Keys scheme is effective in small- to medium-sized group chats where the membership set changes infrequently. However, it may be impractical in larger groups where users frequently leave or are kicked from the chat, as all Sender Keys must be updated and redistributed in each such event. The Session whitepaper mentions that further improvements to the Sender Keys scheme have been proposed in the draft MLS specification.

Session provides a secure and encrypted way to send attachments. The official whitepaper describes the solution for attachments in Session, which is to interface with an untrusted centralized server that stores data obliviously. Attachments are encrypted with a random symmetric AES key and uploaded using an onion request. The sender then sends a message to the recipient containing a link to the encrypted attachment, a hash of the content, and the decryption key. The recipient uses an onion request to download the encrypted attachment from the centralized server and decrypts it locally using the decryption key. The recipient also checks the hash of the attachment to ensure that it has not been modified in transit.

By default, all Session clients use a Session file server run by the Loki Foundation for attachment sending and storage.

However, the file server is fully open-source, and setup instructions are provided so that users can set up their own file server if they choose. This allows users to control which file server they use for attachment-sending functionality and ensures the continued usefulness and functionality of Session even if the Loki Foundation can no longer maintain the default Session file server.

Conclusion
In conclusion, secure messaging apps like Signal, Telegram, WhatsApp, and Session have become increasingly important or, better to say: a must-have in today's digital landscape as privacy concerns continue to grow.

These apps offer different features and levels of security, with Signal and Session being highly secure options that use encryption protocols like the Signal protocol and onion routing (Session) to protect users' data and conversations. On the other hand, Telegram and WhatsApp offer a good balance of security and user-friendly features but may not be as secure by design as Signal and Session. Ultimately, the choice of a secure messenger depends on an individual's specific privacy and security needs, and it's important to consider the different options available and their unique strengths and limitations.

A problem with Signal is that it stores the phone number you use to sign up on US servers, which can cause issues for, e.g., EU citizens.

Session aims to provide users with a privacy-focused messaging platform by combining some of the most advanced privacy technologies available today. The platform aims to offer minimal metadata leakage and strong message encryption through the use of the Signal protocol, onion routing, and decentralized message storage and retrieval.

The developers of Session plan to continue to work on the application to provide users with additional features and improve the level of security and privacy offered by the platform.

To enhance privacy, Session uses proof of work to prevent spam attacks and employs a centralized server for attachment storage that does not know the contents of the files. The Loki Foundation maintains the app and is open-source, allowing users to set up their own file server. 

With plans for future development to add more features and improve security and privacy, Session is a good choice for anyone seeking a secure and private instant messaging app.

And the best: You don't need a mobile number or an email to make an account with Session. Your display name can be your real name, an alias, or anything else you like.
 

We suggest using both Secure Messengers to get a feel for them. Session and Signal prove themselves well in everyday life.

For more information about the two independent solutions, please visit:

Session Messenger: https://www.getsession.org/

Signal Messenger: https://www.signal.org

We are planning a new analysis in the future and would like to include other well-known secure messengers such as Threema, Wire, Element, and others.