Your End-to-End Encrypted Messages Aren’t As Secure As You Think

Earlier in May, the Texas Attorney General’s office sued Meta for deceiving users on the level of security offered by end-to-end encryption on WhatsApp. 

Meanwhile, Apple and Google have announced that RCS (Rich Communication Services) messaging between Android and iOS users will support end-to-end encryption. But that only works when RCS is enabled on both phones; it does not apply to traditional SMS or MMS, which travel in the clear. With apps like Telegram, too, E2EE is not enabled by default on all messages: you need to start a “Secret Chat” for each conversation you want truly end-to-end encrypted. 

My point: E2EE is used as a catch-all term for secure messaging across a lot of different apps, but each app implements it differently, and the level of protection is not the same. You should not assume that all your communications are safe from interception just because your messaging app advertises E2EE. 

In fact, there are other opt-in security features you should enable when you want real peace of mind while exchanging sensitive information in texts. It’s a lot to unpack, so here’s my simplified explanation of how this encryption works across devices and apps, what it protects, and what it doesn’t. 

How end-to-end encryption (E2EE) works

End-to-end encryption (or E2EE) encrypts a message on the sender’s device so that only the intended recipient’s device, which holds the matching private key, can decrypt it. That private key never leaves the recipient’s device; the servers in between only ever see ciphertext. 

By design, E2EE prevents anyone who intercepts your communications in between, including the people who run the messaging service, from reading the contents. The service can see that a message was sent, by whom, to whom and when, but it can’t read the body because it never holds the decryption key. 

It’s a good security measure for exchanging sensitive information, like financial or medical details that shouldn’t be public knowledge. That said, it’s not foolproof. End-to-end encryption protects only the contents of the message itself. It does nothing to hide the associated metadata: who sent it, who received it, when, how often, how large each message is, and the IP address (and therefore the rough location) your device connects from. 
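To make the split between content and metadata concrete, here is an added example (not code from the article or from any of the apps it discusses) of a minimal end-to-end encrypted relay: the recipient holds an X25519 identity key, the sender encrypts under a fresh ephemeral key, and the server only ever holds an envelope. The participant names, the single-hash key derivation in place of HKDF and a ratchet, and the sample message are all assumptions made for the illustration; the point is that the operator’s own key opens nothing, while the routing metadata stays readable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Envelope is what the relay stores and forwards; all but Ciphertext is metadata read in the clear.
type Envelope struct {
	From, To   string
	SentAt     time.Time
	Ephemeral  []byte // sender's one-time X25519 public key
	Ciphertext []byte // AES-256-GCM output with the nonce prepended
}

// NewIdentity makes a long-term X25519 key pair. The private half never
// leaves the device; only the public half is uploaded to the server.
func NewIdentity() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor turns an ECDH shared secret into AES-256-GCM. Real protocols use HKDF
// and a ratchet; one SHA-256 over the secret and both public keys is a simplification.
func aeadFor(secret, ephemeralPub, recipientPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	h.Write(secret)
	h.Write(ephemeralPub)
	h.Write(recipientPub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts for recipientPub under a fresh ephemeral key; routing metadata is authenticated, not hidden.
func Seal(from, to string, recipientPub *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	secret, err := eph.ECDH(recipientPub)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := aeadFor(secret, eph.PublicKey().Bytes(), recipientPub.Bytes())
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nonce, nonce, plaintext, []byte(from+">"+to))
	return Envelope{From: from, To: to, SentAt: time.Now().UTC(), Ephemeral: eph.PublicKey().Bytes(), Ciphertext: ct}, nil
}

// Open decrypts with the recipient's private key; any other key, the operator's included, gets an auth error.
func Open(priv *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.Ephemeral)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(secret, env.Ephemeral, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(env.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, env.Ciphertext[:ns], env.Ciphertext[ns:], []byte(env.From+">"+env.To))
}

// ServerView is everything the relay learns: who, to whom, when, and how much.
func ServerView(env Envelope) string {
	return fmt.Sprintf("%s -> %s at %s, %d bytes of ciphertext", env.From, env.To, env.SentAt.Format(time.RFC3339), len(env.Ciphertext))
}

func main() {
	bob, _ := NewIdentity()
	operator, _ := NewIdentity() // the service's own key cannot open user mail
	env, _ := Seal("alice", "bob", bob.PublicKey(), []byte("lab results attached")) // constructed sample
	fmt.Println("server sees:", ServerView(env))
	_, err := Open(operator, env)
	pt, _ := Open(bob, env)
	fmt.Println("server decrypt attempt:", err, "| bob reads:", string(pt))
}
```

Run it and the operator’s attempt fails with a GCM authentication error while Bob reads the plaintext; the server still logs sender, recipient, timestamp and size, which is exactly the metadata the article warns about. Binding the routing fields as additional data also means the relay cannot silently re-address an envelope without breaking decryption.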

Moreover, there are other points of exposure in a messaging app that end-to-end encryption doesn’t cover, like your backups. Once your message history is copied to third-party cloud storage, it is no longer protected end-to-end unless the backup itself is encrypted with a key only you hold. The upload to Google Drive or iCloud runs over TLS, so the weak point is not the transfer but the stored copy: by default it is protected by keys the cloud provider controls, so the provider, anyone who compromises your cloud account, and anyone who can compel the provider can read it. 

E2EE implementation also varies from messaging app to messaging app. Signal offers the strongest protection of the apps discussed here. WhatsApp uses the Signal Protocol and enables E2EE on all your chats by default, but leaves cloud backups unprotected unless you opt in. Telegram only end-to-end encrypts one-to-one Secret Chats that you start deliberately; everything else can be read by Telegram’s servers. So “supports E2EE” tells you little until you know what is covered by default. 

E2EE doesn’t always work the same way

“Encrypted” can mean many things. Depending on the architecture of your messaging app, its associated security features, and the quality of its encryption, your actual level of protection varies widely. 

WhatsApp encrypts messages, but not backups by default

I already mentioned that WhatsApp does not extend end-to-end encryption to your cloud backups unless you turn it on: the copy in Google Drive or iCloud is protected by the cloud provider’s keys rather than yours, so it can be read by whoever controls, compromises or compels that account. The transfer itself runs over TLS, so the exposure is the stored backup, not a window during upload. There is no evidence that Meta or the cloud providers read those backups; the realistic risks are legal requests to the provider and takeover of your cloud account. 

Telegram’s encryption is opt-in only

When the Texas government sued Meta over WhatsApp encryption claims, Telegram made a big show of promoting itself as the safer alternative that offers stronger encryption. But that’s only part of the truth. 

In reality, Telegram encrypts regular chats in transit and at rest, but Telegram’s servers hold the keys, so the company can decrypt your communications. Unless, that is, you opt for “Secret Chats,” which are truly end-to-end encrypted and cannot be decrypted by Telegram. Secret Chats are one-to-one only and tied to the device you start them on, so they don’t sync to your other devices. Meanwhile, group chats and channels on Telegram don’t have an end-to-end encryption feature at all. 

iMessage has a blind spot in iCloud Backups

iPhone-to-iPhone messaging offers end-to-end encryption on all communications by default, but with standard iCloud Backup enabled, your backup includes a copy of the key that protects your messages. That means Apple can decrypt them if compelled or compromised, unless you enable an opt-in feature called “Advanced Data Protection” in your iPhone’s iCloud settings (where Apple offers it). 

Signal is your best bet for true encryption

Of all the messaging apps discussed so far, Signal has the best E2EE implementation by a long shot: everything, including group chats and (through its “sealed sender” feature) the sender’s identity on each message, is encrypted by default, both in transit and as stored on the device. This was demonstrated publicly when Signal was served with subpoenas and could only turn over the date an account was created and the date it last connected. 

There’s still a downside, however: Signal only works if the person you’re communicating with also has it installed on their device. It’s not as popular as WhatsApp or Telegram either, so this can be a genuine drawback. 

What is not protected by end-to-end encryption

Regardless of the messaging app you use, there are certain kinds of information that end-to-end encryption doesn’t extend to, at least not by default.

First, the metadata. This is all recorded information about who you’re messaging, how often, at what times and dates, and from where. Even without the actual contents of your messages, these details are often enough to betray relationships, job searches, medical visits, etc. Signal is the closest thing to an exception: it keeps almost no server logs, hides the sender of each message from its own servers, and encrypts contact lists, profile information and group names so the server can’t read them. It still knows your phone number and when your account last connected. For every other app I mentioned, you won’t get the same privacy. 

Then there’s your device. E2EE does not protect you against spyware, keyloggers, or other attacks aimed directly at your phone or workstation. Pegasus has repeatedly used zero-click exploits to take over phones and then read messages after the app has already decrypted them, straight from the device, so the encryption on the wire no longer matters. 

Finally, group chats deserve attention. Some messengers (Telegram, among those discussed here) don’t offer end-to-end encryption for groups at all. Even with the apps that do encrypt group chats, every additional member is another device that could be compromised and another person who can simply screenshot or forward what you wrote, so a group is only as secure as its least careful member. 

Getting more privacy out of your messaging app

Though many of them are not enabled by default, WhatsApp, Telegram, and other messaging apps have started rolling out enhanced security features that can be opted into for additional encryption and privacy.

  • Encrypted backups make sure that your messages aren’t exposed in cloud backups, a known loophole that affects both WhatsApp and iMessage in their default configuration. On WhatsApp, go to Settings > Chats > Chat Backup > End-to-End Encrypted Backup and choose either a password or the generated 64-digit key. The backup is then encrypted before it leaves your phone, so neither WhatsApp nor Google or Apple can read it; the flip side is that if you lose the password or key, the backup is unrecoverable. You’ll still want to lock down the cloud account itself (strong password, two-factor authentication) separately. If you use iMessage, turn on Advanced Data Protection under Settings > [your name] > iCloud > Advanced Data Protection, which extends end-to-end encryption to iCloud Backup as well; Apple requires you to set up a recovery contact or recovery key first, because Apple itself can no longer recover the data for you. 

  • If you want the most privacy, use Signal. Of the apps discussed here, it’s the only one that combines E2EE on everything by default with minimal metadata: it retains your phone number, when the account was created and when it last connected, and little else. Not everyone uses it, but sensitive communications are worth the extra effort of installing the app.

  • Disappearing messages limit the damage from a future compromise, seizure or loss of either device by deleting the conversation history after a set period of time. They won’t protect against real-time threats, and the other party can still screenshot or copy a message before it expires, but they’re still a bit of added protection.

  • Apps like WhatsApp, Signal, and iMessage let you verify a contact’s key: WhatsApp and Signal show a 60-digit security code (Signal calls it a safety number) and a QR code, while iMessage does it through Contact Key Verification. Compare the code with your contact in person or over a different channel; if it matches on both ends, no third party is sitting between you. Every 1-to-1 encrypted chat gets its own code, derived from both parties’ public identity keys, which is why both of you see the same number. It only changes when one of you reinstalls the app, re-registers, or switches devices. If it changes and your contact hasn’t done any of those things, treat it as a warning sign and verify again before sending anything sensitive.
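To show why a safety number catches an interceptor, here is an added example (not code from the article or from Signal, WhatsApp or Apple) of a simplified safety number: each identity key is reduced to 30 digits, the two halves are ordered so both sides compute the same 60-digit string, and a man in the middle who hands each side her own key produces mismatching numbers. The participant names, the 5,200-round iterated hash, and the omission of user identifiers from the hash are assumptions for this illustration; the real algorithms differ in detail.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// NewIdentityKey returns the public half of a fresh X25519 identity key,
// the value a messaging app publishes for a user and pins on first contact.
func NewIdentityKey() ([]byte, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return priv.PublicKey().Bytes(), nil
}

// fingerprint condenses one public key into 30 decimal digits. The hash is
// iterated (5,200 rounds, an assumption for this example) so that finding a
// different key with the same digits costs an attacker more work; six
// 5-byte chunks of the result are reduced modulo 100000 to five digits each.
func fingerprint(pub []byte) string {
	h := sha256.Sum256(pub)
	for i := 0; i < 5200; i++ {
		h = sha256.Sum256(append(h[:], pub...))
	}
	var sb strings.Builder
	for i := 0; i < 6; i++ {
		var n uint64
		for _, b := range h[i*5 : i*5+5] {
			n = n<<8 | uint64(b)
		}
		fmt.Fprintf(&sb, "%05d", n%100000)
	}
	return sb.String()
}

// SafetyNumber is the 60-digit code both parties should see for a chat. It is
// built from both identity keys, ordered so that either side derives the same
// string; a real app also mixes in each user's identifier, omitted here.
func SafetyNumber(myKey, theirKey []byte) string {
	a, b := fingerprint(myKey), fingerprint(theirKey)
	if a > b {
		a, b = b, a
	}
	return a + b
}

// Display groups the digits in fives, the way the apps show them for comparison.
func Display(code string) string {
	groups := make([]string, 0, len(code)/5)
	for i := 0; i+5 <= len(code); i += 5 {
		groups = append(groups, code[i:i+5])
	}
	return strings.Join(groups, " ")
}

func main() {
	alice, _ := NewIdentityKey()
	bob, _ := NewIdentityKey()
	mallory, _ := NewIdentityKey() // an interceptor who swaps in her own key

	// Honest exchange: both phones show the same number.
	fmt.Println("alice sees:", Display(SafetyNumber(alice, bob)))
	fmt.Println("bob sees:  ", Display(SafetyNumber(bob, alice)))

	// Man in the middle: each side was handed Mallory's key as the other's.
	fmt.Println("alice sees:", Display(SafetyNumber(alice, mallory)))
	fmt.Println("bob sees:  ", Display(SafetyNumber(bob, mallory)))
}
```

In the honest case the two printed numbers are identical; in the interception case they differ, because Alice’s number covers (Alice, Mallory) while Bob’s covers (Bob, Mallory). That is the entire value of the check, and it only works if you compare the digits over a channel the interceptor does not control.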
