Is my messaging app actually encrypted — and what's the difference between Signal, WhatsApp, iMessage, and the rest?

Quick answer

WhatsApp, Signal, iMessage, and the modern versions of Messenger and Telegram (with 'Secret Chats' switched on) all use end-to-end encryption, meaning even the company running the service cannot read the content — Signal is the most privacy-protective of the lot because it also minimises what it knows about who is talking to whom, while WhatsApp and iMessage are encrypted for content but retain more metadata than Signal does.

What it's NOT

Encryption is NOT the same as privacy — a messaging app can be perfectly encrypted (the message content is unreadable to outsiders) while still recording who you message, how often, your phone number, your contact graph, and shareing some of that. And 'end-to-end encrypted' is NOT a single thing across apps: the same label covers very different default behaviours (Signal vs Telegram default chats vs WhatsApp backups before 2021).

More context

A messaging app is end-to-end encrypted (E2EE) when the message content is unreadable to anyone except the sender and the recipient — including the company running the service. That is the meaningful security property; everything else is detail. The detail matters, though, because the same label covers different defaults across apps.

The honest state of the major messaging apps in 2026:

  • Signal. E2EE by default for everything: chats, calls, groups, voice notes, video messages. Stores almost no metadata (no contact graph, no record of who messages whom). Open-source, audited, run by a non-profit foundation. The reference standard for messaging privacy. Trade-off: the app you have to convince people to install.
  • WhatsApp. E2EE by default for chats, calls, groups (same Signal Protocol). Stores substantial metadata (who, when, how often). Cloud backups (iCloud, Google Drive) were a gap until 2021; now optional E2EE for backups is available, but you must enable it. Owned by Meta. The most privacy-protective app most people will actually adopt because everyone is already there.
  • iMessage. E2EE by default for blue-bubble (iPhone-to-iPhone) messages. Apple holds the iCloud backup keys by default — switching on Advanced Data Protection (Settings → iCloud → Advanced Data Protection) closes that gap. RCS chats with Android users are E2EE since Apple added RCS support in 2024-2025 (Android-to-Android RCS through Google Messages is also E2EE). SMS fallback to non-iPhone is not encrypted.
  • Messenger (Meta). Default chats became E2EE during 2023-2024. The migration was gradual; if you have not opened Messenger in a while, you may need to opt in.
  • Telegram. Default and group chats are not E2EE. Only one-to-one “Secret Chats” — which must be started explicitly — are. Most Telegram users are not on E2EE chats and do not realise it. Telegram complies with court orders in many jurisdictions and is not the privacy app it is often assumed to be.
  • Discord, Snapchat, Instagram DM, X DMs. Mostly not E2EE. Snapchat encrypts media in transit and deletes after view (which is not the same as not being able to read it). Instagram DM offers an opt-in E2EE mode for one-to-one. X DMs added an opt-in E2EE mode in 2023 for paid users only.
  • SMS and RCS through carriers (non-Google Messages, non-iMessage). Not E2EE. Treat SMS as a postcard.

What “encrypted” does NOT cover, even when it is on:

  • The list of people you talk to (metadata). Signal hides this best; WhatsApp and iMessage hold more of it.
  • The screenshots the other person takes. Encryption is between the services; humans can still copy the text and forward it.
  • A compromised device. If malware is on your phone, the encryption is unwrapped when you read the message and the malware can see everything.
  • The cloud backup, unless you have explicitly turned on the E2EE backup option (WhatsApp since 2021, iMessage with Advanced Data Protection).
  • Lawful intercept of metadata in jurisdictions that compel it. Signal can be compelled to hand over what it knows; Signal famously knows very little.

Practical defaults for a 2026 household:

  1. Pick one encrypted app as your default: Signal if privacy is the criterion, WhatsApp if reach is, iMessage if everyone in your family is on iPhone.
  2. Turn on E2EE cloud backup on the chosen app (WhatsApp: Settings → Chats → Chat Backup → End-to-end encrypted backup; iCloud Messages: Settings → iCloud → Advanced Data Protection).
  3. Treat SMS as untrusted for content. Use it only to receive codes and for casual messages.
  4. Verify the safety number with people you have very sensitive conversations with (Signal calls this “verifying safety numbers”, WhatsApp has the same feature under contact info). This catches person-in-the-middle attacks if the app or the network is compromised.
  5. Lock the app itself with biometric or passcode in its own settings, so a stolen unlocked phone does not reveal years of conversation.

For more sensitive use cases (journalism, dissidence, source protection), Signal with disappearing messages, biometric app lock, and Advanced Data Protection-equivalent settings is the practical baseline. For ordinary family-and-friends use, any of Signal, WhatsApp, or iMessage gives a level of privacy that was science fiction a decade ago. The single decision that matters is stop using SMS for anything that has content.

People also ask

What does 'end-to-end encrypted' actually mean? +

The message is encrypted on the sender's device, travels through the messaging company's servers as unreadable noise, and is decrypted only on the recipient's device. The company that runs the service cannot read the content even if a government, a court, or an attacker compels them. This is dramatically different from 'encrypted in transit' (TLS only, where the company can read everything on its servers) — which is what most email and many older chat apps still do.

Signal vs WhatsApp — which is more secure? +

Both use the same underlying encryption protocol (the Signal Protocol, which Signal Foundation publishes openly). The difference is metadata. Signal stores almost nothing about you — no contact list on their servers, no message graph, no profile data beyond what is strictly needed. WhatsApp encrypts the content but retains substantial metadata (who you message, when, how often, your phone number, your profile photo, in some setups your contact list). Both are vastly better than SMS. If privacy is the criterion, Signal wins; if reach is the criterion, WhatsApp wins because everyone you know is already on it.

Is Telegram encrypted? +

Partially. Telegram's default chats and all group chats are NOT end-to-end encrypted — Telegram holds the keys and can in principle read them (and complies with legal requests in many jurisdictions). Only one-to-one 'Secret Chats' (which you have to explicitly start) are end-to-end encrypted. Most Telegram users are using the non-E2EE default. This is fine for many use cases but should not be confused with Signal- or WhatsApp-style protection.

Are my iMessages encrypted on the iCloud backup? +

By default, until 2022, no — iMessage content was encrypted in transit but Apple held the keys to the iCloud Messages backup. With **Advanced Data Protection** (opt-in, available since late 2022) Apple no longer holds the keys, and iMessages in iCloud are then fully end-to-end encrypted across devices. The same is true for WhatsApp's iCloud / Google Drive backups since 2021, if you enable end-to-end encrypted backup explicitly. Always-on cloud backups are a common gap that surprises people.

Should I use SMS for anything sensitive? +

No. SMS is not encrypted between phones and the network, can be intercepted by SIM-swap attacks, and is increasingly the channel for [smishing scams](/en/library/everyday/phishing/). Use SMS for receiving authentication codes if no better option exists, but never for the content of anything sensitive — passwords, banking details, intimate conversations, business plans. A modern encrypted messaging app is free and takes one minute to set up.

Also explained

What is phishing, and how do I recognise it?

Phishing is when someone sends you a fake message — usually email, SMS or chat — that looks like it comes from your bank, your boss, a delivery service or a friend, hoping you click a link, enter a password or transfer money before you notice the small details that give it away.

What is a VPN, and do I actually need one?

A VPN is a privacy tool that hides your internet activity from your local network (your office, the café Wi-Fi, your ISP) and from websites — but it does NOT make you anonymous, and for most people in 2026 it is far less essential than the ads suggest.

What does the padlock in my browser actually mean?

The padlock means the connection between your device and the website is encrypted, so nobody on your Wi-Fi, your office network or your internet provider can read what you send or receive — but it does NOT mean the website itself is honest, legitimate, or safe to trust with your data.
← Back to everyday cybersecurity