As messaging apps become the default way we communicate, concerns about privacy and data security are growing. From how messages are encrypted to where they’re stored and what data is collected, there’s a lot going on behind the scenes. In this article, we explore the technology behind encrypted messaging, its benefits, its limitations, and what it means for users and law enforcement alike.

Since the internet became mainstream in the 1990s, the number of messages sent has grown exponentially. From the early days of messaging over ICQ, to the dominance of MSN Messenger, and the currently popular WhatsApp, the importance of instant messaging to the internet should not be underestimated. One key area that has become an increasing concern for many users is privacy. Back in the days of MSN Messenger, all text messages were stored in plain text. However, now the vast majority of messaging apps offer end-to-end encryption, providing customers with a level of privacy that an early noughties teen could only dream of.

What is end-to-end encryption?

First, we should explain what exactly encryption means. Encryption is a method of scrambling data so that only certain people can read it. This is done using a “key”. The key allows the recipient to decrypt the message and read it. Anyone who intercepts the message without the key would have to work the key out, or else the message will just be a load of gibberish. This protects the confidentiality of the message being sent, as only authorised parties should be able to read it [1].

There are various encryption methods that can be used; however, most messaging apps utilise end-to-end encryption (E2EE). E2EE uses public key encryption (also called asymmetric encryption) to allow two individuals to safely communicate without having to send a private key over an unencrypted channel. This involves using two different types of keys – one of which is private and only known to one person, and the other is public and can be viewed by anyone. Data is then encrypted using the public key and can only be decrypted using the private key. As such, it does not matter if an attacker intercepts the message, as the message can only be decrypted if they also know the private key [2].

How does WhatsApp encrypt your messages?

Perhaps the most well-known and widely used encrypted messenger app is WhatsApp, which introduced encryption in 2016 [3]. WhatsApp utilises E2EE for sending messages, meaning that only the sender and the recipient can read what has been sent. However, messages are not always stored only on the users’ devices, as they can also be backed up to the cloud. This introduces a whole new variable to the privacy discussion, because if these backups are not also encrypted, then anyone who gains access to the cloud storage would be able to read all your chats. WhatsApp offers you the choice to back up your messages to your Google account (Android) or iCloud (iPhone) with or without E2EE; if you choose the encrypted option, you will need to create a password or save a 64-digit key [4].

What encryption looks like on Messenger

Towards the end of 2023, Meta announced that all Facebook and Messenger chats would be automatically encrypted [5]. This works very similarly to how Meta’s other messaging app, WhatsApp, encrypts messages, by also using E2EE. What is important to know about this encryption method is that not even Meta can see what your message says – so even Mark Zuckerberg doesn’t get to see your conversations. Where Facebook differs from WhatsApp, however, is how these encrypted messages are stored. Instead of storing your encrypted messages in your Google or iCloud account, Meta stores these on their own servers or locally on your device. In order to access this storage, you need to set up a 6-digit PIN or store a virtual key in your Google Drive or iCloud [6].

Signal’s open source approach to security

A more niche messaging app is Signal. Signal came to prominence in March 2025 after messages regarding US airstrikes were accidentally leaked to a journalist via a group chat they were mistakenly added to [7]. Despite this, Signal is generally considered one of the most secure messaging apps available, becoming a key resource for journalists, whistleblowers, and anyone else who may have concerns about privacy [8].

Signal is another messaging app that uses E2EE; however, the code for Signal is open source, meaning that anyone can view it and check for any vulnerabilities so they can be patched before hackers exploit them. Signal also claims to collect far less user data than its counterparts, largely due to the owner company’s status as a non-profit organisation [9]. Additionally, Signal does not offer any message backups, making the messages more secure, but on the flip side, you can only transfer messages from an old device to a new one manually [10]. Overall, Signal is a very secure messaging platform, as long as you don’t accidentally invite any journalists to your private group chats.

The benefits and limitations of end-to-end encryption

So, what are the benefits of using encryption for messaging apps? As already mentioned, there is an increased level of privacy afforded to individual users. No one wants their private messages to be leaked. E2EE also protects the message’s integrity in transit – meaning that an attacker cannot manipulate the content before it reaches its destination. These benefits are also available to corporations that utilise apps such as WhatsApp in their day-to-day business, as it drastically reduces the likelihood of sensitive information being leaked via communication channels, or of this data being modified without anyone noticing. This, in turn, helps protect the business’s reputation and can help prevent a cyberattack, depending on the information being sent via these channels [11].

This is all well and good, but there are a few downsides to E2EE, and a few areas that it cannot cover. Firstly, if a malicious actor were to gain access to one of the individuals’ devices, they would be able to access the messages unencrypted. Similarly, if either the sender or recipient were to screenshot the chat, this could also compromise the confidentiality of the conversation. This makes it vitally important to ensure that your device is locked with a PIN, password, or biometrics. Another issue is that E2EE does not hide or encrypt the metadata, so in theory anyone can find out who you sent a message to and when, even if they do not know what you sent [12].

Finally, there are potential legal issues with the use of E2EE on messaging apps. Because E2EE obfuscates what is being said, these messaging apps can potentially be used for illegal purposes. In an attempt to combat this, the UK government issued an order in January 2025 requiring Apple to create a backdoor in its encrypted cloud storage on user devices due to concerns about child safety [13].

Overall, despite these issues and the potential for harm, and despite the legal challenges from governments, end-to-end encryption does not look like it is going away anytime soon. Obtaining privacy online has been hard fought, and E2EE is a key part of that. If you are backing up your messages, it is important to make sure that the backups are also encrypted, and that you follow basic cybersecurity principles such as using strong passwords and not sharing sensitive information over insecure channels.
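
Three properties described in this article (only the holder of the private key can read a message, tampering in transit is detected, and metadata is not hidden) can be seen together in the following Python sketch. It is an added example, not code from any of the apps discussed; the group parameters, the function names and the envelope fields are assumptions made for illustration, and the standard-library primitives stand in for the vetted cryptographic libraries real apps use.

```python
import hashlib, hmac, json, secrets

# Demo-only Diffie-Hellman group (assumption for brevity). Real messengers use
# vetted elliptic-curve libraries, never hand-rolled parameters like these.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private key: never leaves the device
    return priv, pow(G, priv, P)                 # public key: safe to publish

def _derive(shared):
    raw = shared.to_bytes(32, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode, a stdlib stand-in for a real cipher such as AES.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key, env):
    fields = {k: v for k, v in env.items() if k != "tag"}
    return hmac.new(mac_key, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def seal(recipient_pub, sender, recipient, sent_at, text):
    eph_priv, eph_pub = keypair()                # fresh key pair per message
    enc_key, mac_key = _derive(pow(recipient_pub, eph_priv, P))
    nonce = secrets.token_bytes(12)
    env = {"from": sender, "to": recipient, "sent_at": sent_at,  # metadata stays readable
           "eph_pub": eph_pub, "nonce": nonce.hex(),
           "ct": _xor_stream(enc_key, nonce, text.encode()).hex()}
    env["tag"] = _tag(mac_key, env)              # covers metadata and ciphertext
    return env

def open_envelope(recipient_priv, env):
    enc_key, mac_key = _derive(pow(env["eph_pub"], recipient_priv, P))
    if not hmac.compare_digest(_tag(mac_key, env), env["tag"]):
        raise ValueError("rejected: envelope modified or wrong private key")
    return _xor_stream(enc_key, bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"])).decode()

def rejected(priv, env):
    try:
        open_envelope(priv, env)
        return False
    except ValueError:
        return True

if __name__ == "__main__":                       # constructed sample message
    bob_priv, bob_pub = keypair()
    env = seal(bob_pub, "alice", "bob", "2025-07-15T10:00Z", "Quarterly figures attached")
    print(env["from"], env["to"], env["sent_at"], "| body:", open_envelope(bob_priv, env))
```

A server relaying `env` can read `from`, `to` and `sent_at` but not the body, and any change to the envelope makes `open_envelope` refuse it.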

How AJC can help

As messaging platforms become more embedded in business operations, understanding the risks and protections associated with encrypted communication is essential. We help organisations assess and manage these digital risks, from messaging app usage policies to wider information governance and compliance.

Whether you’re reviewing internal communications practices, need guidance on encryption and legal obligations, or want to build cyber awareness across your team, our experts can help.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.

 

Sources:

Image accreditation: Philip Oroni (July 2024) from Unsplash.com. Last accessed on 15th July 2025. Available at: https://unsplash.com/photos/a-close-up-of-a-remote-control-on-a-table-lAfqEdYykJg
