Telegram and Signal continue to surge following WhatsApp’s privacy backlash—tens of millions of you are now using these messengers for the first time. But, just like WhatsApp, Telegram and Signal have critical settings you must change before you start using the apps. Here’s what you need to do now.
Both Signal and Telegram come with default settings you absolutely need to change—you should do that now. Although Signal is much more secure than Telegram, Telegram has significantly more users, which might make it a better fit for you, but you’ll need to understand those security limitations. Signal is much more a WhatsApp lookalike than Telegram, which is a mix of messaging and social media, with broadcast channels and almost unlimited group sizes, to bring together likeminded people.
Unlike both WhatsApp and Signal, Telegram stores all your messages and content in its cloud, so you can access everything from anywhere, using all your different devices. For that reason, it’s critical that you’re comfortable with the information you’re storing in your Telegram account, as it’s outside your control. Because Signal is much more secure than Telegram, we’ll leave that until the end; it’s almost usable out of the box—there’s just one setting you absolutely need to change.
Telegram has completed its evolution from subversive, even underground messaging platform to the mainstream. “At about 500 million users and growing,” founder Pavel Durov taunted last week, “Telegram has become a major problem for the Facebook corporation—I hear [it] has an entire department devoted to figuring out why Telegram is so popular.”
True or not, the point is a throwback to Telegram’s origins—it wasn’t designed to offer an alternative to mainstream U.S. tech, it was designed to enable dissidents and protest groups to store content out of the reach of the authorities and to access that content from any platform. Yes, it has fun features like WhatsApp and iMessage, but underlying these is a complex architecture designed to keep data away from governments and security agencies.
Telegram says it has sought to balance “usability” with security, making its service easier to use than its competition. And it wants to do this without selling your data. When competing with WhatsApp, this is a compelling argument, especially now.
But Telegram is finding it hard to shake free from its roots—200,000 group member limits and unlimited broadcast channels meet the needs of protest groups, and worse. You’re unlikely to use these options if you’re just switching out WhatsApp after recent, alarmist headlines. Telegram is a complex platform used by a significant number of people—you shouldn’t use it until you’ve changed these critical settings.
Let’s deal with the easy ones first.
As with WhatsApp and Signal, when you install Telegram on your device, you enter your phone number and receive an SMS to confirm it’s your number and to link that to your new account. Again, like the others, if you upgrade your phone, you simply repeat the process, enter the SMS code and restore your account.
But there’s a serious problem. If anyone gets hold of that SMS code, they can hijack your account and gain access to your content. Attackers install Telegram on their device, enter your number, and then try to get the SMS code which is sent to you. If successful, this provides access to your account and cloud storage.
There are sophisticated ways to steal these SMS codes—tricking networks into issuing duplicate SIMs, intercepting SMS traffic on the network, or planting malware on your device. But by far the easiest and most common method is to send you a message from the already hijacked account of a friend. It doesn’t have to be Telegram—Facebook or WhatsApp will do. They tell you that their network is down, and they’ve asked for an SMS to be sent to you instead of them—please forward it to them. It’s as simple as that.
Telegram (just like Signal and WhatsApp) offers a surefire way to prevent this happening. You can set up a 2FA password that is required alongside the SMS code to register a new Telegram install. Unlike WhatsApp, this can be an alphanumeric code, not just a PIN, and you also get to enter a backup email address in case you forget it. These 2FA codes should be mandatory, but they’re not. Make sure you set it up right away under “privacy security” in your app’s settings. Account hijacks are a major issue, impacting countless people, and it takes just seconds to protect yourself.
The second setting you need to change is your actual privacy settings. There’s not much point quitting WhatsApp over data privacy concerns and then sharing your private information with Telegram’s 500 million users. Just as with WhatsApp, your default option should be to share your phone number, timestamp and profile photo with your contacts and no-one else. Just as importantly, you also need to limit who can call you or add you to groups.
Your privacy settings should look like this:
Telegram offers a few other security settings that you should know. You can review the “active sessions” on your account—given Telegram can be accessed by multiple devices, this will assure you that no one else is accessing your messages. You can also tell Telegram how long to wait before deleting your content if you stop logging in—between one month and one year. You can also delete the data it holds on your contacts, which it uses to show you the contacts on your device also using Telegram.
As with your other messengers, you should also secure your app with the biometric or passcode security on your device where available. Remember, all your content is decrypted and available to anyone with access to that device. As Telegram says, “we cannot protect you from your own mother if she takes your unlocked phone without a passcode. Or from your IT department if they access your computer at work. Or from any other people that get physical or root access to your phones or computers.”
And now for the big one—end-to-end encryption. Telegram’s default is to encrypt between your device(s) and its cloud, and then between its cloud and your contacts—it is not encrypted from sender to recipient in the same way as Signal and WhatsApp. Despite Durov casting spurious aspersions over the protocol used by Signal and WhatsApp, Telegram’s approach is weak when compared to the default end-to-end encryption used by the others. This means the default setting is to store your content on Telegram’s cloud, using encryption to which Telegram has the key.
Telegram does offer “secret chats,” which provides end-to-end encryption, albeit only from one device to another, between just two people. It won’t sync across multiple devices and it won’t work for groups. Telegram says this is technically difficult to do, albeit both Signal and iMessage have managed to execute this level of encryption flawlessly. In reality, Telegram’s architecture is designed to provide fast and seamless multi-device access to a cloud repository—its priorities are different.
It’s critical that you are aware of this issue. While I would advocate for Signal or Wickr or Threema for work chats, putting your employer’s confidential information on Telegram’s cloud servers is questionable. Similarly, if you want to ensure your data is locked to just you and your contacts, then use secret chats or another platform.
To begin a secret chat with one of your contacts, go to the normal chat with your contact, and click on the three-dots on Android or “more” on iOS, and then “start secret chat.” You will see the secret chat confirmed by a padlock next to the contact’s name and the option to set messages to disappear if you want to be even safer.
At this point, those 1:1 chats have the same security as Signal and WhatsApp, albeit this cannot be accessed from multiple devices. None of this content will be stored in Telegram’s cloud and Telegram does not have the key to decrypt those messages. This is the default level of security on WhatsApp and Signal, and while it’s a little fiddly to enable and has its limits, you should use this for your 1:1 messaging on Telegram.
Telegram is fine to use—just keep yourself safe. Change these settings, keep an occasional eye on the active sessions on your account, don’t save attached images or video to your phone unless you can trust the sender and the actual media, and opt for secret chats when you’re messaging one other person, especially if it’s sensitive.
Signal settings you need to change
When you first install Signal and setup an account, just like WhatsApp and Telegram you’re asked for your number and you’re sent an SMS code to verify that it’s your phone. It was this surge in SMS code requests that caused problems for Signal after the initial exodus from WhatsApp, before the messaging platform itself buckled under the weight of new users. All that is now fixed, and Signal is operating smoothly once again.
Unlike Telegram and WhatsApp, the two-factor authentication PIN is mandatory with Signal—you select a number or alphanumeric code when you install the app. This code links to your account and can be used to recover some account information if you lose your device. That doesn’t include message content though—unlike Telegram, there’s no cloud storage underpinning your account. And although Signal has multi-device access, it’s much more limited and each device is an endpoint of its own, messages don’t sync—that means you need to delete messages in each place, for example.
Signal is end-to-end encrypted. Period. It can’t be switched off. It uses its own fully open-source protocol—every aspect of its deployment can be examined by researchers to find vulnerabilities before bad actors do the same. The signal protocol is used by WhatsApp, Facebook Messenger and Google’s end-to-end encrypted beta of Android Messages. It is the nearest thing we have to an industry standard.
The Signal settings you must change are the “registration lock” and the “screen lock.” Of these, the registration lock is the critical one. This means you’ll need that PIN to install your Signal account on a new phone, stopping anyone hijacking your account. If someone does hijack your account, they won’t get access to your message history—just messages sent while they have access. This is similar to WhatsApp, albeit such hijacks have become a major issue. As Signal gains popularity, the risk will increase.
Beyond that setting, you should set the screen lock—using your device biometric security or passcode to open the app. You can also disable previews from appearing in the app switcher on iOS and disable screenshots (on your own app only) on Android. The other nifty trick on Android is to make Signal your default SMS app, helping you make your messaging to secure and encrypted Signal, where your contacts are also on Signal—which you’ll be able to see in the app, as an alternative to unsecured SMS.
Despite Signal stealing headlines with its celebrity endorsements, Telegram may ultimately be the bigger winner from WhatsApp’s self-inflicted problems. “Telegram is growing faster compared to them,” one of its former engineers told me, “and is already the default messaging app in a few countries.” Telegram’s scale, he explained, makes it easier to avoid scrutiny, able to “guarantee higher, overall privacy to the masses.”That said, most security professionals advocate for Signal above other mainstream options. It stands the best chance of replacing WhatsApp, given it is more private and more secure, but has broadly the same functionality.
Meanwhile, the scale of the WhatsApp backlash has clearly shocked WhatsApp. We all now wait to see whether it will actually do anything to moderate Facebook’s influence, given that there are now very credible alternatives for its 2 billion users. If not, the viral nature of Telegram and Signal means this mass exodus has only just begun.