Valkyrie was recently approached by a client using WhatsApp for work-related discussions who was concerned about how secure it really is. His concerns followed recent coverage of the UK’s Online Safety Bill and its implications for end-to-end encryption (“E2EE”)—alongside headlines about US officials using Signal during classified decision-making linked to the Yemen conflict. His question was simple but important: should I be using something else?
It’s not an isolated concern. From private negotiations to executive strategy, encrypted messaging apps have become essential—but with that reliance comes confusion and misplaced trust. Gurpreet Thathy, Valkyrie’s Director of Electronic Counter Measures and Cyber Security, regularly advises clients on this issue. Many assume that end-to-end encryption guarantees full security—but in reality, the app is only part of the equation. Device security and user behaviour are just as important.
End-to-End encryption isn’t the full story: Apps like Signal, WhatsApp, and Telegram all offer some level of E2EE, but the differences matter. Signal is widely viewed as the most secure—open-source, minimal metadata, and run by a non-profit. WhatsApp uses Signal’s protocol but is owned by Meta, which collects some metadata (e.g., contacts, usage) and has faced criticism over data-sharing practices. Telegram does not use E2EE by default—only one-to-one “secret chats” are fully encrypted, while group chats and standard messages are stored on its servers.
Device Security is the weakest link: Encryption protects messages in transit—not your device. If your phone is compromised via malware, spyware, or poor backup practices, even the most secure app can be bypassed. At Valkyrie, we’ve seen cases where the breach came not from the app itself, but a compromised handset or recovery flaw. Two-factor authentication (2FA), encrypted backups, and regular updates are essential—but often overlooked.
Helpful features—with limitations: Many messaging apps offer disappearing messages, encrypted backups, and screen locks. These features support privacy but aren’t foolproof. Screenshots can still be taken, content forwarded, and group chats compromised by a single unvetted participant. Even Signal can’t stop recipients from sharing content outside the platform.
Practical advice: Don’t rely solely on an app’s encryption. Consider who owns the platform, what metadata is collected, and where messages are stored. Think carefully about what you’re sharing—and who might access it now or in future.
At Valkyrie, we advise individuals, families, and organisations on secure communication strategies tailored to their threat profile. Choosing the right app is important—but mindset, discretion, and good digital habits remain your strongest defences. Digital security isn’t just technical—it’s tactical.
