Which Messenger Is the Most Secure: Telegram, Signal, or Wickr Me? An In-Depth Comparison

Telegram, Signal, Wickr Me: Choosing the Most Secure Messenger and Whether It Really Exists

The audit and consulting team at Group-IB conducted a comparative analysis of the security of three major messengers most often cited as the most secure. In this review, we present the results of an independent study and offer our answer to which messenger is the safest.

Which Messengers Were Analyzed?

The selection of messengers for this review was based on existing open research on messenger security, their popularity in Russia, and their market positioning.

After evaluating and studying expert opinions, our team chose three messengers focused on user data protection:

  • Signal — a non-profit project by Open Whisper Systems
  • Telegram — a non-profit project by Telegram FZ-LLC
  • Wickr Me — a commercial project by Wickr Inc with a free version

The latest versions available in the App Store and Google Play at the time of the study were used. Messengers were installed on smartphones running iOS 13.3.1 and Android 7.1.2, both with superuser rights enabled (jailbreak for iOS and root access for Android).

How Were the Messengers Compared?

The security analysis was based on three main categories:

  • Openness to the Community
  • Architecture
  • Core Functionality

Openness to the Community evaluated:

  • Availability of external audit reports (including bug bounty programs)
  • Accessibility of the messenger’s source code for researchers (client and server, encryption protocol)
  • Availability of detailed documentation for users

This category did not involve technical testing; results were based on expert assessment. The maximum possible score here was 12 points.

In the Architecture and Core Functionality categories, technical (instrumental) tests were conducted according to the OWASP Mobile Security Testing Guide.

Architecture was assessed for:

  • Data security (e.g., configuration files needed for the messenger to work)
  • Security of communication channels (e.g., data transmission to the messenger’s server)
  • Backup security (e.g., app files created by the messenger or the smartphone OS)
  • User profile data security (e.g., user login, location)

If any shortcomings were found, the maximum score for the category was reduced. The highest possible score was 200 points.

Core Functionality evaluated the correct operation of:

  • Messaging (including files of various formats)
  • Video and audio calls

The maximum score in this category was 120 points.

Thus, the maximum total score for a messenger was 332 points, distributed as follows:

  • Openness to the Community: 12 points
  • Architecture: 200 points
  • Core Functionality: 120 points

For more details, the full methodology is available here.

Note: The study did not include:

  • Source code analysis (not available for all messengers)
  • Server-side research (requires written consent and may involve invasive actions)
  • Cryptographic analysis of encryption algorithms and reverse engineering (these require more time and specialized expertise)

Results

The results are as follows: as shown in the diagram below, Wickr Me scored the highest with 304 out of 332 possible points.

The table below shows how each messenger was scored:

Let’s look at the leaders in each category and the identified shortcomings, then examine each messenger in more detail.

Openness to the Community

Signal and Telegram led this category with 10 points each. Their repositories contain the application’s source code and protocols, available for public review. However, the server-side code is closed, so they did not receive the maximum score. Wickr Me scored lower because it does not disclose its source code.

Architecture

All messengers share a common flaw: the possibility of bypassing biometric authentication, which could allow access to user data. Wickr Me led this category with fewer identified issues. Signal and Telegram scored lower due to insecure storage of sensitive data on the client side. On the plus side, all messengers support E2EE (end-to-end encryption), so certificate pinning was not evaluated.

Core Functionality

This category could be expanded endlessly, but the team focused on basic features and their security: messaging and audio/video calls. Wickr Me and Telegram scored the maximum points. The Android version of Signal had an exception handling flaw that caused the app to crash, resulting in a lower score.

Details on Identified Flaws

All identified flaws were found on devices with root access (or jailbroken devices).

Bypassing Biometric Authentication

Modern smartphones support several authentication mechanisms, including biometric authentication via Touch ID or Face ID. When enabled, the device scans a fingerprint or face and compares it to a stored template.

iOS

All tested iOS messenger apps use the Local Authentication Framework and the evaluatePolicy function of the LAContext class for biometric authentication. When a user taps the messenger icon, a dialog requests biometric confirmation. The result (“true” or “false”) determines access. The flaw: authentication is based solely on the evaluatePolicy result, and the messenger does not use system authorization mechanisms when accessing the Keychain. More details can be found in the Mobile Security Testing Guide.

How to fix: Store a secret (e.g., authentication token) in the Keychain with attributes like kSecAccessControlTouchIDAny or kSecAccessControlTouchIDCurrentSet. Accessing this record would require successful biometric authentication, reducing the risk of unauthorized data access.

Android

The same flaw exists for Android messengers. Biometric authentication uses classes like FingerprintManager (deprecated after Android 9), BiometricPrompt, and BiometricManager. The process is similar to iOS. The flaw: messengers do not use the system’s KeyStore for user authorization, allowing a potential attacker to bypass authentication.

How to fix: Use symmetric/asymmetric cryptographic keys (KeyGenerator class) with setUserAuthenticationRequired(true). This ensures access to keys only after successful local authentication, and the keys can be used to encrypt sensitive data like authentication tokens.

Insecure Local Storage of Sensitive Data

This flaw was found in two of the three messengers. Examples on iOS include:

  • Transferred files and cached chat images stored in plain text
  • Messenger database encryption key stored in the Keychain without local authentication
  • Configuration files containing encryption parameters
  • Device IP address in messenger log files
  • Chat messages stored in plain text in the database

On Android, insecure storage includes:

  • Configuration files with encryption parameters and user phone number
  • User messages (including drafts) stored in plain text
  • Contact information of users the device owner has messaged

How to fix: Review the architecture and storage methods for sensitive data. Note: these data are only accessible with root access or jailbreak.

Incorrect Exception Handling

This vulnerability applies only to Signal on Android. Sending certain file formats caused the app to crash with a “Signal has stopped” error. Log analysis showed an unhandled exception, but no error data was sent to external servers.

How to fix: Implement file format validation before sending.

Developer Responses

The team reported all identified flaws to the messenger developers. At publication, responses were received from Signal and Telegram; Wickr Me did not reply. Developers thanked the team and stated that the identified issues are not considered vulnerabilities, as the tested versions use standard OS security mechanisms. These mechanisms prevent exploitation of the flaws, and using root or jailbreak is at the user’s discretion. However, messengers could implement root detection and notify users to reduce potential data compromise risks.

Conclusion

We conducted a comparative security analysis of three messengers that position themselves as secure. All have some common flaws, and Signal and Telegram also have issues with local storage of sensitive data. While exploiting these flaws requires physical access to the device, our team believes they reduce user data security.

Wickr Me emerged as the leader, scoring 304 points and having the fewest flaws. The bottom line: there is no absolutely secure messenger, but we hope this research helps you maintain privacy and improve the security of your communications by being aware of the potential pitfalls of your chosen service.
