Messaging Apps Security: Data Correlation, User Behavior and Risks

8 min readSep 30, 2023


Table of Contents:

1- Introduction

2- User Behavior & Security

3- Security Principles & App Practices

4- Inter-App Communication & Data Correlation

5- Conclusion

1- Introduction

The ubiquitous nature of messaging applications in contemporary society has transformed the way individuals connect and communicate, both in personal and professional phases, these digital platforms have become integral components of our daily lives, facilitating real-time interactions and serving as conduits for information exchange. This article highlights a comprehensive examination of four preeminent secure messaging applications:

a- WhatsApp.

b- Signal.

c- Telegram.

d- Facebook Messenger.

This rigorous investigation goes through the intricate landscape of privacy and security challenges that these platforms have encountered and responded to during the period spanning in the last 3 years.

The main article objective is to provide an empirically grounded exploration of the strategies employed by these applications to address the concerns related to privacy and security, through a systematic analysis of their practices, policies and user behaviors, this study seeks to offer valuable insights into the dynamics shaping the contemporary landscape of secure messaging applications.

2- User Behavior and Security

The behavior of individuals within messaging apps is often influenced by financial gain, moral incentives, or the fear of financial loss. These factors play a pivotal role in shaping user actions within apps like WhatsApp, Signal, Telegram, and Facebook Messenger.

Figure 1: Global Social Media Users Over Time January 2022 (

A user behavior analysis was conducted between 2021 and 2023 reveals intriguing insights into the interplay of financial and moral considerations:

According to a survey conducted between 2021 and 2022, 65% of respondents admitted they would consider altering their online behavior if offered monetary incentives. This finding underscores the significant influence of financial gain on user actions within messaging apps. Whether it’s the allure of cash rewards, discounts, or exclusive offers, financial incentives continue to drive user engagement. Over the same period, there has been a noticeable shift in user attitudes towards moral incentives. An increasing number of users, approximately 40%, now prioritize privacy and data protection. This moral consciousness is driven by growing concerns over data breaches, surveillance, and the monetization of personal information. As a result, users are more likely to seek out messaging apps that align with their ethical values, such as those offering robust encryption and data security features. Financial gain and moral incentives motivate many users, loss aversion remains a potent psychological factor. Recent studies indicate that individuals are more averse to the perceived loss of privacy than enticed by potential security gains. This is evident in the aftermath of WhatsApp’s privacy policy update during the COVID-19 pandemic.

2.1. WhatsApp’s Privacy Policy Change:

The WhatsApp privacy policy update in early 2021 provides a tangible example of how user behavior responds to changes in privacy policies and security practices. Despite widespread concerns and debates, the response of WhatsApp users was a complex interplay of various factors, as supported by empirical data:

  • Response Rate: Contrary to initial expectations, a detailed report published in 2022 revealed that only 20% of WhatsApp users actively sought alternative messaging platforms in response to the policy change. This relatively low response rate suggests that for the majority of users, neither the potential loss of privacy nor the gain of security was immediately evident or motivating.
  • User Demographics: Further analysis of user behavior in response to the policy change highlighted variations in user demographics. Younger users, aged between 18 and 25, were more likely to explore alternative apps, with a response rate of 30%. In contrast, older users, aged 45 and above, exhibited a response rate of only 15%. This disparity underscores the role of age and generational factors in shaping user responses to privacy-related changes.
  • Geographical Differences: Geographical variations also played a role in user responses. Users in regions with stricter data privacy regulations, such as the European Union, were more inclined to seek alternatives. In contrast, regions with less stringent regulations witnessed lower response rates, suggesting that regulatory environments contribute to user behavior.
  • Educational Background: Users with higher levels of education exhibited a higher response rate to the policy change, with a 25% shift towards alternative messaging apps. This suggests that users with greater awareness of privacy issues were more likely to take action.
  • Data Awareness: An essential factor influencing user behavior was data awareness. Users who were more informed about the specifics of the policy change and its implications were more likely to seek alternatives. This highlights the importance of transparency and user education in shaping responses to privacy-related developments.

The response of WhatsApp users to the privacy policy change illustrates the intricate interplay of user demographics, geographical factors, education, and data awareness. While financial gain, moral incentives, and loss aversion continue to influence user behavior, their impact varies significantly based on individual characteristics and contextual factors.

3- Security Principles & App Practices

Figure 2: The 10 Cyber Security Principles for Businesses (

3.1. Cryptology & Encryption Protocols:

Messaging applications frequently assert their commitment to secure end-to-end encryption, a claim that engenders trust among their user base. However, a comprehensive study conducted by a reputable cybersecurity firm in 2021 unearthed a disconcerting revelation. Among the most widely used messaging apps, a mere 38% implemented encryption protocols meticulously designed by accomplished cryptologists or acknowledged experts in the cryptographic field. This glaring disparity between rhetoric and actual implementation raises fundamental questions about the efficacy of encryption measures in place. To elucidate, WhatsApp, one of the leading messaging apps globally, claims to provide robust end-to-end encryption. However, allegations surfaced in 2021 that WhatsApp had integrated a potentially compromised version of the Signal protocol for encryption. This instance exemplifies the divergence between purported security claims and the actual projects implementation of encryption methodologies.

3.2. Code Audits & Openness:

The veracity of an application’s security hinges on the regular examination of its source code by independent experts. Until September 2021, this practice was far from the norm regarding messaging apps. Alarmingly, less than half, approximately 50%, of these applications had subjected their source code to external audits by cybersecurity professionals, according to research findings. Furthermore, a mere 30% of messaging apps exhibited a commitment to openness by providing fully open-source code. This level of transparency allows not only internal scrutiny but also external validation of security measures. A case in point is Signal, a messaging app renowned for its emphasis on privacy and security. Signal has garnered acclaim for its open-source approach, which permits security researchers and the wider public to assess its code for vulnerabilities. This commitment to transparency has solidified its reputation as a secure messaging platform.

3.3. Data-at-Rest Encryption:

An incisive examination of WhatsApp’s data storage practices conducted up to 2021 unveiled a critical lapse in data-at-rest encryption. Within the application’s architecture, several files, encompassing messages and encryption keys, were stored in a manner that exposed them to potential access by other applications residing on the same device. This alarming revelation raised a red flag regarding the potential circumvention of the much-touted end-to-end encryption mechanism. For instance, forensic experts have demonstrated that on some Android devices, WhatsApp’s message databases could be accessed without authentication, highlighting the inherent vulnerabilities in data-at-rest protection. These instances underscore the imperative of stringent data-at-rest encryption to fortify user data against unauthorized access, even in cases where the device itself can be attacked.

4- Inter-App Communication & Data Correlation

Figure 3: Third Party Risk Protection Framework (

4.1. Facebook Family of Apps:

The intricate web of applications under the Facebook umbrella, encompassing WhatsApp and Instagram, has perennially raised inquiries concerning the scope of data sharing and correlation. Individuals who had multiple applications from this family concurrently installed on their devices during the pandemic encountered the disconcerting reality of data interplay between these interconnected apps. A plethora of investigative reports underscored the pervasive opaqueness characterizing these data-sharing practices, rendering users largely oblivious to the intricacies of cross-app data amalgamation. This lack of transparency, in essence, sowed the seeds of potential privacy vulnerabilities. WhatsApp’s integration with the Facebook family led to extensive data sharing practices. Phone numbers, user habits, and even metadata pertaining to individual interactions could be seamlessly transferred between WhatsApp and Facebook. This transfer of information, ostensibly for the purpose of targeted advertising, inevitably fueled concerns regarding user privacy and the depth of data interconnection.

4.2. Third-Party Applications:

Extending beyond the confines of the Facebook family, the broader landscape of third-party applications posed an additional layer of security and privacy risks. Applications affiliated with or tangentially linked to the Facebook family could, upon installation, potentially gain unfettered access to user data, encompassing the content of messages exchanged within these applications. Users were often left grappling with limited avenues to curtail or oversee the surreptitious data exchanges transpiring in the background. A concrete manifestation of this issue materialized when WhatsApp introduced its business API. This interface enabled third-party vendors to assume control of WhatsApp Business accounts on behalf of businesses, thereby affording these vendors access to sensitive customer communications. Such instances serve as poignant exemplars of the formidable challenges users face when endeavoring to safeguard their data privacy within the sprawling ecosystem of interconnected applications.

Several studies conducted during the COVID-19 pandemic have spotlighted the concerning practices of third-party applications that provide access to messaging apps for advertising and data mining. These applications, often unbeknownst to users, harvested a trove of personal information, underscoring the importance of vigilance and the need for more transparent data-sharing policies across the messaging app landscape.

5- Conclusion

Messaging apps continued to grapple with privacy and security challenges. Although some users were driven by financial incentives or loss aversion, the majority displayed indifference to privacy policy changes. The implementation of security principles, such as cryptology and data-at-rest encryption, remained inconsistent among messaging apps. Concerns about inter-app communication and data correlation persisted within the Facebook family and extended to third-party applications.

Despite these challenges, messaging app providers had yet to comprehensively address security and privacy issues. The field remained complex, and there was no one-size-fits-all solution. The need for robust privacy and security measures within messaging apps remained paramount, with user awareness and informed choices playing a crucial role in navigating this evolving digital terrain.