By Claudia S. Tiller
End-to-end encryption is considered the gold standard of private digital communication, but it is only one layer of the privacy story. Using ClassyShark, a binary inspection tool, I extracted and analysed the Android Manifests of Signal, Telegram, and WhatsApp, then compared the technical findings against each app's published privacy policy. What I found was a significant gap between what these apps say and what their code actually does.
What is an Android Manifest and Why Does It Matter?
The Android manifest is a required file in every app’s installation package. It declares the app’s services, permissions, and third-party software development kits (SDKs), which are software packages built into the app. It reveals third-party, advertising, and other permissions that are not visible from the privacy policy or app interface alone.
Finding 1: E2EE Protects Your Messages. Not Your Metadata
Encryption doesn’t protect everything. Metadata (who you talk to, how often, and in some cases, your approximate location via IP address) is a separate matter.
Signal stores the minimum possible: dates of account creation and last connection, PIN hash, and phone number. It doesn’t share data with third parties and offers no cloud backups. Messages are stored locally and encrypted. It adheres to its privacy-by-design philosophy, emphasising data minimisation and retaining only essential account and operational information.
Telegram stores significantly more: IP addresses, device information, contact lists, and the content of cloud chat messages on its servers. Although Telegram claims to share data with governments only upon court order, this raises privacy concerns.
WhatsApp stores profile information, device and app usage data, message metadata, including who you contact and how frequently, and backup data on iCloud or Google Drive that is unencrypted by default. E2EE backup is available, but it must be manually enabled by the user, a step many don’t take. WhatsApp also leverages various Facebook SDKs and Meta services for advertising, attribution, engagement, and analytics.
While encryption protects message content, it doesn’t protect the picture of your life that metadata reveals.
Finding 2: Telegram Is Not as Private as Its Reputation Suggests
Telegram has built a strong reputation as a privacy-focused app. That reputation is partially deserved. The critical distinction is between cloud chats and secret chats. Cloud chats, the default, are stored on Telegram's servers and are not E2EE. Telegram can technically access them. Only “Secret Chats”, which are manually activated, use genuine E2EE. The manifest confirms it: 58% of Telegram’s privacy permissions fall into the “dangerous” category – the highest risk level in Android’s permission system.
Finding 3: WhatsApp's Integration With Meta Goes Deeper Than the Privacy Policy Suggests
WhatsApp's privacy policy acknowledges data sharing with Meta. What it doesn’t make obvious is the extent of that integration at the technical level.
The manifest reveals Facebook analytics, advertising manager integration, and an advertising identifier (AD_ID): a unique device tracker for cross-app behavioural profiling, absent in both Signal and Telegram. It references over a dozen Meta/Instagram packages. WhatsApp has 73% dangerous permissions, the highest of all 3, compared to Telegram’s 58% and Signal’s 31%.
This doesn't mean WhatsApp is reading your messages. It does, however, mean that significant data about your device, behaviour, and connections flow through Meta’s ecosystem in ways a casual reading of the privacy policy won’t reveal.
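As an added example (not the author's tooling and not code from any of the three apps), this Python shows how a dangerous-permission share, the AD_ID flag and SDK references can be derived from a manifest that has been decoded to text XML. The sample manifest, the `com.facebook.example.AnalyticsService` component, the partial dangerous-permission list and the prefix-to-vendor mapping are all assumptions; the article does not state how its percentages were calculated.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Partial list (assumption): some permissions Android classifies as "dangerous".
DANGEROUS = {"android.permission." + p for p in (
    "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS", "CAMERA", "RECORD_AUDIO",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE",
    "CALL_PHONE", "READ_CALL_LOG", "READ_SMS", "SEND_SMS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "POST_NOTIFICATIONS")}
AD_ID = "com.google.android.gms.permission.AD_ID"
# Package prefixes mapped to an SDK vendor label (assumed, illustrative mapping).
SDK_PREFIXES = {"com.facebook.": "Meta", "com.google.firebase.": "Firebase"}

# Constructed manifest for a hypothetical app; not taken from any real APK.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <application>
    <activity android:name="com.example.chat.MainActivity"/>
    <service android:name="com.facebook.example.AnalyticsService"/>
    <service android:name="com.google.firebase.messaging.FirebaseMessagingService"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Summarise declared permissions and SDK components of a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter()
             if e.tag in ("uses-permission", "uses-permission-sdk-23")}
    perms.discard(None)  # ignore malformed entries without android:name
    dangerous = sorted(perms & DANGEROUS)
    vendors = set()
    for tag in ("activity", "service", "receiver", "provider"):
        for e in root.iter(tag):
            name = e.get(ANDROID_NS + "name") or ""
            vendors.update(v for p, v in SDK_PREFIXES.items() if name.startswith(p))
    return {
        "total_permissions": len(perms),
        "dangerous": dangerous,
        "dangerous_pct": round(100 * len(dangerous) / len(perms)) if perms else 0,
        "uses_ad_id": AD_ID in perms,
        "sdk_vendors": sorted(vendors),
    }
```

Running `audit_manifest` on manifests decoded from different releases of the same app makes it easy to spot when a new permission or SDK component appears between versions.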
Finding 4: The Gap Between Policy and Code Is Real
Privacy policies are written by lawyers for compliance purposes, not to give users a clear picture of what actually happens with their data.
Signal's manifest is consistent with its policy: minimal SDKs, disabled analytics, and no third-party data sharing. Telegram's confirms broader data collection and partially contradicts its privacy-focused branding. WhatsApp's reveals the full extent of Meta integration in ways the policy acknowledges but does not emphasise.
Finding 5: Signal Wins, But Nothing Is Perfect
Signal is the clear privacy leader across every metric, but even Signal has its caveats. It relies on Google’s core infrastructure, including Firebase Cloud Messaging for push notifications, meaning some data flows through Google’s ecosystem regardless. No Android app is entirely independent of Google’s services.
What This Means For You
If you use messaging apps for sensitive communications (legal, financial, political, or simply personal), the choice of platform is a governance decision, not just a preference. The code is ground truth — reading privacy policies isn’t enough.
Signal is the strongest choice for privacy-sensitive communications. Telegram is acceptable for general use, provided you activate Secret Chats. WhatsApp is deeply integrated with Meta’s advertising system — not ideal for data minimisation.
Privacy is increasingly recognised as a fundamental right. The gap between what companies say and what their code does is a governance issue. Closing it requires technical audits that most users and organisations never conduct. That’s worth changing.

