Secure Messaging Explained (Threema vs Others)

End-to-end encryption is now a standard claim. Almost every messaging app advertises it. But encryption is only part of the picture. What matters equally is metadata: who you talk to, when, how often, and from where. Most apps protect content but leak everything else.

Content encryption vs metadata

Content encryption means that the provider cannot read the text of your messages. Signal, WhatsApp, Threema, and iMessage all provide this. But content is only one layer.

Metadata includes your phone number, contact list, message timestamps, frequency of communication, IP addresses, device identifiers, and group membership. This data is often more revealing than the messages themselves. Intelligence agencies have stated publicly that they "kill people based on metadata." It is not a trivial concern.
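An added illustration, not taken from the original guide: the Python sketch below builds a constructed delivery log of the kind a provider could hold when message bodies are end-to-end encrypted, and derives a profile of one account from it without any plaintext. The record layout, the `profile` function, and all phone numbers and addresses are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime

# Constructed delivery log (all values made up for this example).
# Each record: timestamp, sender, recipient, sender IP, ciphertext length.
# The message text never appears: it is end-to-end encrypted.
ENVELOPES = [
    ("2024-03-04T23:41:00", "+15550100", "+15550199", "198.51.100.7", 112),
    ("2024-03-04T23:43:10", "+15550199", "+15550100", "203.0.113.20", 96),
    ("2024-03-05T00:02:30", "+15550100", "+15550199", "198.51.100.7", 240),
    ("2024-03-05T09:15:00", "+15550100", "+15550142", "192.0.2.33", 64),
    ("2024-03-05T23:55:00", "+15550100", "+15550199", "198.51.100.7", 128),
    ("2024-03-06T12:30:00", "+15550177", "+15550142", "203.0.113.99", 80),
]


def profile(envelopes, account):
    """Summarise what the metadata alone reveals about one account."""
    contacts, send_hours, ips = Counter(), Counter(), []
    for ts, sender, recipient, ip, _length in envelopes:
        if account not in (sender, recipient):
            continue  # traffic between other users
        peer = recipient if sender == account else sender
        contacts[peer] += 1
        if sender == account:
            # Sending time and source IP belong to the profiled account.
            send_hours[datetime.fromisoformat(ts).hour] += 1
            if ip not in ips:
                ips.append(ip)
    late = sum(n for h, n in send_hours.items() if h >= 22 or h < 5)
    return {
        # (peer, message count), or None if the account has no traffic
        "top_contact": contacts.most_common(1)[0] if contacts else None,
        "contact_count": len(contacts),
        "late_night_msgs": late,   # messages sent between 22:00 and 05:00
        "distinct_ips": ips,       # networks used, in order of first use
    }


if __name__ == "__main__":
    for key, value in profile(ENVELOPES, "+15550100").items():
        print(f"{key}: {value}")
```

The ciphertext length is carried in each record but never needed: the closest contact, the late-night pattern and the networks used all fall out of the envelope fields alone.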

Why most apps still leak

WhatsApp uses the Signal protocol for content encryption but is owned by Meta. It collects metadata extensively: who you message, when, how often, your phone number, device information, IP address, and contact list. This metadata is shared across Meta's advertising infrastructure.

Signal is significantly better. It collects almost no metadata. However, it requires a phone number to register, which ties your identity to your account. Signal also relies on centralised servers operated by the Signal Foundation in the US, which means it is subject to US legal processes.

Telegram does not use end-to-end encryption by default. Standard chats are encrypted in transit but stored on Telegram's servers in a readable form. Only "Secret Chats" use end-to-end encryption, and these do not support group messages, desktop access, or message sync.

iMessage provides end-to-end encryption for Apple-to-Apple communication, but falls back to unencrypted SMS for non-Apple contacts. If iCloud Backup is enabled, message keys are stored by Apple, which means Apple can access your messages if compelled by law enforcement.

Why Threema is different

Threema is a Swiss-based messaging app that does not require a phone number or email to register. You get a random Threema ID. There is no link between your identity and your account unless you choose to add one.

  • End-to-end encryption for all messages, calls, and group chats.
  • No phone number required. No contact list uploaded.
  • Hosted in Switzerland, subject to Swiss privacy law — one of the strictest in the world.
  • Messages are deleted from servers after delivery.
  • Open-source client. Regularly audited.
  • No advertising. No tracking. Funded by licence sales, not data.

The Threema + Mullvad combination

When you pair Threema with Mullvad VPN, you remove two critical exposure points. Threema ensures your messaging metadata is not collected. Mullvad ensures your IP address and DNS queries are not visible to your ISP or network operator. Together, they provide a communication layer that does not leak identity, location, or behaviour patterns.

This is the default configuration on every device we ship. It is not optional. It is the baseline.

Secure messaging is not just about encryption. It is about what else is collected, stored, and accessible.

Every device we build ships with Threema and Mullvad configured. Ask us on WhatsApp if you have questions.