Private messaging not private to app providers: Study
End-to-end encryption by iOS apps graded in survey.
Facebook and Signal at different ends of the scale.
Other data collection by vendors blurs the picture of privacy.
A recent analysis by Surfshark reviews ten common iOS messaging apps and assesses their privacy and data security standards. The company’s study considers encryption, the scope and use of data collection, tracking practices, and the integration of AI into each app.
End-to-end encryption is now far from standard on major messaging services, with Instagram removing e2ee from messages sent via the platform. The protection offered by Apple’s own iMessage is conditional on messages passing between Apple devices. If a conversation crosses to Android, the system falls back to SMS or MMS. In iOS group chats, a single Android-based participant means all members lose e2ee. Discord does not provide end-to-end encryption for standard text messages at all.
Many applications offer encrypted transport yet continue to collect data for the app vendor. The study found that, on average, each of the ten apps collects 17 of the 35 categories of data listed in Apple’s App Store disclosures. Some services take more than others: Meta’s Messenger declares collection of 32 categories, LINE 26 categories, WeChat 22, and Rakuten’s Viber 18. All vendors state that at least some user data is required for ‘core functions’. Signal and Telegram claim their app’s data collection is limited to what the companies need to operate, with Signal in particular only taking a user’s phone number.
Several categories of data collected by applications are linked directly to advertising or data harvesting, the latter being the collation of information for sale to third parties, either directly or via data brokers. Such transactions are not revealed to the user, and usually fall under the definition of intellectual property, so they are protected by law and their details are unavailable to outsiders.
The presence of AI in an app introduces separate sets of issues, and nine of the ten apps studied by Surfshark include some form of AI feature, ranging from message summarisation to translation. The deployment of AI introduces new security concerns in systems that might otherwise be end-to-end encrypted, albeit with the presence of e2ee helping to assure app users that their data is private. Data processing by an AI may be local, but thanks to the closed nature of most messaging apps’ code, exact details of where AI algorithms are sited are not made public, and users can only rely on commercial providers’ uncorroborated statements.
Signal receives the highest score overall for privacy and data security standards in the Surfshark review. The app’s limited data collection, absence of tracking, and lack of built-in AI features mean it scores a near-maximum for its first place ranking. At the lower end are LINE, Discord, Viber, and Facebook Messenger, which all fall below the average data privacy and security score. LINE, Discord, and Viber state openly that they collect data for tracking purposes, and Messenger details (via its T&Cs) that it collects the largest number of data categories.
The study concentrated on Apple’s default Messages app and the nine most downloaded messaging apps from the Apple App Store in 2025, based on AppMagic’s app use data. One candidate, MAX, was excluded because it is not available in the US App Store. Each app was assessed on five factors: the type of encryption, the number of data categories collected, whether data can be used for tracking, whether data can be used beyond core functionality, and the presence of AI.
Many major messaging services provide strong protection for messages in transit but conflate user-to-user privacy (“no one else can read your messages”) with user-to-vendor privacy (“we do not use data harvested from your device”). In short, phrases like “no one, even us, can read your messages” don’t necessarily rule out other user data being passed to third parties or used by the vendor. User privacy does not extend to data collection, tracking, and AI processing. Data shared may be anonymised, but a relatively trivial cross-referencing of more than a couple of data sources reveals who messages whom, if not the content of said messages.
(Image source: “private conversation” by remuz [Jack The Ripper] is licensed under CC BY-NC-SA 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-sa/2.0)

Author

Joe Green
Joe Green is a writer based in Bristol, UK. He acquired his first Mac and dial-up modem in 1992 and has worked in the tech industry since 2000. He writes and podcasts, specialising in open-source, networking, cybersecurity, software development and online privacy.
