Security and Privacy Features Analysis of Messaging Applications (Arattai, Whatsapp, Signal, Prav and Element) 

Amid the recent surge in interest around messaging applications, we have compared popular messaging applications – Arattai, WhatsApp, Signal, Prav and Element – across key app features to highlight the differences in security, privacy, and user control between proprietary and open-source applications.

Summarised comparison table:

Features compared across Arattai, WhatsApp, Signal, Prav and Element.

End to End Encryption (“E2EE”) by Default
  • Arattai: ❌ Only calls are encrypted
  • WhatsApp: ✅ All communications are encrypted
  • Signal: ✅ All communications are encrypted
  • Prav: ✅ All communications are encrypted with OMEMO (Multi-End Message and Object Encryption, an open-source end-to-end encryption protocol for the Extensible Messaging and Presence Protocol, XMPP)
  • Element: ✅ Has private chats and encrypted rooms

E2EE of Messages
  • Arattai: ❌ Not available for messages, only available in the Secret Chat feature
  • WhatsApp: ✅ Encrypted by the Signal Protocol
  • Signal: ✅ Encrypted by the Signal Protocol
  • Prav: ✅ OMEMO encryption
  • Element: ✅ Olm/Megolm encryption protocols

E2EE of Calls
  • Arattai: ✅ Audio and video
  • WhatsApp: ✅ Audio and video
  • Signal: ✅ Audio and video
  • Prav: ✅ Audio and video
  • Element: ✅ Audio and video (limited for group calls)

Metadata Storage
  • Arattai: High – Phone numbers, device IDs, IP addresses, contacts stored on India servers
  • WhatsApp: High – Communication patterns, device info on Meta global servers
  • Signal: Minimal – Last connection (day precision), sealed sender feature
  • Prav: Moderate – XMPP server-dependent
  • Element: High – Homeserver-dependent, visible to admins

Encrypted Backups
  • Arattai: Server-encrypted (non-E2EE) on Zoho servers in India
  • WhatsApp: Optional E2EE for Google/iCloud backups
  • Signal: Local device backups only (encrypted)
  • Prav: Server-dependent XMPP configuration
  • Element: Encrypted on homeservers with user keys

Open-Source
  • Arattai: ❌ Proprietary (Zoho)
  • WhatsApp: ❌ Proprietary (Meta)
  • Signal: ✅ Fully open-source
  • Prav: ✅ Free/swatantra software on Codeberg
  • Element: ✅ Open-source, NCC Group audited

Architecture
  • Arattai: Centralized – Zoho-controlled servers
  • WhatsApp: Centralized – Meta-controlled servers
  • Signal: Centralized – Signal Foundation servers
  • Prav: Decentralized – Federated XMPP protocol
  • Element: Decentralized – Federated Matrix protocol

Data Location
  • Arattai: India (Zoho servers)
  • WhatsApp: Local devices + Meta global servers for metadata
  • Signal: Mostly local devices, minimal on Signal servers (USA)
  • Prav: XMPP server-dependent, user choice
  • Element: Homeserver-dependent; Element uses AWS

Types of Data Collected
  • Arattai: Profile, phone, device ID, IP, contacts (optional), diagnostics
  • WhatsApp: Phone, profile, contacts, device ID, IP, transaction data, metadata
  • Signal: Phone number/username, last connection date only
  • Prav: Phone number for registration
  • Element: Account information, device data, usage data (varies by homeserver configuration)

Data Collection Purpose
  • Arattai: Collects data for authentication, communication, support, features, monitoring and improvement of services
  • WhatsApp: Collects extensive metadata, device data, and interaction information to personalize experience and share insights with Meta for business and ad targeting across Meta platforms
  • Signal: Collects only essential data: phone number (or username) and last connection timestamp (day precision). No tracking, ads, or behavioral profiling. Operates on donations and grants, so no commercial data use
  • Prav: Designed to collect only the technical data necessary for message delivery and security. No tracking or behavioral analytics. Operates transparently under a cooperative model, ensuring data isn’t used for monetization
  • Element: Data collection depends on the server used. If self-hosted, users control all data. On public servers, some metadata is collected for functionality. No commercial use or ad tracking, and all code is open-source for transparency

Data Monetization
  • Arattai: ❌ Ad-free platform; doesn’t sell data for monetisation
  • WhatsApp: ✅ Meta advertising integration via metadata, cross-platform ad targeting, business analytics, and user profiling within the Meta ecosystem
  • Signal: ❌ None – non-profit foundation with no ads, no investors, and no sale or sharing of user data. Funded by donations and grants, Signal’s model is explicitly built to avoid data monetization altogether
  • Prav: ❌ None – operates under a cooperative, community-owned structure with no ad or data monetization model
  • Element: ❌ None – open-source and federated, meaning users or organizations can self-host and control data. Public servers do not use data for monetization or ads. Any optional paid tiers are subscription-based, not data-driven

Government Access
  • Arattai: Full access to messages can be given upon legal request (since there is no E2EE)
  • WhatsApp: Only metadata can be shared with law enforcement upon legal request, since E2EE exists
  • Signal: Minimal data collected and E2EE exists, so only minimal data can be shared
  • Prav: Server-dependent; the decentralized architecture limits access to data
  • Element: Homeserver-dependent; self-hosting limits access to data

User Control
  • Arattai: Moderate – Account deletion, analytics control, but Zoho can access messages in the absence of E2EE
  • WhatsApp: Moderate – E2EE backup option, users have privacy settings, can access and delete data, but metadata may remain with the platform
  • Signal: High – Strong privacy features like disappearing messages, screen security, relay calls, and anonymous sign-up without a phone number give users greater control
  • Prav: High – Built on open standards (XMPP) with cooperative governance, allowing users to move between providers, self-host, and influence development. Transparent policies and federated switching enhance user autonomy
  • Element: Very High – Enables self-hosting, federation, and full data portability. Users can choose usernames instead of phone numbers, delete data, and customize privacy settings. Governance and infrastructure are user-controlled rather than centralized

Key Takeaways for Users

  1. Privacy: Signal offers the strongest privacy protection, with minimal metadata collection, open-source transparency, and E2EE by default for all communications. However, it’s centralized and requires trusting the Signal Foundation.
  2. Decentralization & Control: Element and Prav provide federated architectures allowing users to self-host or choose providers, preventing vendor lock-in. This comes with more complexity but greater control.
  3. Local storage and retention of data: Arattai stores all data within India, which may appeal to those preferring domestic data storage. However, it currently lacks message E2EE, making it less private than the alternatives.
  4. Mainstream Adoption: WhatsApp offers strong E2EE for message content but collects extensive metadata shared with Meta’s ecosystem. It’s the most widely used but involves trust in Meta’s practices.
  5. Community Governance: Prav operates as a user-funded cooperative where users vote on privacy policies, offering democratic control over platform development.

The best choice to make depends on individual priorities: privacy, minimalism, decentralization, ease of use, or existing social networks.

Detailed explainer of privacy and security features on messaging applications

End-to-End Encryption

End-to-end encryption is like sending a locked box that only the intended recipient has the key to open. When you send a message, it gets scrambled (encrypted) on your device and can only be unscrambled (decrypted) on the recipient’s device. Even the messaging service provider, internet companies, hackers, or governments cannot read your messages because they don’t have the key.

How it works: Imagine Suraj wants to send a private message to Anu. Anu has two keys – a public key (which anyone can use to lock messages for her) and a private key (which only she has, to unlock messages). Suraj uses Anu’s public key to lock his message, turning “Hello Anu” into scrambled nonsense. When Anu receives it, she uses her private key to unlock and read the message.
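To make the locked-box picture concrete, here is an added example in Go; it is not code from this article or from any of the apps compared. Suraj's device and Anu's device each generate an X25519 key pair, each combines its own private key with the other's public key to arrive at the same session key, and the relay server in between forwards only AES-GCM ciphertext. The key-agreement step (rather than encrypting directly with the public key) is how modern messaging protocols such as the Signal Protocol derive keys; the names, the hand-written HKDF and the session label are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdfSHA256 turns the raw X25519 shared secret into a 32-byte AES key (RFC 5869,
// one output block). Hand-written here so the example needs only the standard library.
func hkdfSHA256(secret, label []byte) []byte {
	extract := hmac.New(sha256.New, nil) // empty salt
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(label)
	expand.Write([]byte{1})
	return expand.Sum(nil)
}

// sessionKey combines my private key with the other party's public key; both
// ends reach the same key, while anyone holding only the public keys cannot.
func sessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(shared, []byte("example-chat-session")), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates; a fresh random nonce is prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on a wrong key or any altered byte.
func open(key, sealed []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Exchange plays the scenario from the text and returns the bytes the relay
// server forwards (all it ever sees) and the text Anu recovers.
func Exchange(message string) (serverSees []byte, anuReads string, err error) {
	curve := ecdh.X25519()
	surajPriv, err1 := curve.GenerateKey(rand.Reader) // stays on Suraj's phone
	anuPriv, err2 := curve.GenerateKey(rand.Reader)   // stays on Anu's phone
	if err := errors.Join(err1, err2); err != nil {
		return nil, "", err
	}
	// Suraj's device needs only Anu's public key, which the server may hand out.
	kSuraj, err := sessionKey(surajPriv, anuPriv.PublicKey())
	if err != nil {
		return nil, "", err
	}
	if serverSees, err = seal(kSuraj, []byte(message)); err != nil {
		return nil, "", err
	}
	// Anu's device uses her private key and Suraj's public key.
	kAnu, err := sessionKey(anuPriv, surajPriv.PublicKey())
	if err != nil {
		return nil, "", err
	}
	plain, err := open(kAnu, serverSees)
	return serverSees, string(plain), err
}

func main() {
	sealed, text, err := Exchange("Hello Anu")
	if err != nil {
		panic(err)
	}
	fmt.Printf("relay server sees: %x\nAnu reads: %q\n", sealed, text)
}
```

The server's position is the point: it can distribute public keys and carry the sealed bytes, but without a private key it cannot derive the session key, and any attempt with a different key fails authentication rather than producing garbage.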

What are Encrypted Backups?

Encrypted backups protect copies of your messages stored in the cloud. Without encryption, anyone accessing the cloud storage (including the cloud provider, hackers, or law enforcement) can read your backup.

Server-side encryption: The cloud provider encrypts your backup on their servers using their keys. They can still access your data if required or if hacked.

End-to-end encrypted backups: Your device encrypts the backup before sending it to the cloud, using a password or key only you control. Even the cloud provider cannot decrypt your backup.
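The difference between the two backup models comes down to who holds the key. The added Go example below (not code from the article or from any of the apps it compares) encrypts the same chat history both ways: for the E2EE backup the device derives the key from a passphrase with PBKDF2 and uploads only salt and ciphertext, so restoring without the passphrase fails; for the server-side model the provider encrypts with a key it keeps itself and can read the blob back at will. The passphrase, the provider key, the iteration count and the chat text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const iterations = 200_000 // chosen for the example; follow current guidance in production

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA-256 for one 32-byte output block.
func pbkdf2SHA256(passphrase, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// gcmSeal encrypts with AES-256-GCM; a fresh random nonce is prepended.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen fails on a wrong key or any modified byte.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("backup blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// CloudBackup is all the provider stores for an E2EE backup: salt and ciphertext.
type CloudBackup struct{ Salt, Sealed []byte }

// MakeE2EEBackup runs on the user's device; the passphrase never leaves it.
func MakeE2EEBackup(passphrase, chatHistory string) (CloudBackup, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return CloudBackup{}, err
	}
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations)
	sealed, err := gcmSeal(key, []byte(chatHistory))
	return CloudBackup{Salt: salt, Sealed: sealed}, err
}

// RestoreE2EEBackup re-derives the key on the restoring device; without the passphrase it fails.
func RestoreE2EEBackup(passphrase string, b CloudBackup) (string, error) {
	key := pbkdf2SHA256([]byte(passphrase), b.Salt, iterations)
	plain, err := gcmOpen(key, b.Sealed)
	return string(plain), err
}

// providerKey is the provider's own backup key (a constructed value) kept on its servers.
var providerKey = []byte("provider-held-key-0123456789abcd") // 32 bytes

// ServerSideBackup models server-side encryption: same cipher, provider's key.
func ServerSideBackup(chatHistory string) ([]byte, error) {
	return gcmSeal(providerKey, []byte(chatHistory))
}

// ProviderReads needs nothing from the user: the provider already has the key.
func ProviderReads(blob []byte) (string, error) {
	plain, err := gcmOpen(providerKey, blob)
	return string(plain), err
}

func main() {
	b, _ := MakeE2EEBackup("correct horse battery staple", "Suraj: Hello Anu")
	fmt.Println(RestoreE2EEBackup("not the passphrase", b))
}
```

Both paths use the same AES-GCM; what changes is only where the key comes from. That is why a server-side encrypted backup still counts as readable by the provider, and by anyone who compromises or compels the provider, while the E2EE backup is readable only by someone who knows the passphrase.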

Additional features of E2EE

i) E2EE by Default – This criterion examines whether encryption is automatically enabled for all users without requiring manual activation.

Arattai currently does not offer E2EE by default for text messages and media. While the app provides E2EE for audio and video calls, text messages are stored in plain text on Zoho servers. The company announced that E2EE for messages is under active development and will be rolled out soon as their “highest priority”.

WhatsApp provides E2EE by default for all messages, calls, and media. All communications are automatically encrypted without requiring user configuration.

Signal has E2EE enabled by default for all messages, calls, and media. This inherent security does not require additional configuration from users.

Prav offers E2EE by default for all messages using the OMEMO encryption protocol over XMPP. All communications are encrypted automatically without user intervention.

Element uses E2EE by default for private chats and encrypted rooms using the Matrix protocol. The encryption is based on the Olm and Megolm protocols, which extend Signal’s Double Ratchet algorithm.

ii) E2EE of Messages – This criterion examines whether text messages and media files are protected with end-to-end encryption.

Arattai does not currently have E2EE for text messages, though it offers a “Secret Chat” feature where E2EE is available on an opt-in basis. Messages are stored on Zoho servers without E2EE protection.

WhatsApp encrypts all messages end-to-end using the Signal Protocol. Message content cannot be accessed by WhatsApp, Meta, or any intermediaries.

Signal encrypts all messages using its own open-source Signal Protocol. Neither Signal nor other parties can read message contents.

Prav encrypts all messages end-to-end by default using OMEMO encryption. The service cannot access message content.

Element provides E2EE for messages in encrypted rooms using Matrix’s encryption implementation based on Olm and Megolm. Messages are decrypted per-device rather than per-user for additional security.

iii) E2EE of Calls – This criterion evaluates whether voice and video calls are protected with end-to-end encryption.

Arattai provides E2EE for all audio and video calls. Call data is not accessible by the service or intermediaries.

WhatsApp offers E2EE for all voice and video calls by default. Call content is protected with the same encryption as messages.

Signal encrypts all voice and video calls end-to-end. Call data cannot be accessed by Signal or third parties.

Prav supports E2EE for audio and video calls. The encryption is handled through the XMPP protocol with OMEMO.

Element provides E2EE for voice and video calls using Matrix protocol encryption. However, group calls may not be fully encrypted in all implementations.

iv) Encrypted Backups – This criterion evaluates how message backups are protected when stored in the cloud or on servers.

Arattai stores backups on Zoho servers located in India. The company states that “all conversations and titles are encrypted in storage” on servers. However, without E2EE for messages, the encryption level of backups remains unclear.

WhatsApp offers optional end-to-end encrypted backups for Google Drive and iCloud. By default, cloud backups are not E2EE protected, though WhatsApp doesn’t have access to them. Users must manually enable E2EE backup with a password or 64-digit encryption key.

Signal does not offer cloud backup functionality. Users can create local encrypted backups on their devices, which are protected with a passphrase.

Prav stores messages on XMPP servers, and encryption depends on the server configuration. Messages can be stored encrypted on participating servers.

Element stores encrypted messages on Matrix homeservers. Encrypted room data is accessible only to participants with proper decryption keys, though metadata remains visible to server administrators.

Metadata

Metadata is “data about data” – information that describes other information. In messaging apps, even when your message content is encrypted, metadata reveals who you talked to, when you talked, how long you talked, and where you were located. Think of it like a letter: E2EE protects what’s inside the envelope, but metadata is the information on the outside – the sender’s address, the recipient’s address, the postage date, and the package size. Even if nobody can read your letter, they can still see who you’re corresponding with and when.

Examples of metadata include:

  • Phone numbers of sender and receiver
  • Time and date of messages or calls
  • Duration of calls
  • IP addresses showing your location
  • Device information
  • Whether messages were read or delivered
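To show how much the envelope alone gives away, here is an added Go example (not from the article or from any of the apps it discusses). It parses a constructed relay log in which no message content appears and rebuilds the who-talks-to-whom graph from sender, recipient and timestamps alone; it then shows the minimal-retention alternative the article attributes to Signal, where the server keeps only each recipient's last-connection day. The log format, phone numbers and IP addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// relayLog is a constructed sample of what a relay records per event even when
// every payload is end-to-end encrypted (fictional numbers, documentation-range IPs).
const relayLog = `ts=2025-11-03T08:02:11Z from=+910000000001 to=+910000000002 kind=msg ip=203.0.113.7
ts=2025-11-03T08:05:03Z from=+910000000001 to=+910000000003 kind=call secs=412 ip=203.0.113.7
ts=2025-11-03T22:14:51Z from=+910000000001 to=+910000000002 kind=msg ip=203.0.113.7
ts=2025-11-04T09:30:00Z from=+910000000003 to=+910000000001 kind=call secs=75 ip=203.0.113.20`

// Event is one relay record; no field carries message content.
type Event struct {
	When               time.Time
	From, To, Kind, IP string
	Secs               int
}

// ParseEvent reads one key=value line and rejects fields it does not know.
func ParseEvent(line string) (Event, error) {
	var e Event
	for _, tok := range strings.Fields(line) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok {
			return e, fmt.Errorf("bad token %q", tok)
		}
		var err error
		switch k {
		case "ts":
			e.When, err = time.Parse(time.RFC3339, v)
		case "from":
			e.From = v
		case "to":
			e.To = v
		case "kind":
			e.Kind = v
		case "ip":
			e.IP = v
		case "secs":
			e.Secs, err = strconv.Atoi(v)
		default:
			err = fmt.Errorf("unknown field %q", k)
		}
		if err != nil {
			return e, err
		}
	}
	return e, nil
}

func ParseLog(log string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}

// ContactGraph maps each number to its counterparts and how many events linked them.
func ContactGraph(events []Event) map[string]map[string]int {
	g := map[string]map[string]int{}
	link := func(a, b string) {
		if g[a] == nil {
			g[a] = map[string]int{}
		}
		g[a][b]++
	}
	for _, e := range events {
		link(e.From, e.To)
		link(e.To, e.From)
	}
	return g
}

// Minimize is the defensive counterpart: keep only each recipient's last-connection
// day (no sender, IP, duration or exact time), so the graph above cannot be rebuilt.
func Minimize(events []Event) map[string]string {
	last := map[string]string{}
	for _, e := range events {
		if day := e.When.UTC().Format("2006-01-02"); day > last[e.To] {
			last[e.To] = day
		}
	}
	return last
}

func main() {
	events, _ := ParseLog(relayLog)
	fmt.Println(ContactGraph(events), Minimize(events))
}
```

Run against the sample, the full log yields each number's contacts, call lengths and the hours at which it is active, while the minimised store answers only "when was this account last seen, to the day"; that gap is what the metadata rows in the comparison table are measuring.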

Storage of Metadata

Arattai stores metadata including phone numbers, profile information, device IDs, IP addresses, and contact lists. Data is stored on Zoho servers located in India. The company states metadata is shared on a “need-to-know basis” with employees and service providers.

WhatsApp collects and stores metadata including who contacted whom, when communications occurred, IP addresses, and device information. While message content is encrypted, metadata is not protected and can be shared with law enforcement under valid legal requests. Metadata is stored on Meta’s global servers.

Signal minimizes metadata collection and implements a “sealed sender” feature that conceals sender identifiers from Signal’s servers. The service only stores the last connection date (reduced to day precision rather than hour/minute/second). Signal actively deletes metadata and maintains minimal server logs.

Prav stores metadata on XMPP servers, which typically retain less metadata compared to centralized platforms. As an open protocol, XMPP allows server administrators to control metadata retention policies. Prav is funded directly by users and explicitly states they don’t sell user data or metadata.

Element stores metadata on Matrix homeservers, and server administrators can access metadata including who is communicating with whom, even in encrypted rooms. The amount of metadata logged depends on the homeserver administrator’s policies. Matrix logs more metadata by default compared to Signal.

Centralized vs Decentralized Architecture

Centralized systems are like having one post office that handles all mail delivery. A single company controls all the servers, and every message must pass through their infrastructure. If that central server goes down, the entire network stops working. 

Decentralized (Federated) systems are like email – you can use Gmail to send messages to someone using Outlook. Multiple independent servers run by different organizations can communicate with each other using common protocols 

Arattai operates on a centralized architecture with Zoho controlling all servers. All data flows through Zoho’s infrastructure in India.

WhatsApp is a centralized service controlled entirely by Meta. All communications route through Meta’s global server infrastructure.

Signal operates on a centralized architecture with Signal Foundation controlling the servers. However, the protocol is open and can be independently implemented.

Prav is decentralized, built on the federated XMPP protocol. Users can communicate across different XMPP servers and providers without vendor lock-in.

Element is decentralized, based on the federated Matrix protocol. Users can self-host servers or use federated homeservers, enabling communication across different servers.

Open-Source vs Proprietary Software

Open source software is software whose source code is freely available for anyone to view, use, modify, and share. It’s built on the idea of collaboration and transparency, allowing developers around the world to improve and adapt it according to their needs. 

Proprietary software is owned by an individual or company, and its source code is kept secret. Users can use the software only under specific terms, often by purchasing a license, but they cannot change or redistribute it. 

Arattai is proprietary software developed by Zoho Corporation. The source code is not publicly available for independent security audits.

WhatsApp is proprietary software owned by Meta. While it uses the open-source Signal Protocol for encryption, the app’s code is not open for public inspection.

Signal is fully open-source software. Both the app and the Signal Protocol are publicly available for third-party verification and security audits.

Prav is free/swatantra (open-source) software. The source code is publicly available on Codeberg for third-party verification and audits.

Element is open-source software built on the open Matrix protocol. The code is publicly available for security audits and has been positively audited by NCC Group.

Data Storage Location

This examines where user data is physically stored and which jurisdictions govern it.

Arattai stores all data on servers located in India. Local device storage is used with server backups.

WhatsApp stores data locally on devices with optional cloud backups on Google Drive or iCloud. Meta hosts metadata on its global server infrastructure.

Signal stores minimal data on Signal’s servers, with most data residing locally on user devices. The service does not offer cloud backup.

Prav stores data on XMPP servers, with the specific location depending on the chosen service provider. The federated nature allows users to choose their hosting location.

Element stores data on Matrix homeservers, which can be self-hosted or provided by third parties. Element Matrix Services uses AWS for hosting.

Types of Data Collected

This criterion details what personal information and usage data each platform collects.[47][44]

Arattai collects profile names, phone numbers, country codes, profile pictures (optional), contacts (optional), device unique IDs, IP addresses, mobile operating system information, browser data, usage events, APIs, crash information, and diagnostic data. Analytics collection is user-controlled through settings.

WhatsApp collects phone numbers, profile information, contacts, device identifiers, IP addresses, transaction data, and extensive metadata about communication patterns. Business messaging features enable integration with Meta’s advertising ecosystem.

Signal collects only phone numbers (or usernames in newer versions) and the last connection date. The service explicitly follows a “no data collection” policy for message content, call logs, and contact lists.

Prav collects phone numbers for registration and contact discovery. The service is funded by users and explicitly states it doesn’t collect data for monetization.

Element collects account information, device data, and usage information depending on the homeserver used. Self-hosted instances allow full control over data collection policies.

Purposes for Data Collection

Arattai uses collected data to authenticate users, facilitate communication, provide customer support, enable interactive features, detect and prevent technical issues, monitor usage, and improve the application. Analytics are optional and user-controlled.

WhatsApp uses data for authentication, service delivery, security, business messaging, and Meta advertising integration. Metadata supports platform functionality and law enforcement compliance.

Signal uses minimal data solely for service delivery and authentication. The platform has no advertising or affiliate marketing.

Prav uses data for authentication and service delivery. As a user-funded cooperative, there is no data monetization.

Element uses data for service delivery, authentication, and platform improvement. Self-hosted deployments give organizations complete control over data usage.[39][54]

Government, Legal Access & Jurisdictional Compliance

Arattai states it “may share information with governmental agencies to comply with applicable laws”. Without E2EE for messages, Zoho could provide message content to authorities upon legal request. 

WhatsApp cannot provide message content due to E2EE, but shares metadata with law enforcement under valid legal requests. The Law Enforcement Response Team (LERT) reviews all government requests for compliance. Metadata including communication patterns, device information, and account details can be disclosed.

Signal maintains a transparency report documenting all legal requests at signal.org/bigbrother. Due to minimal data collection and E2EE, Signal can only provide limited information like registration date and last connection date. The service has consistently refused to weaken encryption or expand data collection.

Prav operates as a cooperative with democratic decision-making on privacy policies. The decentralized XMPP architecture distributes data across multiple servers, limiting single-point access. Legal requests would need to target specific XMPP server administrators.

Element depends on the homeserver used for jurisdictional compliance. Self-hosted deployments give organizations complete control over data access and legal compliance. The default matrix.org server complies with relevant data protection regulations.

Data Monetization for Ads

Arattai explicitly states it is ad-free and does not monetize user data for commercial purposes. Zoho’s business model is based on paid enterprise services.

WhatsApp allows business messaging and enables Meta advertising integration based on usage patterns and metadata. While message content remains encrypted, metadata supports targeted advertising.

Signal has no advertising or data monetization. The nonprofit operates on donations and grants.

Prav is funded directly by users through subscriptions and donations. The service explicitly states it doesn’t sell user data or metadata.

Element does not monetize user data through advertising. The business model focuses on enterprise subscriptions and self-hosted deployments.

User Control Over Data

Arattai allows users to delete accounts permanently through settings. Users can control analytics sharing and manage notification preferences. However, without message E2EE, Zoho maintains access to message content on servers.

WhatsApp provides options to enable E2EE backups, manage privacy settings, and control who can see profile information. Users can download their data and delete accounts, though Meta retains metadata for operational purposes.

Signal gives users maximum control with disappearing messages, screen security, relay calls through Signal servers to hide IP addresses, and profile customization without mandatory personal information. The platform’s minimal data collection inherently limits what can be exposed.

Prav offers user control through its cooperative governance structure where users can vote on privacy policies and features. The federated architecture allows users to switch providers without losing contacts.

Element provides extensive user control, especially with self-hosted deployments. Users can choose their homeserver, control encryption settings, manage data retention policies, and export data. The open protocol ensures no vendor lock-in.