End-to-end encryption gets cited constantly as a reason to trust an app with sensitive conversations. But most people who use Signal, WhatsApp, or iMessage don’t actually know what it means or when it applies — and the gap matters.
What end-to-end encryption actually means
Encryption converts readable data into scrambled data that can only be read by someone with the decryption key. End-to-end encryption (E2EE) specifically means the keys are held only at the endpoints — your device and the recipient’s device. The service in the middle — the app company, their servers, their employees — doesn’t have the key and therefore can’t read the messages even if they wanted to.
Compare this to standard encryption in transit: the message is encrypted between you and the company’s servers (so it can’t be intercepted in transit), but the company can read it on their servers. Gmail is encrypted in transit but not end-to-end — Google can read your email. That’s how they scan it for spam and how they could respond to a government subpoena for your messages.
Signal — the gold standard
Signal is the clearest example of a properly implemented E2EE messaging app. All messages, calls, and file transfers are end-to-end encrypted by default, for every conversation. Signal’s encryption protocol (the Signal Protocol) is open source and has been extensively audited by independent security researchers. Signal itself is a nonprofit, which aligns its incentives away from data monetization.
Signal also collects minimal metadata. The company has received subpoenas and been able to provide only a user’s registration date and last connection time — because that’s all they actually store. This is the practical benefit of good encryption design: there’s nothing to hand over even under legal compulsion.
iMessage — E2EE with important caveats
iMessage between Apple devices is end-to-end encrypted. The blue bubbles are encrypted; the green bubbles (SMS/RCS to non-Apple devices) are not — those go through your carrier and have no meaningful encryption protection.
The major caveat with iMessage: if you have iCloud Backup enabled, your iMessages get backed up to iCloud, and Apple holds the encryption keys for iCloud Backup. This means Apple can access your backed-up messages under court order. If you’re on an iPhone and want the full protection of iMessage’s E2EE, enable Advanced Data Protection (Settings → [your name] → iCloud → Advanced Data Protection) — this makes iCloud Backup end-to-end encrypted too, so Apple can no longer access it.
WhatsApp — E2EE but owned by Meta
WhatsApp uses the Signal Protocol and message content is end-to-end encrypted. But WhatsApp is owned by Meta (Facebook), and while they can’t read message content, they collect substantial metadata: who you message, how often, when, from where, and so on. That metadata is used for advertising targeting.
WhatsApp also backs up chats to Google Drive or iCloud by default, and those backups historically weren’t E2EE — they were readable by Google or Apple. Meta has added optional E2EE backups; you have to enable it manually in WhatsApp Settings → Chats → Chat Backup → End-to-end encrypted backup. It’s not on by default.
What E2EE doesn’t protect against
E2EE protects messages in transit and on the server. It doesn’t protect messages on the device itself. If someone has access to your unlocked phone, they can read your Signal messages. If malware is installed on your device, it can read messages before they’re encrypted to send. And if the person you’re messaging with shares the conversation — screenshots, forwarding, showing their phone to someone — encryption is irrelevant.
E2EE also doesn’t protect metadata. Signal minimizes metadata collection by design. Other apps don’t — they may know exactly who you communicate with and when, even if the content is protected.
The bottom line
For genuinely private conversations, use Signal. For everyday messaging with people who won’t install Signal, iMessage (between Apple devices, with Advanced Data Protection enabled) is solid. WhatsApp encrypts content but collects metadata and requires manual setup to protect backups. Whatever you use, make sure the device itself is locked and secured — E2EE stops at your screen.