Sending a photo of your ID or a PDF of your bank statement through WhatsApp or Telegram feels natural. These are the apps we use every day. They claim to be secure. WhatsApp says it has end-to-end encryption. Telegram says it is "more secure than mass market messengers." But when it comes to sharing sensitive files, neither platform provides the protection most people assume.
WhatsApp uses the Signal protocol for end-to-end encryption. Messages and files are encrypted on the sender's device and decrypted on the recipient's device. WhatsApp's servers cannot read them in transit. This is genuine end-to-end encryption, and it works well — for the message itself.
The problem is everything that happens around the message.
WhatsApp offers cloud backups to Google Drive (Android) or iCloud (iPhone). For years, these backups were stored unencrypted. Every message, every photo, every file you shared was sitting in plaintext on Google's or Apple's servers.
In 2021, WhatsApp introduced optional encrypted backups. The key word is "optional." Users must manually enable this feature, and many do not. If either the sender or the recipient has unencrypted backups enabled, the file you shared exists in plaintext on a cloud server.
WhatsApp automatically downloads received media to the device's photo gallery or file system. That passport photo you sent is now in the recipient's camera roll, backed up to Google Photos or iCloud Photos, synced across all their devices, potentially shared in other galleries and accessible to any app with photo library permissions.
WhatsApp's parent company Meta collects extensive metadata even though it cannot read message contents:
For file sharing, this means Meta knows that you sent a file to a specific person at a specific time, even if it cannot see the file contents. In many contexts — legal, medical, financial — even this metadata is sensitive.
Once you send a file on WhatsApp, it lives in the chat history forever (or until someone manually deletes it). There is no TTL. There is no single-use download. There is no way to revoke access after sending. The "Delete for Everyone" feature only removes the message from the chat view — it does not delete downloaded files from the recipient's storage.
Telegram's security model is widely misunderstood. The critical fact that many users do not know:
| Chat Type | Encryption | Telegram servers can read? | Available on desktop? | Group support? |
|---|---|---|---|---|
| Regular chat | Client-server (MTProto) | Yes | Yes | Yes |
| Group chat | Client-server (MTProto) | Yes | Yes | Yes |
| Channel | Client-server (MTProto) | Yes | Yes | N/A |
| Secret Chat | End-to-end (MTProto 2.0) | No | No | No |
Secret Chats are device-specific (not synced across devices), not available on desktop and not supported in groups. The vast majority of Telegram usage — including file sharing — happens in regular chats where the server can access everything.
Telegram explicitly stores all files from regular chats on its servers. This is actually a feature — it allows you to access your messages from any device without local storage. But it means every file you send sits on Telegram's infrastructure indefinitely.
Telegram's servers are distributed across multiple jurisdictions (originally based in London, now registered in Dubai, with servers reportedly in the Netherlands and Singapore). Your file may be stored in any of these locations, subject to local laws.
Telegram uses its own encryption protocol, MTProto, rather than the widely reviewed Signal protocol or standard TLS. While MTProto has been audited and no critical flaws have been found, the security community generally views custom cryptographic protocols with skepticism. Standard protocols benefit from broader scrutiny and faster vulnerability detection.
Beyond their individual issues, WhatsApp and Telegram share several risks when used for sensitive file sharing:
Both platforms are tied to phone numbers. When you share a file, the recipient can see your phone number (and you see theirs). For professional file sharing — sending documents to a contractor, client or vendor — this unnecessarily exposes personal contact information.
Neither platform can prevent the recipient from taking screenshots or saving files to their device. Once the file is on their phone, it is outside your control entirely.
Both platforms use SMS-based authentication as a primary login method. SIM swapping attacks allow an attacker to take over a phone number and access the account. If the attacker gains access, they can see every file ever shared in non-secret chats (Telegram) or download them from the chat history (WhatsApp).
Neither platform tells you how many times a file was downloaded or accessed. You have no way to know if the file was forwarded, saved or shared with others.
| Feature | Telegram | Zero-Knowledge Link | |
|---|---|---|---|
| E2E encrypted by default | Yes (messages) | No (only Secret Chats) | Yes (always) |
| Backup bypass | Yes (unencrypted by default) | N/A (server stores all) | No backups |
| Server can read files | No (but backups can) | Yes (regular chats) | No |
| File expiration | No | No | 15 min to 7 days |
| Single-use download | View Once (photos only) | Self-destruct timer (Secret Chat only) | Yes |
| Download counter | No | No | Yes |
| Recipient needs account | Yes (WhatsApp) | Yes (Telegram) | No |
| Metadata collected | Extensive (Meta) | Moderate | Minimal (IP, size, timestamp) |
| Phone number required | Yes | Yes | No |
| Revoke access | No (file already downloaded) | No (server retains copy) | Yes (delete before TTL) |
Instead of attaching a sensitive file directly in WhatsApp or Telegram, encrypt it first and send the link through the messaging app. SecureSend in UnveilPass works exactly this way: the file is encrypted in the browser with AES-256-GCM, the key stays in the URL fragment (never sent to the server) and the link can be shared through any channel — including messaging apps.
The messaging app sees only a URL. Even if backups capture the link, the encrypted data on the server is automatically deleted after the TTL expires. With single-use download enabled, the file is gone after the first retrieval.
WhatsApp's end-to-end encryption is genuine but undermined by unencrypted backups, media auto-download and metadata collection. Telegram does not even offer end-to-end encryption by default — its servers store and can read files from regular chats. Neither platform offers file expiration, download tracking or access revocation.
For sensitive files, the safest approach is to encrypt before sharing through any channel. The delivery mechanism — whether email, WhatsApp, Telegram or carrier pigeon — becomes irrelevant when the file itself is encrypted with a key that only the intended recipient possesses.
Send files with end-to-end encryption. The server never sees your data. No account required to receive.
Get Started Free