In short: End-to-end encryption (E2E) hides the text of your messages, but not the metadata — who talked to whom, when, and from which IP. Different apps collect very different amounts of this data: Signal keeps it minimal, Telegram and WhatsApp noticeably more. A VPN does not change what the app itself collects, but it closes the network layer: your ISP and the Wi-Fi owner can no longer see which messenger you use or from which address, and on open networks the risk of interception disappears. Secure messaging comes down to three parts: a trustworthy app, account hygiene, and a VPN on untrusted networks.
Two layers of protection: content and metadata
When people say «secure messenger» they usually mean encryption. But encryption comes in different forms and does not cover everything. To see the real risks, it helps to split a conversation into two layers: the content (text, photos, voice notes) and the metadata (the technical record of the fact that you communicated at all).
End-to-end encryption (E2E) means a message is encrypted on your device and decrypted only on your contact's device. The server relays a «sealed envelope» and cannot read the text. That is how Signal, Telegram's secret chats, and WhatsApp by default work. The alternative is client-server encryption: the channel to the server is protected, but on the server itself the data is available in the clear. Telegram's ordinary cloud chats use this model.
What the messaging server sees
With E2E the server does not read the text, but it always sees the fact of contact: which accounts exchanged messages, when and how often, the size of attachments, which devices logged in. With client-server encryption, the server also has access to the content itself. That is why trust in the company behind the app matters as much as the algorithm.
What your network and ISP see
A separate observer is the network you use to reach the internet: your home ISP, mobile carrier, or the owner of a public Wi-Fi. They cannot read the content, but they do see which servers your phone connects to. From IP addresses and DNS requests it is easy to tell that you opened a specific messenger, at what time, and how much data you sent. We cover this in detail in what a VPN protects against.
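To make the DNS point concrete, here is an added example (not part of the original article) that builds one unencrypted DNS query and reads the hostname back out of the raw bytes, as any device on the path can. The suffix table, the sample hostnames and the function names are assumptions chosen for illustration, and the VPN branch assumes the client sends DNS through the tunnel.

```python
import struct

# Illustrative suffix-to-app table: an assumption for this example, not data from the article.
APP_SUFFIXES = {"signal.org": "Signal", "whatsapp.net": "WhatsApp", "telegram.org": "Telegram"}

def build_query(hostname, txid=0x1234):
    """Build a plain DNS A-record query as a stub resolver sends it over UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_name(packet):
    """Recover the queried name from raw bytes; no key is needed because nothing is encrypted."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0 or pos + 1 + length > len(packet):
            raise ValueError("malformed label in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def classify(hostname):
    """Match a hostname against the suffix table on label boundaries; None if no match."""
    for suffix, app in APP_SUFFIXES.items():
        if hostname == suffix or hostname.endswith("." + suffix):
            return app
    return None

def local_network_view(hostname, vpn_active):
    """What the ISP or Wi-Fi owner learns from one lookup, with and without a VPN."""
    if vpn_active:
        # Assumption: DNS is routed inside the tunnel. If the device still uses the
        # local resolver (a DNS leak), the name stays visible exactly as below.
        return {"name": None, "app": None}
    name = observed_name(build_query(hostname))
    return {"name": name, "app": classify(name)}
```

The VPN branch is only as good as its assumption: checking that lookups really leave through the tunnel is part of verifying the setup.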
Metadata — what leaks even with E2E
Encryption protects what you write. Metadata reveals who, when and how you communicate — and that is often no less sensitive. From a contact graph and activity timing one can reconstruct your social circle, your daily routine, and even the fact of a specific meeting, without ever reading a single message.
Message metadata includes:
- the phone number or account ID of sender and recipient;
- the date, time and frequency of messages;
- the IP address you connected from and an approximate location;
- the device model, app version and operating system;
- the size and type of attachments, and call durations;
- your contact list, if the app has access to your address book.
Services collect different amounts of this data and store it differently. Some apps are required to retain user information and hand it over on a lawful request — so the less metadata is tied to your identity, the better.
Messengers by privacy level: a comparison
No messenger is «the most secure» in every scenario at once — the right choice depends on what matters to you: minimal metadata, convenience, or independence from a phone number. A quick reference on the key parameters:
| Messenger | E2E by default | Metadata collected | Open source | Phone number |
|---|---|---|---|---|
| Signal | Yes | Minimal | Yes | Yes |
| Telegram | Secret chats only | Noticeable | Partial (clients) | Yes |
| WhatsApp | Yes | High (metadata → owner) | No | Yes |
| Threema | Yes | Low | Yes | No |
| Session | Yes | Minimal (no number) | Yes | No |
A practical approach is to keep one familiar messenger for everyday chat and one private app for sensitive topics, so you do not tie all of your activity to a single identifier.
What a VPN covers in this chain — and what it does not
A VPN works at the network level: it encrypts all of the device's traffic and routes it through an intermediate server. That affects messaging privacy in two ways.
What a VPN covers. Your ISP and the network owner can no longer see which servers you connect to, meaning they cannot tell which messenger you use or when. Your real IP address is hidden both from the network observer and from the messenger itself: it sees the VPN server's address instead. On open Wi-Fi, interception and traffic tampering become impossible.
What a VPN does not cover. It does not change what the app itself collects. If your account is tied to your phone number and stores a contact graph, a VPN will not undo that. Nor does it help when someone gains access to an unlocked phone. A VPN is a network layer of protection, not a substitute for choosing a trustworthy messenger and keeping your account secure. For the boundaries of what a VPN can do, see also free vs paid VPN comparison.
Open Wi-Fi: why your messenger needs a VPN
In a cafe, airport or hotel you join a network you do not control. Even if the conversation is encrypted, an open network allows man-in-the-middle attacks, rogue access points with the same name, and interception of unencrypted requests such as DNS. A VPN builds an encrypted tunnel from your phone to a trusted server, turning all of your traffic into an unreadable stream as far as the local network is concerned. This matters most when you open work chats or confirm a login by SMS on someone else's network. The same principle applies when you handle sensitive data with AI tools — see VPN and AI chatbots. On a phone it is convenient to keep the VPN on at all times so protection kicks in automatically as you switch networks.
How to secure the account itself
The strongest encryption is useless if someone else can log into your account. Basic hygiene closes most everyday risks:
- enable two-step verification (a cloud password) — without it an account can be hijacked by intercepting a single SMS code;
- review the list of active sessions regularly and end any you do not recognise;
- use secret chats with E2E and a self-destruct timer for sensitive topics;
- limit who can see your number, photo and last-seen time;
- do not grant address-book access unless you really need it;
- set a passcode or biometrics to open the app itself.
Many of these risks come not from the messenger but from the phone being tracked in general, and from the browser fingerprint if you use the web version of the app.
Checklist: secure messaging
- For sensitive topics, choose a messenger with E2E by default and minimal metadata collection.
- Enable two-step verification and set a separate, strong password.
- Turn on disappearing messages in chats with private topics.
- Review and close any stray active sessions across your devices.
- Hide your phone number, online status and last-seen time in privacy settings.
- Always turn on a VPN when joining someone else's or a public Wi-Fi.
- Never follow links from strangers and never forward verification codes.
- Compare plans and keep a VPN ready on your phone: LiMP plans.
Frequently asked questions
Do I need a VPN if my messenger already uses end-to-end encryption?
Yes, if network privacy matters to you. E2E hides the text, but it does not hide the fact and timing of messenger use from your ISP and the Wi-Fi owner, nor your IP address. That is exactly the layer a VPN closes.
Can a VPN make my messaging fully anonymous?
No. If the account is tied to your phone number, your identity is still known to the service. A VPN hides network traces and your IP, but it does not anonymise an account you registered in your own name.
Which is safer — the web version or the app?
The app is usually preferable: a browser adds the risks of extensions, fingerprinting and WebRTC. If you use the web version, do it in a trusted browser and end the session when you are done.
Does a VPN protect against account hacking?
No, these are different threats. Account takeover is prevented by two-step verification, a strong password and session control — not by a VPN. A VPN covers traffic on the network.
Should I trust a messenger with closed source code?
Closed source does not mean insecure, but an independent audit and open code increase trust, since outside experts can verify the encryption implementation. For the most sensitive topics, open-source apps are the common choice.
Does deleting a message on the other person's side help?
Deletion removes the message from the chat, but it does not guarantee the other person did not take a screenshot or a backup. For private topics it is safer to enable a self-destruct timer in advance and to share less.
