• Some messaging apps handle link previews in a highly insecure manner.
• Instead of generating the link preview locally on the user’s own device, these apps choose to send links to a hosted service and generate the link preview remotely instead.
• This puts the remote link preview service in a position where it can see and potentially monitor which links people are sharing, who is sharing them, and when they were shared.

• Link Previews in Telegram are always generated remotely on Telegram’s servers.
• Telegram provides an option to completely disable Link Previews in Secret Chats. If this setting isn’t disabled, even URLs and websites that are exchanged in end-to-end encrypted chats are leaked to Telegram’s servers.
  • iOS: Telegram Settings > Privacy and Security > Data Settings > Link Previews
  • Android: Telegram Settings > Privacy and Security > Link Previews

• WhatsApp Desktop is available for macOS and Windows.
• WhatsApp Web can run in the web browser on other platforms.
  • The WhatsApp Code Verify web browser extension must be installed in order to mitigate possible man-in-the-middle attacks.

• Only “Cloud Chats” (which are not end-to-end encrypted) remain in sync across mobile and desktop.
• Telegram Secret Chats are not synchronized across devices.

• Reactions are completely disabled in Telegram’s optional end-to-end encrypted Secret Chats.

• Voice notes outside of Secret Chats are not end-to-end encrypted.
• Telegram Premium users can access a Voice-to-Text Conversion feature.
  • These transcriptions are generated remotely (and therefore insecurely) on Telegram’s servers using their voice message transcription API.

• Telegram users need to look at a “key visualization” and manually verify four emoji characters at the beginning of every call.
  • If this step is ever skipped, that conversation is at risk of being intercepted by a man-in-the-middle attack.
• One-on-one video calls in Telegram have only been end-to-end encrypted since August 2020.

• Messages for Web can relay messages between a phone and a web browser.
  • No browser extension is available to verify the evaluated code, so man-in-the-middle attacks are a possibility.
  • Messages for Web supports legacy message formats (e.g. SMS and MMS) that are not end-to-end encrypted.
• No desktop apps are available.

• Google Messages doesn’t include support for voice and video calls.
• Google Meet is a separate application that can optionally be installed on the same phone.
  • End-to-end encryption for voice and video calls can be enabled in Google Meet under certain conditions.

• End-to-end encryption is only enabled for Rich Communication Services (RCS) chats, and only if everyone in the conversation is also using the Google Messages app.
  • End-to-end encryption is not enabled when exchanging messages with other RCS apps (e.g. Samsung Messages).
• Legacy message formats like SMS and MMS are not end-to-end encrypted.

In addition to other group attributes that are end-to-end encrypted (such as group names, group descriptions, and group avatars), the Signal service also doesn’t have access to any information about which accounts are part of a group, which accounts are admins in a group, which accounts can add new people to a group, which accounts can approve requests to join a group, or which accounts can send messages in a group.