27 May 2026

Messenger Security: What You Need to Know About Data Protection Methods

Author: eXpress

Few people realize how much data passes through messaging apps every day: personal correspondence, work files, contacts, documents. We'll explore how all this is protected and where vulnerabilities remain. Finally, we offer a checklist on how to protect your business from messaging app leaks and maintain digital hygiene.

What's Happening to Messenger Security in Russia

Communication security issues in Russia today extend far beyond personal correspondence. Companies use these services to discuss work tasks, transfer documents, and exchange personal data and confidential information. Therefore, requirements for the protection of digital communications are becoming increasingly stringent, both from businesses and from the government.

At the same time, practical risks are also growing. The threats include account hijacking, message interception, and metadata theft. Metadata is information about who is communicating, when, with whom, from what devices, and what files are being transferred. Even if the content of correspondence is protected by encryption, such data allows for the creation of detailed digital profiles of users and the analysis of communication links.

In response to these challenges, the state has strengthened its control over digital communications: in December 2024, Roskomnadzor added WhatsApp*, Skype, Wire, Element, and KakaoTalk to the register of information dissemination organizers, requiring them to store user data and transfer it to authorized agencies upon request. A few months later, in August 2025, authorities introduced partial restrictions on WhatsApp* and Telegram calls, officially citing the need to combat fraud and terrorist threats.

Changes in Legislation and Import Substitution

Threats from using unsecured communication channels are systemic and affect both individuals and the corporate sector.

Legal regulation in this area is based on several key documents. Federal Law No. 152-FZ "On Personal Data" establishes basic requirements for the processing and protection of personal information, including rules for data storage in Russia. Government Resolution No. 1119 defines the levels of security of information systems and a list of measures that companies are required to implement to protect data. Federal Law No. 126-FZ "On Communications" regulates the activities of communications services, and No. 161-FZ "On the National Payment System" imposes additional requirements on platforms with financial functions. Violations are subject to administrative liability, including Articles 13.11 and 19.7 of the Code of Administrative Offenses of the Russian Federation.

Import substitution of communications tools is the main trend in Russian business, and it is expected to develop rapidly in 2026. Companies are abandoning foreign platforms in favor of domestic solutions to ensure data security and regulatory compliance. There are many examples: the state corporation Rosatom, which moved its employees to a Russian secure superapp; "Sportmaster"; the restaurant chain "Kofemania"; and many others, especially in the public sector.

But the mere fact of switching to a Russian solution doesn't mean the security issue is resolved. When choosing a new communications platform, companies evaluate not only the product's origin but also its actual security. Next, we'll look at data protection methods.

What are the different data protection methods in messengers?

So, let's look at the technologies messenger developers use to secure user data and how they work:

End-to-end encryption (E2EE) vs. client-server encryption

End-to-end encryption (E2EE) is a security method in which a message is encrypted on the sender's device and can only be decrypted on the recipient's device. Simply put, the text is rendered unreadable until it reaches the recipient. Even the server the message passes through can't see it.

Unlike E2EE, client-server encryption protects data only between the user's device and the messenger server. After decryption on the server, the message can be stored in clear text and made available for analysis, indexing, or transfer to third parties at the request of regulators.

| Parameter | End-to-end encryption (E2EE) | Client-to-server encryption |
|---|---|---|
| Who sees the content | Sender and recipient only | Sender, recipient, provider |
| Stored on the server | Not stored, or stored encrypted | Often stored decrypted |
| Access upon request from government agencies | Technically impossible without access to the devices | Possible with a legal basis |
| Backups | Require separate encryption settings | Often available in the cloud without additional protection |

What this means: If a messenger uses E2EE by default, the provider cannot read the messages even if they wanted to. If encryption is applied selectively, platform administrators theoretically have access to the content of messages.

Metadata Protection

Metadata is information "about the message," not the message itself: who wrote to whom, when, from what IP address and location, how long the conversation lasted, and what files (and of what size) were transferred. Even with end-to-end encryption of the content, this metadata remains accessible. Based on these "digital traces," it is possible to reconstruct a user's social connections, identify behavioral patterns, and predict their actions.

Two-Factor Authentication

Two-factor authentication (2FA) is a login confirmation method that requires a second independent factor in addition to a password: a one-time code from an SMS or authenticator app, biometric data, or a hardware key. This protects against situations where an attacker gains access to a password through phishing or a database leak.

How 2FA works:

  • The user enters their login and password.
  • The system requests confirmation through a second channel (for example, a code in the Google Authenticator app).
  • Access is granted only after the correct code is entered.

Additional session management mechanisms:

  • Device linking: the ability to view a list of active sessions and terminate suspicious ones.
  • Remote logout: force session termination on all devices when the password is changed or the device is lost.
  • PIN and biometrics: local application protection on the device, preventing access if the gadget is physically seized.

In the corporate messenger eXpress, this approach is supplemented by three-factor authentication. Login can combine confirmation via a corporate Active Directory account (pass-through authentication via NTLMv2), OpenID, or a one-time password sent to corporate email; confirmation via a one-time SMS code linked to a phone number; and the user's personal password, which is inaccessible even to system administrators.

Data Storage: Local, Cloud, and Backups

Local storage means that data (messages, media files) is stored only on the user's device. This reduces the risk of a massive data leak if the server is compromised, but creates a vulnerability if the device is lost or stolen.

Cloud storage provides synchronization across devices and access to history from any device. However, it requires trust in the provider: who owns the encryption keys for cloud data? Who has access to the backups?

Backups are a separate risk area. Even when chats use E2EE, a backup created via a cloud service (iCloud, Google Drive) can be stored in plaintext or with keys accessible to the provider. Some messaging apps allow you to encrypt backups with a separate password, but this feature is often disabled by default.

Open Source

Open source means that the program code is accessible to anyone: it can be studied, verified, modified, and even compiled. Transparency, not secrecy, becomes the foundation of trust.

But "open" doesn't mean secure. Code may be accessible to everyone, but that doesn't guarantee it's free of vulnerabilities. Most projects are maintained by a small team, and only a few perform real audits. A bug can linger in the repository for years until it's accidentally discovered. Plus, attackers also read open source code—and sometimes use it to find weaknesses.

Third-party audits work differently: independent experts or specialized companies specifically analyze the code, search for vulnerabilities, test the architecture, and publish reports. This process includes regular audits, bug bounty programs, and build verification. These audits are what turn the potential transparency of open source into real trust—but only if the project passes them and promptly fixes the issues found.

Additional Security Features

In addition to basic mechanisms, modern messengers offer auxiliary tools:

  • Self-destructing messages: set a timer after which the message is deleted from the devices of all participants. Useful for discussing sensitive information that doesn't require long-term storage.
  • Screenshot protection: Some enterprise solutions (eXpress) block screenshots in private chat mode on mobile devices, and also prevent message forwarding.
  • Additional password/biometrics: Local app lock, requiring re-authentication each time the app is launched.
  • Backup emails and recovery codes: Alternative access recovery channels if the primary device is lost. It's important to keep them separate from your main account.
  • Secure file transfer: virus scanning of attachments, file encryption during transfer, file transfer type restrictions in corporate policies.
  • Watermarks: Automatically add a user ID to transferred images, helping to track the source of leaks in a corporate environment.
  • Remote data wipe: erasing data on employee devices on command from the server (in case of loss or termination).
  • Location-based access control: prohibit login from specific regions or network segments.
  • Integration with DLP and SIEM systems: Automatic monitoring of suspicious activity, blocking the transfer of sensitive data, and auditing security events.

How to protect your business from messaging leaks

In practice, many threats are not related to the vulnerability of the platform itself, but to human error. Employees click suspicious links, trust messages from familiar contacts, or transfer work communications to unsecured channels.

"Trust is higher in corporate environments than in the public sphere, and that's why employees become more vulnerable. Even if a message appears to be from a colleague, it doesn't guarantee security. Today, attackers actively use fake accounts, phishing links, and even deepfakes. The FakeBoss scenario, where an employee receives a video call from a "manager," has already become a real tool for attacking businesses," notes Maxim Ruban, Head of Information Security at the eXpress corporate communications platform.

Here are some basic digital hygiene rules that help reduce risks when working with corporate messaging apps.

Rule 1. Friend or foe? Check the sender before communicating

If a chat requests confidential data, documents, or personal information, it's important to verify that the request actually came from the right person. The easiest way is to contact them directly by phone and confirm the request.

Rule 2. Check first, then click links

Don't open suspicious links, QR codes, or attachments from unknown senders. One thoughtless click can lead to account compromise or data leakage.

Rule 3. Immediately notify the information security department about suspicious messages

If the message raises any doubts, do not open any attachments or click any links. Report the situation to your manager or information security specialists.

Rule 4. Don't transfer work correspondence to personal messengers

If the other person offers to continue the conversation in a personal messenger, it's best to decline. Going beyond the corporate perimeter means losing control over communication security.

Rule 5. Don't disclose details of work processes

Even harmless information on social media can help attackers. Photos of the workplace, screenshots, mentions of internal processes or tools—all of this can be used to prepare an attack.

Rule 6. Don't use corporate accounts for personal tasks

Work and personal scenarios should be separated. Don't use corporate devices and accounts for personal tasks, use a VPN when working remotely, and never use the same passwords for work and personal services.

Attackers are constantly finding new ways to bypass security. But this doesn't mean risks can't be managed. A wise choice of platform and basic digital discipline significantly reduce the likelihood of incidents. Security in messaging apps is a combination of two things: security technologies and digital discipline. One doesn't work without the other.

If you're looking for a secure messenger for corporate communications or planning import substitution for communications services, try eXpress. Submit a consultation request and our specialists will help you choose the right implementation scenario based on your company's security requirements.
