Enable Two-Factor Authentication

Both apps let you add a PIN that's required when registering your phone number on a new device. Without this, someone who gets your SIM card can hijack your account.

WhatsApp: Settings → Account → Two-step verification → Enable. Pick a 6-digit PIN you'll remember.

Telegram: Settings → Privacy and Security → Two-Step Verification → Set Additional Password.

Write down your recovery email. If you forget the PIN, this is your only way back in.

Turn Off Read Receipts and Last Seen

By default, people can see when you read their messages and when you were last online. This creates pressure to respond immediately and reveals your activity patterns.

WhatsApp: Settings → Privacy → Read receipts (toggle off). Also set "Last seen" to "Nobody."

Telegram: Settings → Privacy and Security → Last Seen & Online → set to "Nobody" or "My Contacts."

Note: In WhatsApp, disabling read receipts means you won't see others' receipts either. In groups, read receipts always show.

Lock Your Chats with Biometrics

If someone gets physical access to your unlocked phone, they can read everything. App-level locks add a second barrier.

WhatsApp: Settings → Privacy → Screen Lock → enable fingerprint or Face ID. Set it to lock immediately.

Telegram: Settings → Privacy and Security → Passcode Lock. You can set a separate 4-digit code or use biometrics. Enable "Auto-Lock" so the app locks when it goes to the background.

Disable Cloud Backups (or Encrypt Them)

WhatsApp backs up to Google Drive or iCloud by default. These backups aren't end-to-end encrypted unless you explicitly enable that option.

WhatsApp: Settings → Chats → Chat backup → End-to-end encrypted backups → Turn on. Create a password or 64-digit key. Without this password or key, even you can't access the backup.

Alternatively, turn off backups entirely if you don't need them.

Telegram: Secret Chats aren't stored in the cloud at all. Regular chats are encrypted in transit but stored on Telegram's servers. For sensitive stuff, use Secret Chats (tap someone's name → three dots → Start Secret Chat).

Review Who Can Add You to Groups

Random people adding you to spam groups is annoying. Worse, it can be used for harassment or phishing.

WhatsApp: Settings → Privacy → Groups → change to "My Contacts" or "My Contacts Except..."

Telegram: Settings → Privacy and Security → Groups → change to "My Contacts" or "Nobody." When set to Nobody, people must send you an invite link instead.

Turn Off Link Previews for Sensitive Chats

When you send a URL, both apps fetch a preview. The request for that preview reaches the website and signals that someone in the chat has the link, potentially leaking metadata.

WhatsApp: You can't disable this globally, but you can delete the preview before sending (tap the X on the preview card).

Telegram: Settings → Data and Storage → Auto-Download → turn off "Link Previews" for Secret Chats. For regular chats, you'll need to manually remove previews.

Set Messages to Self-Destruct

For truly sensitive conversations, use disappearing messages. They auto-delete after a set time.

WhatsApp: Open a chat → tap contact name → Disappearing messages → choose 24 hours, 7 days, or 90 days. This applies to all future messages in that chat.

Telegram: In a Secret Chat, tap the timer icon and choose a duration from 1 second to 1 week. You can set different timers for different messages. Regular chats also support auto-delete now (tap chat name → Clear History → Auto-Delete).

What These Settings Actually Protect

These steps won't make you invisible to government surveillance or protect against sophisticated attacks. Both WhatsApp and Telegram can be compelled to hand over metadata (who you talk to, when, how often).

What they do protect against:

  • Someone physically grabbing your phone
  • SIM swapping attacks
  • Nosy family members or coworkers
  • Accidental data leaks from cloud backups
  • Spam and harassment via group adds

For higher-threat models, consider Signal (open source, minimal metadata) or Matrix (fully self-hostable). But for most people, these seven steps take WhatsApp and Telegram from "wide open" to "reasonably locked down" in about 10 minutes.

Set a calendar reminder to review these settings every six months. Apps update, defaults change, and old settings get reset.