Thoughts on Arattai
Published on 2025/10/05
Over the past week-ish there’s been relentless discourse online surrounding an app called Arattai. With significant government endorsements recently and a rapid surge in user sign-ups, it quickly became one of the top downloaded apps on both Android and iOS in India. The discourse around the app’s privacy and security claims is rife with misinformation, so I thought I’d take the time to write some thoughts down.
First, some quick things to give you context before I start my rant:
- Arattai is a new chat app by Zoho that’s been making the rounds here in India.
- They market themselves as a simple, secure, Indian-made alternative to WhatsApp.
So, what’s the problem?
For starters, Arattai doesn’t have End-to-End Encryption (E2EE) for chat messages. Although they’ve stated that E2EE is coming, we have no idea what that will look like or how robust it will be.
Given that messages are not end-to-end encrypted right now, marketing the app as “secure” and “private” is misleading and potentially even dangerous. The average person in India does not have the technical know-how to understand why the absence of E2EE means their conversations aren’t truly safe. Most people will simply see a “Made in India” app aggressively promoted to them as secure and private and assume it is safe to use. They’ll trust the marketing claims without realizing their chats are vulnerable and possibly accessible by the company or third parties.
Why does encryption even matter?
Without E2EE for messages, Arattai stores user chats, photos, media, etc. on its servers in a form the company can read. Encrypting the database or the disks at rest does not change this: the company holds those keys, so anyone with sufficient access to the servers can decrypt the content. This is the core risk of any design where the provider, rather than the users’ own devices, holds the keys.
This creates multiple risks:
- Employees or contractors might access sensitive data without user consent.
- Should the company face a data breach, attackers could gain direct access to unencrypted user content.
- Without E2EE, authorities can obtain user content from the company through a legal order alone; there is no technical safeguard that would leave the company unable to comply, whatever users might expect.
History has repeatedly shown that centralized storage of unprotected user data is vulnerable to both misuse and data breaches, jeopardizing the privacy of regular users.
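To make the difference concrete, here is an added example in Go (my illustration, not Arattai’s, Zoho’s, or Signal’s code). It contrasts the two designs: a server that encrypts messages at rest with a key it generated itself, and an end-to-end encrypted relay that only ever sees public keys and ciphertext. It assumes a single static X25519 agreement hashed with SHA-256 in place of a real protocol’s HKDF and ratcheting, AES-256-GCM as the cipher, and a made-up message; everything it needs is in the Go standard library (crypto/ecdh requires Go 1.20 or newer).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

type Record struct{ Nonce, CT []byte } // one stored message: nonce plus AES-GCM ciphertext

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMsg encrypts msg under key with a fresh random nonce.
func sealMsg(key, msg []byte) (Record, error) {
	aead, err := gcm(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, CT: aead.Seal(nil, nonce, msg, nil)}, nil
}

// openMsg decrypts r under key; any wrong key fails the GCM tag check.
func openMsg(key []byte, r Record) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.CT, nil)
}

// sessionKey is the E2EE message key: it needs one party's X25519 private key
// plus the other's public key, so only the two endpoints can compute it. Assumption:
// one static agreement hashed with SHA-256 stands in for a real protocol's HKDF and ratcheting.
func sessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

func encrypt(own *ecdh.PrivateKey, peer *ecdh.PublicKey, msg []byte) (Record, error) {
	k, err := sessionKey(own, peer)
	if err != nil {
		return Record{}, err
	}
	return sealMsg(k, msg)
}

func decrypt(own *ecdh.PrivateKey, peer *ecdh.PublicKey, r Record) ([]byte, error) {
	k, err := sessionKey(own, peer)
	if err != nil {
		return nil, err
	}
	return openMsg(k, r)
}

// must panics on error so the scenario below reads top to bottom.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RunScenario sends msg through both designs and returns the plaintext the server
// operator recovers from the provider-key ("encrypted at rest") store, whether the
// operator could decrypt the E2EE record, and what the intended recipient recovers.
func RunScenario(msg string) (operatorReads string, operatorReadsE2EE bool, recipientReads string) {
	// Design 1: the server generated the key, so anyone who can run code on the
	// server (employee, intruder, compelled operator) reads every message back.
	serverKey := make([]byte, 32)
	must(rand.Read(serverKey))
	atRest := must(sealMsg(serverKey, []byte(msg)))          // what the server stores
	operatorReads = string(must(openMsg(serverKey, atRest))) // no user involved

	// Design 2: the server relays public keys and stores ciphertext; its operator can only guess a key.
	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	relayed := must(encrypt(alice, bob.PublicKey(), []byte(msg))) // what the server stores
	_, guessErr := openMsg(make([]byte, 32), relayed)              // all-zero guess; any wrong key fails the same way
	operatorReadsE2EE = guessErr == nil                            // stays false
	recipientReads = string(must(decrypt(bob, alice.PublicKey(), relayed)))
	return
}
```

Calling RunScenario with any message gives the same shape of result: the operator reads the provider-key store back in full, the guessed-key decryption of the E2EE record fails GCM authentication, and only the recipient recovers the message. The caveat this makes visible is that “encrypted at rest” is a real control against a stolen disk, but it says nothing about what the company, an intruder on its servers, or a legal order can read.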
Insufficient Evidence for Claims
Despite its strong marketing as “secure” and “privacy-first”, Arattai does not publicly share meaningful evidence to back up these claims. There are no visible third-party security audits, no transparent technical whitepapers, and no open documentation about how encryption is implemented (or will be implemented).
Promises of end-to-end encryption are vague, with no published roadmap, no technical details, and no reference to any established protocol (the Signal Protocol or MLS, for example) for the feature that is supposedly coming.
In a field where peer review and openness define trustworthiness, this lack of proof makes their security and privacy claims seem more like marketing than fact.
Import of Sensitive Data Without Protection
Another thing that worries me is how Arattai encourages users to import their WhatsApp conversations, including years’ worth of sensitive, previously end-to-end encrypted messages, directly into their platform. Since these chats will not be protected by E2EE after import, the move is a significant privacy downgrade for users.
Shifting private data from a protected context to a significantly less secure one without adequately warning or protecting users is deeply problematic.
Does this mean that adding encryption will fix everything?
Not quite. Just having encryption doesn’t automatically make things great. For example, Telegram has encryption, and their cryptography is widely known to be pretty bad. Even if we were to make the assumption that Telegram’s cryptography is incredible, the fact that it is optional (only one-to-one “Secret Chats” are end-to-end encrypted) and outright unavailable in groups disqualifies it as being “safe” in my books.
In contrast to Telegram, Signal is probably what I’d point to as the current gold standard when it comes to privacy and security. Signal’s cryptography has been battle-tested time and time again and the protocol has even been adopted by messengers like WhatsApp. Signal doesn’t allow for any unencrypted messages and they even go further by trying to obfuscate identities and communication patterns of users (its sealed sender feature, for instance, hides who sent a message even from Signal’s own servers), further strengthening privacy.
How do you know what’s safe to use then?
Honestly, just use Signal. At the moment, there’s nothing that beats Signal when it comes to ease of use, security, and privacy.
However, if you want to know what you should look at when shopping for a new chat application, here’s what I think are the bare minimum requirements that an app must offer for it to qualify as secure and private:
- Open Source: There’s no privacy or security if you cannot verify it yourself. Security through obscurity is like bolting your door with a cheeto. If you cannot audit the app’s code and reproduce its builds yourself, or use a client independently compiled from source, the app has no business claiming to be secure.
- End-to-End Encryption (E2EE): The app must use strong, well-audited cryptography that encrypts all messages and calls by default, with no option to send unencrypted plaintext. This means that only the communicating users can read the data and nobody else, not even the service provider. Many apps fail this crucial bar immediately.
- Cryptographic Soundness: The encryption protocols and their implementations must be based on well-established standards and thoroughly vetted by the security community. Homegrown or proprietary cryptography that hasn’t undergone rigorous auditing and peer review is a huge red flag and should be avoided.
Stay Vigilant
Look, I think we definitely should have more home-grown apps and tech in general. I make no effort to hide my disdain for US tech and its increasingly predatory nature.
However, blindly choosing an app just because it is “made in India” without any scrutiny is not the way to go about it. Privacy and security require rigorous technical standards, transparency, and accountability regardless of where the app comes from.
Comments
You can comment on this blog post by replying to this post using any ActivityPub/Fediverse account!