Although it has to be said that Telegram does not offer true end-to-end encryption by default. For general-purpose usage, WhatsApp may actually be considered more secure than Telegram.
Indeed Telegram is not more secure than WhatsApp, but I usually take into account the position of each company and how that affects my particular use case.
Yes, the Signal protocol and Signal's implementation are both open source, but you have no way to actually verify that WA has actually implemented the protocol correctly and securely. Sure, you could do some basic packet analysis, but this wouldn't tell you about the presence of any remotely triggered backdoors.
The only way for you as a user to actually verify the security is by reading the source and compiling the software yourself, or reading the source and verifying the signature via reproducible builds.
I really don't understand the business decision process here. If they just copied Signal with OSS/FOSS code and reproducible builds they would just win outright and tech people wouldn't have anything to complain about. The value of the service is the network anyway -- why care so much about the client?
There are many ways that both WA and Telegram can be subverted/backdoored/messed up. What it really comes down to is: who do you trust? Do you trust WA or Telegram? Personally, I trust WA a lot more than Telegram since WA has Moxie on their team and Telegram says "Trust us" and puts up a very unreasonable security challenge. I naturally don't trust people that say "Trust us" and put up unreasonable security challenges.
You can just decompile the program. Binaries aren't a magic black box. Given how much FB stands to lose by lying, it is eminently unlikely they think they can get away with hiding stuff in an Android app. As much as I despise FB, this isn't one of the reasons. (Using WhatsApp still gives them metadata and contact info.)
While it is true that Telegram's clients are open-sourced, their server-side code is not. So we don't know how information is stored on the server (I do not think that it is encrypted).
Closed source servers are no problem in verifying E2E encryption if the client is open source. WhatsApp's issue is that the clients are closed source. Telegram's issue is that it's optional to encrypt your messages. That's the long and short of this whole WhatsApp versus Telegram discussion.
Using an unexamined and unpublished encryption algorithm. Encryption is hard and when someone says "trust us", you know they are implementing poor encryption.
If you think everything has to be "published" in the sense of a publication in a scientific paper, Hacker News is probably a disappointing place. As for unexamined, the bounty for actually cracking the encryption is still open last I heard, and I know people have been trying.
As someone professionally involved in cyber security, I fully understand and agree with the criticism that the protocol is non-standard and does not follow several best practices. On the other hand, it cannot be ignored that it hasn't been cracked yet, despite Telegram being one of the bigger messaging services in the world (especially one attracting a tech-savvy audience) and receiving a lot of attention.
The very least Telegram-haters could do is acknowledge WhatsApp's equally big problem: we cannot verify a thing. Facebook could have either open sourced the clients or published the outer shell of the wire protocol so we can verify the E2E encryption. They chose to do neither.
I've always used Telegram for privacy purposes.
It was amazing to watch the flood of friends "just signing up".