Singapore’s trust in encrypted apps: A dangerous illusion


Every security leader BlackBerry surveyed in Singapore knew the same thing: consumer messaging apps are being used inside their organisation for sensitive work. All of them, 100 percent, acknowledged it, the only country in the study to reach complete awareness. And 94 percent confirmed the app in question is usually WhatsApp, well above the 83 percent global average and the highest rate anywhere surveyed.

That is the uncomfortable opening to “The State of Secure Communications 2026”, a BlackBerry Secure Communications study of 700 security decision-makers across government and critical infrastructure organisations in Singapore, Canada, the United Kingdom and the United States, conducted by OnePoll. For one of the world’s most digitally advanced markets, the Singapore findings describe a wide gap between how secure leaders feel and how exposed they actually are, and the report traces that gap to a single misunderstanding about what end-to-end encryption (E2EE) really protects.

The numbers behind the headline are stark. Some 40 percent of Singapore respondents estimate that more than half of their organisation’s mission-critical conversations took place on consumer apps over the past three months, against a global average of 27 percent. The average estimated share of sensitive conversations happening on consumer platforms is 36.9 percent, again the highest globally:

  • WhatsApp leads the list of apps in use
  • Teams at 56 percent
  • Personal email at 47 percent
  • Telegram at 41 percent
  • SMS at 31 percent
  • WeChat at 26 percent
  • iMessage at 17 percent

WhatsApp, in other words, has quietly become the default channel for work that should never have left a controlled environment, creating what the report calls a single point of failure on a foreign-controlled platform.

Encryption blindness

The thing holding this behaviour up is a belief that encryption has it covered. Across all four markets, 88 percent of security leaders said they were confident in their messaging apps, yet 90 percent of those relying on E2EE held at least one fundamental misconception about what it protects. Singapore’s misconception rate matched that figure at 90 percent, which BlackBerry frames bluntly in the interview version of the research, titled “88% Confident, 90% Misled”.

“The security industry has gradually allowed the label E2EE to become shorthand for secure,” said Jonathan Jackson, Field CISO for APAC at BlackBerry Secure Communications. “Consumer platforms built their entire marketing identity around that label. That doesn’t mean security professionals are failing. They’re responding rationally to the information they’ve been given.” The deeper problem, he said, is that encryption only protects one layer, message content in transit, while leaving identity, device integrity and metadata exposed. Adversaries do not need to break it. They work around it, through users, devices and verification.

What sets Singapore apart is the depth of the misunderstanding. Asked what E2EE actually does, 52 percent believed it prevents backdoor access, 51 percent thought it protects message content, and 49 percent assumed personal metadata is safeguarded. Some 70 percent believed E2EE alone makes a communications system secure, and 11 percent were unsure, nearly double the global average of 6 percent. The reality is narrower than any of that: E2EE secures content in transit, but it does not verify who you are talking to, stop impersonation or deepfakes, hide metadata, or protect a compromised device.

Christine Gadsby, BlackBerry’s Chief Security Advisor for Secure Communications, puts the identity gap in one line. “A phone number is not a verified identity,” she said. “Consumer messaging apps encrypt content in transit, but they don’t verify who you’re communicating with, a gap that recent global advisories show is already being exploited.”

The threats they fear are the ones encryption ignores

Here is the paradox at the centre of the Singapore data. The risks local leaders rank as their top concerns are precisely the ones E2EE does nothing about. Metadata leakage tops the list at 65 percent (against 55 percent globally), followed by impersonation and deepfakes at 59 percent (50 percent globally) and telecom infrastructure compromise, also 59 percent and the highest rate of any country. Confidence in protection against device compromise is the lowest in the study, with only 61 percent expressing net confidence versus a 72 percent global average, and just 10 percent saying they are very confident.

So the awareness is there. As the report puts it, this is not a lack of risk awareness but a behavioural gap: leaders clearly see the structural threats, yet day-to-day tool choices are still driven by immediacy, integration and cost, especially when a risk like metadata exposure feels indirect or probabilistic. Jackson breaks down what that gap costs when something goes wrong. On identity, an attacker who takes over an account inherits a trusted one, and every instruction or alert sent from it becomes suspect, which he calls operational paralysis rather than theoretical risk. On devices, encryption protects the channel, not the endpoint, so a compromised phone can leak plaintext before encryption is ever applied. And on metadata, even with content encrypted, who is talking to whom, when and how often can expose command structures and signal activity before a single message is read. For a government, a bank or an infrastructure operator, he notes, that metadata is itself an intelligence asset.

The threat is not theoretical here; it has already happened

Singapore’s situation is more difficult than most because the network beneath those apps has already been hit. In February 2026, the Cyber Security Agency of Singapore and the Infocomm Media Development Authority disclosed that the China-linked espionage group UNC3886 had run a deliberate, well-planned campaign against the country’s telecommunications sector, with all four major operators, M1, SIMBA Telecom, Singtel and StarHub, among those targeted. The disclosure followed Coordinating Minister for National Security K. Shanmugam’s July 2025 warning that an advanced persistent threat actor was inside the country’s critical infrastructure, and the multi-agency response was codenamed Operation Cyber Guardian. Investigators found the intruders accessed some systems but did not disrupt services or steal customer data.

That history shows up directly in the survey, where 59 percent of Singapore respondents worry their networks could be monitored or disrupted, the highest figure globally. Jackson reads the combination as awareness that has not yet changed behaviour. “Organisations know their telco infrastructure has been targeted, but the instinct is to treat that as an infrastructure problem rather than a communications tool problem,” he said. “The two are connected.” The 2026 threat picture, he argues, is a hybrid one: campaigns like Salt Typhoon, which sat undetected in US telecom networks for nearly two years harvesting calls, SMS and metadata, and UNC3886 targeted the network, while newer campaigns run by the same state-backed actors hit the app layer at the same time.

Then there is the local, app-level proof. On 12 March 2026, Jackson said that the Singapore Police issued an advisory warning about active WhatsApp account takeovers through one-time password exploitation and social engineering, with attackers spreading laterally through trusted contacts. “The Singapore Police advisory is significant because it confirms this is active, real-world exploitation in the ASEAN region, and not a European or American problem being monitored from a distance,” he said. “Singapore organisations need to treat this as a domestic threat requiring a domestic response.”

Why nobody puts WhatsApp down

If the risk is this well understood, why does the behaviour persist? Jackson’s answer is an availability gap. “Knowing the risk doesn’t resolve the operational problem of what to use instead when partners, agencies, and supply chain contacts are all on WhatsApp,” he said. 

Consumer apps win by making it frictionless to message across organisational and jurisdictional lines, which is fine for friends and family but not for sensitive government or commercial work. A secure alternative, he argues, has to match that ease, or the behaviour will not shift, no matter how high the risk awareness climbs.

The encouraging signal in the Singapore data, he said, is that the appetite is there. Singapore leads the study on procurement rigour, with 67 percent prioritising certifications (against 61 percent globally) and 57 percent prioritising national directives (against 48 percent), and it shows the lowest reliance on vendor marketing claims at 33 percent. “The institutional appetite for purpose-built, sovereign communications is stronger in Singapore than almost anywhere else we surveyed,” Jackson said. In his view, readiness and the live threat environment create the conditions for change if a usable alternative is actually deployed.

Strong procurement, pointed at the wrong target

That procurement discipline comes with a catch, and it is where Jackson is most pointed. Certifications, he said, only matter if they validate the right design, and the rigour breaks down at the specification stage. “If procurement criteria specify E2EE certification and metadata protection isn’t in scope, the certification is silent on metadata. If identity verification isn’t specified, the certification doesn’t address it. You get exactly what you ask for.” His reference point is the recent wave of European intelligence guidance, which did not say Signal’s encryption was broken, but that, despite it, the app should not carry classified or sensitive information. The certification was accurate. What it certified was too narrow for the job.

The result is what the report calls a sovereignty paradox. While 55 percent of organisations globally say sovereign control is a priority, 47 percent of Singapore respondents prioritise full sovereign control over their communications infrastructure, the lowest of any country, and 39 percent prioritise ease of global connectivity, the highest. At the same time, 97 percent report using foreign-hosted consumer platforms. When choosing tools, Singapore organisations rank integration (59 percent, the highest globally) and cost (49 percent) above domestic or sovereign ownership (34 percent, the lowest). Jackson adds a governance dimension that should resonate locally: Europe’s shift is being driven as much by record-keeping as by security, because governments need to capture, audit and retrieve communications, and consumer apps sit outside that control, often under foreign jurisdiction. Singapore’s own data governance and freedom-of-information frameworks, he argues, create the same pull.

A correction happening in real time

Much of Jackson’s argument leans on what he describes as a fast, coordinated international correction through the first half of 2026. By his account, Germany’s BfV and BSI raised the alarm in February, Google’s Threat Intelligence Group documented Russia-aligned actors abusing Signal’s “linked devices” feature to gain persistent access, Portugal’s SIS and the Dutch MIVD followed, a joint CISA and FBI advisory landed on 20 March, and the UK’s NCSC issued its own on 31 March. The independent record backs the broad shape of this. 

In early April 2026, Politico reported that the European Commission ordered senior officials to shut down a Signal group chat over hacking fears, and that France, Germany, Poland, the Netherlands, Luxembourg and Belgium had begun rolling out their own government-controlled messengers, with the Commission aiming to complete its own transition by year’s end and NATO already running its own system. Belgium’s replacement is an app called BEAM; Germany is using technology from Wire.

For Jackson, the lesson for Singapore is a choice. “The question is whether they wait for a domestic incident of sufficient severity to drive the same response, or whether they treat the allied intelligence community’s coordinated warning as sufficient justification to act now,” he said. He is careful, when asked whether BlackBerry includes itself in the industry’s marketing critique, to point at the external bodies rather than the vendor: when independent agencies say these platforms should not carry sensitive work regardless of their encryption credentials, that is a correction no marketing can paper over. BlackBerry’s pitch, he said, is that its claims rest on the highest level of certifications from external government and standards bodies rather than self-attestation, and that it works with NATO and most of the G20 and ASEAN member nations. The report notes 38 percent of organisations still rely on vendor self-attestations rather than independent verification.

Crisis tools that fold under pressure

The exposure gets more acute in an emergency. Some 90 percent of respondents said they are confident in their crisis response, yet 51 percent lack a unified Critical Events Management platform and would coordinate a major incident over group chats and email threads. Group chats are the most common crisis tool at 56 percent, followed by email threads at 53 percent and phone trees at 19 percent, each of them, Jackson notes, dependent on exactly the layers the advisories say are being targeted. He points to the European Commission’s Signal shutdown as a live example of the confidence gap in a real crisis. At the moment senior officials most needed a channel, the channel had to be abandoned because there was no secure alternative ready.

Layered on top is the longer game. The report describes a “harvest now, decrypt later” threat that is already operational, with state actors collecting encrypted traffic today to read once quantum decryption becomes viable. Some 61 percent of respondents expect quantum computing threats within five years, yet 78 percent have not implemented post-quantum cryptography. The relevant question, Jackson argues, is not when quantum arrives but how long today’s data needs to stay secret, and when it first became a target for collection, which, for diplomatic, financial and infrastructure data in Singapore, could be years or decades.

What to do before the next compromise

For organisations that cannot swap platforms overnight, Jackson’s single most useful step is to act on the public advisory guidance now, without waiting for a procurement decision. Audit the linked and registered devices on every messaging platform in use and remove any you do not recognise, since the Signal “linked devices” feature is active by default on every installation. Do not share verification codes or scan unknown QR links, verify suspicious messages through a separate channel, and watch for unfamiliar devices or unexpected group participants. Then map your metadata exposure, identify your highest-risk conversations and what a compromise of each would cost, and move those onto a more controlled channel even before any full migration.

There is one more Singapore data point that frames the whole report. Asked whether they would be surprised if their sensitive communications were compromised tomorrow, only 78 percent of Singapore respondents said yes, the lowest rate globally against an 86 percent average. Many already expect their current tools to fall short. The pattern the study lands on is consistent: heavy use of consumer apps for sensitive work, a misunderstanding of what encryption protects, and continued exposure to the high risks leaders say worry them most. Closing it, BlackBerry argues, takes more than encryption. The open question is whether organisations move first or wait until a compromise makes the decision for them.



