
In the age of Pegasus spyware, billion-dollar data leaks, and governments thirsting for surveillance, one promise matters above all: real end-to-end encryption (E2EE). But Zoho’s Arattai — which markets itself as a “Made in India secure messenger” — still hasn’t delivered on that promise for its most basic function: regular chats. Instead, your private conversations take a pit stop at Zoho’s servers, where they are decrypted to plain text before being repackaged for delivery. If that doesn’t make you uncomfortable, wait till you see Zoho’s history of catastrophic server-side exploits.
This isn’t paranoia. This is pattern recognition.
1. E2EE Is Selective — And That’s a Red Flag
While WhatsApp, Signal, and iMessage encrypt every chat by default, Arattai applies E2EE only to audio/video calls and “secret chats.” Regular conversations? They’re decrypted on Zoho’s cloud before they reach your friend’s phone. Translation: Zoho can technically read them. Hackers who breach Zoho’s servers can read them. Governments with leverage over Zoho can read them. That’s not end-to-end. That’s end-to-Zoho-to-end.
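The difference between the two delivery models described above can be modelled in a few lines. This is an added example, not code from the original post or from Zoho: a generic model built on Node.js's built-in crypto module, in which the function names (`seal`, `unseal`, `sessionKey`, `relayHopByHop`, `relayEndToEnd`) and the `demo-chat` HKDF label are assumptions made for illustration. It also assumes public keys reach each party authentically.

```javascript
// Added illustration: a generic relay model, not Arattai's or Zoho's actual protocol.
const nodeCrypto = require('node:crypto');

// AES-256-GCM authenticated encryption; a sealed box is { iv, ct, tag }.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, box) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]).toString('utf8');
}

// X25519 key agreement, then HKDF-SHA256 down to a 32-byte session key.
function sessionKey(myPrivate, theirPublic) {
  const secret = nodeCrypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'demo-chat', 32));
}

// Fresh key pair per party (assumption: public keys are exchanged authentically).
const newParty = () => nodeCrypto.generateKeyPairSync('x25519');

// Model 1: each client shares a key with the server only (hop-by-hop encryption).
function relayHopByHop(message) {
  const alice = newParty(), bob = newParty(), server = newParty();
  const inbound = seal(sessionKey(alice.privateKey, server.publicKey), message);
  // The server must decrypt in order to re-encrypt for Bob: plaintext exists here.
  const seenByServer = unseal(sessionKey(server.privateKey, alice.publicKey), inbound);
  const outbound = seal(sessionKey(server.privateKey, bob.publicKey), seenByServer);
  const delivered = unseal(sessionKey(bob.privateKey, server.publicKey), outbound);
  return { seenByServer, delivered };
}

// Model 2: clients agree on a key with each other; the server only forwards the box.
function relayEndToEnd(message) {
  const alice = newParty(), bob = newParty(), server = newParty();
  const box = seal(sessionKey(alice.privateKey, bob.publicKey), message);
  let seenByServer = null;
  try {
    seenByServer = unseal(sessionKey(server.privateKey, alice.publicKey), box);
  } catch (err) { /* GCM tag check fails: the server holds no usable key */ }
  const delivered = unseal(sessionKey(bob.privateKey, alice.publicKey), box);
  return { seenByServer, delivered };
}
```

In the first model `seenByServer` equals the message; in the second it stays `null` while Bob still receives the message intact.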
2. “Trust Us” Is Not a Security Protocol
Zoho has built its brand on the word “trust.” But security isn’t a marketing slogan; it’s math and architecture. Encryption either exists end-to-end, or it doesn’t. By asking users to simply believe, Zoho is offering blind faith where cryptographic proof should stand. In cybersecurity, trust without verification is a weapon against the user, not protection for them.
3. The Pattern of Breaches That Can’t Be Ignored
Zoho’s track record isn’t a one-off accident. It’s a recurring nightmare:
• CVE-2021-40539 (ADSelfService Plus): Authentication bypass → Remote Code Execution. Exploited by advanced persistent threat (APT) groups. CISA had to step in.
• CVE-2022-47966: A SAML flaw across multiple ManageEngine products → Remote Code Execution. Corporate networks left exposed.
• CVE-2025-1723: Session flaw in ADSelfService Plus → Possible unauthorized access to user data. Fresh proof that the lessons still aren’t being learned.
When the company running your messaging servers has a reputation for Swiss-cheese security, should you really trust them to hold unencrypted versions of your chats?
4. The Illusion of “Indian WhatsApp”
Arattai positions itself as the patriotic alternative to foreign apps. But privacy isn’t about nationalism; it’s about mathematics. An app with half-baked encryption is a ticking bomb, whether it’s coded in Palo Alto, Beijing, or Chennai. The hard truth: data leaks don’t carry passports.
5. Until Every Chat Is E2EE, Users Are Exposed
Security isn’t negotiable. Either every chat, every call, every file is protected by default — or it’s a gaping hole waiting to be abused. Arattai users deserve to know that until Zoho switches on true, universal E2EE, their privacy is built on a foundation of sand.
⚡ Bottom Line:
Zoho wants you to trust. But cybersecurity is not religion — it’s mathematics. Until Arattai encrypts everything, by default, from device to device, every message is at risk. The choice is clear: demand accountability or accept vulnerability.