Published Jun 28, 2023 by Xiph
WhatsApp is trusted by over 2 billion active users and is the top encrypted cross-platform messaging app in the world by market share. The Meta-owned service provides free messaging and end-to-end encryption on all communications, but how safe is it really?
WhatsApp is safer than SMS
WhatsApp was founded by former Yahoo employees and gradually replaced SMS, thanks in part to its low cost and international service reliability. WhatsApp is also far more secure than regular non-encrypted text messaging because of its built-in end-to-end encryption. Unlike SMS, WhatsApp relies on an internet connection rather than a cellular network to operate.
WhatsApp privacy encryption and privacy features
WhatsApp is backed by end-to-end encryption, which means all messages are encrypted (i.e. scrambled into indecipherable code) while in transit and can only be decrypted by the sender(s) and recipient(s). Nobody in between, not even WhatsApp, can access the content of your communications. The same protection applies to voice and video calls, plus photos, static images, and videos sent via WhatsApp. End-to-end encryption also protects your messages from Wi-Fi snooping and man-in-the-middle attacks, but attackers can still try to take over your WhatsApp account by cracking your password or by brute force, guessing login information through trial and error.
Other security features of WhatsApp include two-factor authentication (optional), automatic spam detection, device verification if any suspicious or unauthorised attempts to log into an account are detected, and Account Protect when switching any WhatsApp account to a new device.
Other messaging apps that offer end-to-end encryption security include Telegram and Signal.
WhatsApp main security issues
WhatsApp is one of the most secure messaging apps, but there are some security risks to be aware of.
WhatsApp has been hacked in the past
WhatsApp previously had the data of about 500 million users worldwide compromised, including the phone numbers of 7.3 million Australians. A group of hackers behind the breach subsequently tried to sell select datasets on the dark web to other malicious actors for fraud and identity theft. This is what may be behind the increase in smishing (SMS phishing) and vishing (voice phishing) attacks on the platform. WhatsApp also previously discovered a system vulnerability whereby hackers would infect phones with spyware by calling victims through the app.
WhatsApp is widely used by scammers
WhatsApp is one of the most widely used messaging apps globally, making it the ideal platform for hackers and malicious actors to find potential victims under the cloak of end-to-end encryption. Scammers use WhatsApp to circulate 'viral' scams like sweepstakes, competitions, or freebies. There are also more elaborate scams, including smishing, verification-code scams, impersonation, romance scams, and blackmail.
Unencrypted backups
It’s important to note that while all communications on WhatsApp are encrypted from end to end, any backups of your messages and media on Android or iOS may not be. Backup files stored on iCloud or Google Drive may contain unencrypted copies of all your messages. That data is managed by your cloud service provider, which means there is a risk of a breach. WhatsApp does offer end-to-end encrypted backups, but that’s a feature users must opt in to.
Facebook data sharing
Not everything you do on WhatsApp is private. Since WhatsApp is owned by Meta (the parent company of Facebook), it allows data sharing with Facebook and other Meta companies. This includes account registration information (and therefore your phone number), transaction data (i.e. if you used WhatsApp Shop), and other service-related information. WhatsApp also collects data on how users interact with others, and the time, frequency and duration of communications and interactions.
Fake news and hoaxes
Social media platforms are notorious for fake news and misinformation and WhatsApp is no exception. Since WhatsApp’s communications are encrypted, it’s impossible to moderate all false information shared between groups. However, the messaging app does have a feature that curbs the spread of information – good or bad. For example, it doesn’t allow users to forward a message to more than one person or group at a time if it’s already been forwarded more than five times.
Advanced security tips for WhatsApp
Here are some steps users can take to minimise security risks.
Encrypt your backups
Be sure to enable encryption for your WhatsApp backups. This will encrypt your messages and media stored in the cloud with a 64-digit encryption key. You can also password-protect your backups for extra safety.
Add a PIN to your WhatsApp
You can add a six-digit PIN to secure your WhatsApp account. This will help to retrieve your account if it gets hacked or lost. It would also prevent hackers from getting into your account, even if they get their hands on the SMS code that activates your account on another device.
Disable autosave
Disable the autosave function that saves the images, videos, or audio messages you send over WhatsApp to your phone’s library. These only remain encrypted while in transit between the sender and recipient, but not when they’re saved to your device or the cloud.
Use a virtual private network (VPN)
Use a VPN to access WhatsApp from anywhere in the world and hide your IP address. This essentially conceals your WhatsApp usage. WhatsApp does not forbid using a VPN to access its services. Just ensure your VPN is configured properly.
A final word
WhatsApp may be one of the most secure messaging apps on the market, but it’s not foolproof and it comes with its own security challenges. For one thing, the app is not immune to hacking and is often used as an attack vector by scammers since all chats are encrypted and impossible to trace. Secondly, WhatsApp’s championing of privacy only extends to communication between users, not to usage or personal information that it shares with its parent company Facebook. For more information, contact us via email: enquiries@xiphcyber.com.