WhatsApp security system: the truth about the end-to-end encryption

How safe is WhatsApp really? I want to take a look at that question throughout this guide. You can take this opportunity to get to know more about whether your calls and messages are actually safe.

Hey, it’s Frankie (author of the blog) here again. I am an expert and tester of messaging apps and I am passionate about hacking techniques and tips to help you make the most of your experience.

Now more than ever, the security and privacy of your personal data is a pressing concern.

For this reason, I wrote this article to talk exclusively about WhatsApp security. I wanted to answer many of the questions that readers have sent me. Some of these include:

Are we sure the messages and media we send are actually safe? No one can access them?

Can WhatsApp get hacked?

It all comes down to one general question: Is WhatsApp safe?

I am going to answer that in several ways, including:

  • How Secure is WhatsApp? What You Need to Know About End-to-End Encryption
  • Security Threats of WhatsApp You Need to Know
  • How You Can Make WhatsApp Safer

Let’s not waste any more time and get right into the meat of the dish.

How Secure is WhatsApp?

Let’s begin with some urgent news.

Most of the users on WhatsApp believe that the application is fully secure, but this is not the case unfortunately.

Don’t panic just yet.

I will clear this up a little bit.

WhatsApp does provide several barriers and features designed to protect your privacy, such as hiding your last login, your profile photo, and more. It also has a weak spot with its end-to-end encryption.

What is End-to-End Encryption?

This system is a means of communication designed so that only those involved in the conversation can read the messages or view the media. Decryption is done with a built-in key.

Let me show you how it works:

When you add a contact to your list, the apps on both devices generate a set of keys designed to pair only with one another.

These generated keys are private, and the application itself cannot even see them.

This is valuable because messages and media must pass through WhatsApp servers, but thanks to the encryption they cannot be deciphered on their way to their destination.
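
The following added example is not WhatsApp's code and not its actual protocol (WhatsApp uses the Signal protocol); it models the idea above with X25519 key agreement and AES-256-GCM from Node.js's built-in `crypto` module. The device names, phone numbers and message are constructed; note what the relay's view of the message still contains.

```javascript
// Added illustration: a simplified model, NOT WhatsApp's actual protocol.
const crypto = require('node:crypto');

// Each device generates its own key pair; the private half never leaves it.
function newDevice(phone) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  return { phone, publicKey, privateKey };
}

// Both ends derive the same message key from their own private key and the
// peer's public key (ECDH, then HKDF). The relay server holds neither private key.
function sharedKey(me, peerPublicKey) {
  const secret = crypto.diffieHellman({ privateKey: me.privateKey, publicKey: peerPublicKey });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'demo-e2e', 32));
}

function encryptFor(sender, recipient, text) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sharedKey(sender, recipient.publicKey), iv);
  const ciphertext = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  // The envelope is what the relay server handles: metadata in clear, body encrypted.
  return { from: sender.phone, to: recipient.phone, sentAt: new Date().toISOString(),
           iv, ciphertext, tag: cipher.getAuthTag() };
}

function decryptAs(device, senderPublicKey, env) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', sharedKey(device, senderPublicKey), env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample data (the phone numbers are made up).
const alice = newDevice('+1-555-0100');
const bob = newDevice('+1-555-0101');
const eve = newDevice('+1-555-0199'); // anyone who lacks Bob's private key
const envelope = encryptFor(alice, bob, 'see you at 8');

// What a server (or someone who breaches it) can record about this message.
const serverView = JSON.stringify({ from: envelope.from, to: envelope.to,
  sentAt: envelope.sentAt, body: envelope.ciphertext.toString('base64') });

function tryDecrypt(device) {
  try { return decryptAs(device, alice.publicKey, envelope); }
  catch { return null; } // wrong key: the GCM authentication check fails
}
console.log(serverView);
console.log('bob:', tryDecrypt(bob), '| eve:', tryDecrypt(eve));
```

The body is unreadable without one of the two private keys, while the sender, recipient and timestamp travel in the clear.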

END-TO-END ENCRYPTION

Want to know more about end-to-end encryption on WhatsApp? They have an entire FAQ page devoted to all of the information you might want to know.

The inclusion of end-to-end encryption in messaging apps greatly improves the safety of communication for everyone.

There are two distinct advantages of this encryption for its users:

  • Hackers breaching the WhatsApp server cannot see private keys or access messages.
  • Messages are only visible on your account or the recipient’s. In this way, WhatsApp cannot store or save conversations and therefore cannot share them with anyone else – even law enforcement.

With this information, you might believe that your account and its conversations are safer, but this is not the case.

The Limits of End-to-End Encryption

One of the first limitations is that WhatsApp saves a time, date, and phone number stamp for every successfully delivered or received message on their servers for legal purposes.

This information comes directly from the Privacy Policy on the WhatsApp website, stating:

“WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect”

Another shortcoming is that while this encryption is very secure, it is also true that it is not perfect. No security system is fully infallible.

Even if a hacker cannot decode a message encrypted in this way, they can still access your conversations through other, less direct paths.

One of these methods is social engineering to access the backups of your conversations. An attacker can also install a keylogger on the devices you use, through a virus that records the inputs (such as passwords) that you enter. They could even spy on your phone with specific software. I will explain that one a little later.


Frankie’s Take:

You should never consider the security of any website or application to be impenetrable. A system becomes more secure as layers of protection are added, so think of security as a gradual scale rather than in absolutes like safe or unsafe. From this perspective, end-to-end encryption of messages is a big step towards a safer experience for users. It does not protect your account from every danger, though, so I would suggest a reputable antivirus and cybersecurity suite for your phone.

Security Threats to WhatsApp – 3 Things You Need to Know

As far as I can see, there are three main glaring issues with WhatsApp security:

1. Backups Are Not Encrypted

As I mentioned earlier, messages sent on WhatsApp through the servers are protected with encryption. This means that only you and the message recipient can read these messages.

Once they have been decrypted however, this level of protection no longer exists.

This is where the trouble starts.

Let me clarify:

WhatsApp provides you the option of backing up your messages, media, and files sent and received through the service. This essential feature allows you to recover older chats you might have deleted erroneously or transfer content from one mobile phone to another when changing devices.

WhatsApp performs two different backups of this information, one on your smartphone (local) and one to the cloud. If you are using an Android phone, this saves to Google Drive. On iPhones, the information saves to your iCloud.

A backup file stored on iCloud or Google Drive is not encrypted. Since this file contains the full content of your conversations, it is vulnerable to viewing and, in the wrong hands, puts the end-to-end encryption at serious risk.

Accessing the backup of your conversations is easier than you might think. There are several methods, most of which do not require the hacker to have IT skills or tech savviness.

Programs like mSpy, for instance, can allow you to access backup copies and read full WhatsApp conversations from anyone for only a few dollars.


Frankie’s Take:

There is no alternative to backing up this information. The only way to really protect yourself is to not make a copy of your conversations. This leads to significant drawbacks. One of these is that if you change your mobile device, you cannot recover old conversations and you will lose them forever.

2. WhatsApp Web: Malware or Spyware

For many years, WhatsApp has given users the option to use their service from a computer through WhatsApp Web or a standalone app called WhatsApp Desktop.

The Desktop version is very secure, much like the actual service that you use on your phone. The same cannot be said, however, for the web service.

Allow me to explain:

For a hacker, accessing WhatsApp Web is not complicated at all. They can use malware that can ‘disguise itself’ as WhatsApp Web and steal your information to spy on your chats. So, you think you are on WhatsApp Web, because the malware has a good graphical interface that’s the same as a web version of WhatsApp, but you are using a different program entirely.

Also, the bad guys could just use spyware. It can be installed remotely on a PC and then records what gets typed on the keyboard.

So, you can see, conversations are not as secure as you might think.


Frankie’s Take:

If you intend to use WhatsApp from your PC, I would suggest downloading the official Desktop client. If you can’t, because the computer is not yours or it’s too old to support the software, only access WhatsApp Web from its official website: web.whatsapp.com. Also make sure you always have a good antivirus installed on your PC that detects and prevents new infections.
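
Checking for the official address means comparing the exact host, not looking for the name somewhere in the link. The function below is an added example (its name and the sample links are constructed, not from WhatsApp) showing a strict check and several look-alike forms it rejects.

```javascript
// Added illustration: strict check for the official WhatsApp Web address.
const OFFICIAL_HOST = 'web.whatsapp.com'; // the address given in the article

function checkWhatsAppWebUrl(input) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: 'not a valid URL' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'not HTTPS' };
  // Anything before "@" is login info, not the site: the real host comes after it.
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // URL() lower-cases the host and converts non-ASCII letters to "xn--" form,
  // so look-alike characters can no longer equal the official name.
  if (url.hostname !== OFFICIAL_HOST) return { ok: false, reason: `host is ${url.hostname}` };
  return { ok: true, reason: 'official host over HTTPS' };
}

// Constructed test inputs; example.net is a reserved documentation domain.
const samples = [
  'https://web.whatsapp.com/',
  'HTTPS://WEB.WHATSAPP.COM/',
  'http://web.whatsapp.com/',
  'https://web.whatsapp.com.example.net/',
  'https://web.whatsapp.com@example.net/',
  'https://web.whats\u0430pp.com/', // Cyrillic "а" in place of Latin "a"
];
for (const s of samples) console.log(checkWhatsAppWebUrl(s).ok, s);
```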

3. Sharing Your Personal Data

What information is WhatsApp collecting about you?

I have already explained that with end-to-end encryption, no one can read the content of your messages except for the two parties involved (or the members of a group).

However, there are certain pieces of information that are not encrypted that WhatsApp can share with Facebook or other companies in this same grouping (Instagram, Oculus, and more.)

I will give you a list of data that WhatsApp is authorized to collect that is not protected:

Information provided by the user:

  • Mobile phone number and numbers in your contact list
  • User connections such as favorite contacts, groups, and broadcasts

Automatically collected information:

  • Usage and access (log files, diagnostic reports, crash reports, website and performance)
  • Information regarding your device and connection, including: smartphone model, operating system, browser, IP, mobile network and device location.
  • Cookies – For more information about cookies and the information that they collect, you can check out the official section on the WhatsApp website: (https://www.whatsapp.com/legal/#cookies)
  • Your status information, including whether you are online, the last time you used the services, and the last time you updated your status.

Third party information:

  • User information given by others in your contact list, such as those that have your number in their phone book.
  • External parties, such as companies that distribute the app. In some cases, these parties provide WhatsApp with user information. They may divulge reports for diagnostics and troubleshooting.
  • Third party services – when WhatsApp services are used alongside other applications, WhatsApp may receive information about you from these services. An example might be when you use the WhatsApp share button in a news service or other app on your phone. This is also applicable to promotions from your mobile carrier or device vendor.

Frankie’s Take:

Most software collects user data in order to improve the experience of its services for its customers. With WhatsApp, the question is: is it OK that other services like Facebook and Instagram get my information just because they are part of the same company? It is up to you to decide whether the data collected by WhatsApp is valuable to you or not. If it is, stop using the app and switch to a different messaging service such as Telegram or Signal.

How to Make WhatsApp More Secure

Now that you have seen the pros and cons of encryption services and threats to your security, it is time for some valuable advice on making your account more secure.

1. Activate Security Notifications

If you don’t know what I’m talking about, allow me to explain. As I have already mentioned multiple times, messages that you share with your contacts are protected by an encryption key. This key is unique to you and your contact exclusively.

However, it may happen that the contact changes their mobile phone or installs WhatsApp again. In these situations, the encryption key changes. Keeping the security notifications active will send you an alert every time this key gets changed.

Activating the alerts is fairly simple:

  1. Open WhatsApp settings
  2. Tap Account > Security
  3. Now you can enable security notifications by tapping Show Security Notifications
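
How a client can notice the key change described above, as an added example that is not WhatsApp's code: it remembers a fingerprint of each contact's public key and reports when a different key shows up. The class, function and event names are hypothetical, and the scenario is constructed.

```javascript
// Added illustration: key-change detection (hypothetical names, not WhatsApp's code).
const crypto = require('node:crypto');

// Short, human-comparable fingerprint of a contact's public key.
function fingerprint(publicKey) {
  const raw = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(raw).digest('hex').slice(0, 16);
}

class ContactKeys {
  constructor() { this.known = new Map(); } // phone -> last seen fingerprint

  // Called whenever a contact's public key arrives; returns the event to report.
  observe(phone, publicKey) {
    const fp = fingerprint(publicKey);
    const previous = this.known.get(phone);
    this.known.set(phone, fp);
    if (previous === undefined) return { event: 'first-seen', fp };
    if (previous === fp) return { event: 'unchanged', fp };
    // A new phone or a reinstall looks exactly like this from the outside, and
    // so does any other key delivered in the contact's name: always surface it.
    return { event: 'key-changed', previous, fp };
  }
}

const newKey = () => crypto.generateKeyPairSync('x25519').publicKey;

// Constructed scenario: first contact, the same key again, then a reinstall.
const contacts = new ContactKeys();
const phone = '+1-555-0101'; // made-up number
const original = newKey();
const timeline = [
  contacts.observe(phone, original),
  contacts.observe(phone, original),
  contacts.observe(phone, newKey()),
].map((r) => r.event);
console.log(timeline);
```

The alert alone cannot say why the key changed, so confirming with the contact over another channel is what turns it into a useful check.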

2. Enable Two-Step Verification

Another step that you can take to make your WhatsApp account more secure is to enable two step verification.

Every time someone then tries to access your account from either a browser or mobile device that you do not normally use, they’re asked to enter a special access code or you are asked to confirm this access attempt.

The objective here is to prevent anyone accessing your WhatsApp account without your permission.

Activating it is simple.

Settings > Account > Two-Step Verification > Enable

Follow the steps that now pop up to create a 6-digit PIN code that you can easily remember. Most importantly, enter your email address so you can recover that code in case you forget it. You can find more information on enabling two step verification on WhatsApp with iPhones and Android phones in the guide I created.

3. Disable Cloud Backup

Still another approach that you can take is to disable the cloud backup of your conversations.

Warning: there are cons as well as pros to choosing this route. While it will protect your information from hackers that could read your conversations, it also prevents you from recovering or saving chats in case you change your phone or have to reinstall WhatsApp.

As I explained, WhatsApp backs up chats to Google Drive or your iCloud. This backup is unfortunately not protected by the end-to-end encryption used on the app. If somebody gets ahold of this information, they will have free access to all of your stored conversations.

If you are interested in disabling automatic cloud backups, proceed as follows:

Android: Settings > Chat > Chat Backup > Never

iPhone: Settings > Chat > Chat Backup > Auto Backup > Off

These are the three main measures that you can take to protect your WhatsApp account and make it more secure. You can find even more tips and tricks on boosting your security in a guide I wrote about protecting WhatsApp privacy on your iPhone and Android device. I suggest that you check it out.

FAQ

Many of you have had a lot of questions about the security of your WhatsApp or Messenger account.

I decided to pick some of these questions and answer them here based on their frequency.

QUESTION 1

What kind of personal content can I send through WhatsApp?

To have some peace of mind, you should never send any of your most sensitive information through WhatsApp. Any type of message you feel contains overly sensitive information, such as your bank account details, should not be sent on a messaging app like WhatsApp, but rather a more secure option such as Telegram or Signal.

QUESTION 2

How long are WhatsApp messages stored?

According to WhatsApp, once messages are delivered to the recipient, they are deleted from the server. This also applies to photos, videos, and other media that you send to contacts. As a rule of thumb, you should avoid sending content that is too personal.

QUESTION 3

Can a Hacker Spy on My WhatsApp Chats with Just My Phone Number?

No, they cannot. In order to access your WhatsApp account remotely and read your messages, a hacker must connect to your phone or access the backup to one of the cloud services. To do that, they need to know more information than just your number.

QUESTION 4

How Can I Tell if I Have Been Hacked?

You can check your mobile phone for spy applications fairly easily. I have written a detailed guide on the subject. I suggest you take a look for more information on how to find spyware on your phone.

Conclusion

I hope that I’ve now given you some insight and been helpful in protecting your WhatsApp account. I understand that at times it might have gotten lengthy, but I wanted to fully expand on the subject as much as possible.

Because I’ve given you a lot of information, I would like to take a moment to briefly recap what we’ve discussed before we officially say goodbye.

In the first chapter, I showed you how WhatsApp is secure through encryption. However, this service has its limitations. Chats are saved as backups and not encrypted. Even an inexperienced hacker with a little bit of time could access these without substantial trouble.

In the second chapter, I listed three security threats common to WhatsApp. These included:

  • Backups not being encrypted
  • WhatsApp Web being vulnerable to malware
  • WhatsApp sharing collected data with other platforms like Instagram or Facebook

Finally, the last part of this guide showed you how to make your WhatsApp account more secure.

That is pretty much all I have for now.

Come back soon and check on the blog. If you have any doubts or questions, do not hesitate to comment on the post below. I will get back to you as soon as possible.

Stay alert my friends.

With a hug,

PS – now that you know that WhatsApp is not fully secure, why not take a look at how to improve your privacy across the board? Check out my guide.

PS II – If you like movies, and are interested in this topic, I would suggest that you watch The Imitation Game. The movie came out in 2014, and chronicled the life of Alan Turing, as portrayed by the talented Benedict Cumberbatch.

About Frankie Caruso

Hello! I am Frankie Caruso and I love to fiddle with all of the popular messaging applications with the hacking techniques that I love. I want to find out how to breach the defenses of these apps and exploit weaknesses.