Upgrading WhatsApp Security

Image for post
Image for post

With over a billion users, there’s a good chance you have friends on WhatsApp, an easy-to-use mobile messenger. With some tweaks, you can make it much more secure for routine conversations.

WhatsApp offers free encrypted voice calls, video calls, and messaging. It uses data, which can help save money on phone and SMS message charges. With WhatsApp, conversations are end-to-end encrypted, meaning that no one except the conversational participants can read the messages. Its encryption is publicly viewable, allowing security specialists to look closely for potential holes. All of these features make WhatsApp a decent option for securing your conversations.

While WhatsApp’s encryption is strong, there are nonetheless privacy and security tradeoffs to consider. WhatsApp is owned by Facebook, and it shares users’ phone numbers and analytics data with the company. Many of its security features are not activated by default, and you’ll need to change some security settings to get the most out of the app. So let’s talk about how to get WhatsApp, and how to make it as secure as possible for everyday use.

Getting started

First, find WhatsApp for iPhone or Android here, or search for it in the App Store or Google Play store.

When you first launch the app, it will ask you to accept their terms of use and privacy policy, and will ask you for contact and notification permissions. To grant permissions, iPhone users can click “OK” while Android users click “Continue.” Next, it will ask to verify your phone number.

iPhone users: Type your phone number and tap “Done.” To confirm the phone number is correct, click “Yes.” You will then receive an SMS text message with a six-digit confirmation code. Type the code in the app.

Android users: Type in your phone number and tap the green arrow to continue. To confirm the phone number is correct, click “OK.” You will then receive an SMS text message with a six-digit confirmation code. Type the code in the app. You can also give the app permission to automatically read the SMS code to verify your phone number.

From here, you can chat with your contacts who are also on WhatsApp. Click contacts, and find someone you want to chat with. (If you try to click on someone who is not on WhatsApp, you will have the option to invite them to download it.) Click “Send Message” to open a conversation. You can also click on any of the message, video call, or voice call icons.

Get fancy with privacy and security

You can change some settings to better control your data.

Make sure cloud backups are off
WhatsApp allows you to make backups of your messages to the cloud. The problem is that they are not secured when sharing with the cloud provider, effectively undermining the main privacy advantage of the app. The good news is that you can turn this off.

iPhone users change settings in two places:
WhatsApp Settings > Chats > Chat Backup > Auto Backup > Off

Exit WhatsApp, then navigate to…
System Settings > iCloud > Storage > Manage Storage > WhatsApp > Backup

Android users: Menu (three dots) > Settings > Chats > Chat Backup > Back up to Google Drive > Never

If you have already backed up WhatsApp chats with iCloud or Google Drive, you can delete those too.

iPhone users: Exit WhatsApp > iOS Settings > iCloud > Storage > Manage Storage > WhatsApp Messenger > Edit > Delete All

Android users: Log in to https://drive.google.com. Click to the gear icon at the top right corner and choose Settings > Managing Apps > scroll to WhatsApp Messenger. From here, go to Options > Delete data. You can also disconnect the app from Google Drive if you choose.

Remember that anyone you chat with may also back up to the cloud, so if this is a concern for you, have them turn off chat backups as well.

When you take a picture with WhatsApp, your pictures are also stored in your phone’s camera roll. If you use cloud storage to back up images on your device, consider turning off backups outside of WhatsApp as well.

Just remember that when you turn off backups, you won’t be able to recover your conversations if you lose your phone. (That’s the point— no copies of your chats!)

Adjust your privacy settings
By default, anyone can see when you’ve last been online, your profile photo, and current status. Consider changing each setting to “My Contacts,” so only your contacts can see you. Here’s how you can change your privacy settings.

iPhone users: Settings > Account > Privacy
Android users: Menu icon (three dots) > Settings > Account > Privacy

Change the settings for the time you were last seen, your profile photo, and your status. If you choose, you can also change your audience to “Nobody,” but it will be more difficult for your friends to find you on the app.

Make messages automatically disappear
Normally when you send a message, it sticks around on WhatsApp indefinitely, and when someone deletes a message it is only deleted on their device. If you would prefer to delete aging messages in a conversation by default, there’s a way to do that.

iPhone users: Open a conversation > Click your conversation partner’s name at the top of the screen > Disappearing Messages > On
Android users: Open a conversation > Menu icon (three dots) > View contact > Disappearing Messages > On

Messages will be deleted from all devices in conversation after 7 days.

Something strange happen with your encryption? Get notified

By default, WhatsApp does not tell you whether your conversational partner’s encryption keys changed. What does this mean? If the encryption key for a conversation changes, it could mean that your partner got a new phone or reinstalled the app, effectively changing how your messages will be encrypted to them moving forward. For more high-risk users, such as an activist targeted by their government, it could also mean that someone is deliberately messing with your encryption. You can have WhatsApp notify you when a key changes in your conversation:

iPhone users: Settings > Account > Security > Show Security Notifications
Android users: Menu (Three dots) > Settings > Account > Security > Show Security Notifications

Note that the notification will let you know of a key change, but will not prevent your messages from being sent when your partner’s key changes.

Use session verification
For most messengers, there is no way to know that your message isn’t intercepted by a third party, but WhatsApp allows you to verify that your conversation is secure. Consider verifying your session when having sensitive conversations.

iPhone users: Click on your partner’s name at the top of the screen to get to their contact information. Tap “Encryption.” This will bring up their security code.
Android users: Click the menu icon (three dots) > View contact > Encryption. This will bring up their security code.

If you and your conversational partner are seeing the same code, your session is secure. You should verify that your numbers match on a different channel — for example, over Twitter DMs, Google Hangouts, or an ordinary phone call.

If you’re hanging out in person with someone, one of you can tap “Scan code.” Scan their QR code with your camera to verify that your codes match.

Security hygiene

Perhaps it goes without saying, but encryption won’t help with someone who has physical access to your unlocked phone. If you haven’t done so, password protect your device. Exit WhatsApp and turn on your passcode.

iPhone users: Settings app > Face / Touch ID & Passcode
Android users: Settings app > Security > Screen lock

Remember that strong encryption won’t help if your device or your partner’s device is compromised with malware. For example, some kinds of malware are designed to send screenshots of your messages to a remote hacker. The best defense is to simply install new software updates for WhatsApp and your device itself. These updates usually contain valuable security patches; get them as soon as possible.

If your phone is ever lost or stolen, thieves can copy and read data off the device, including your encrypted messages. Luckily it’s pretty easy to protect your device with disk encryption. If you use a modern password-protected iPhone, your device is already encrypted. A few Android devices are encrypted by default (the Pixel and some phones in the Nexus line). Android users can enable disk encryption in minutes.

You’re caught up!

If you’re interested in learning more about secure messaging software, check out Signal and read Signal for Beginners. To learn more about differences between Signal and WhatsApp for security, read this article by Micah Lee. And to learn more about digital security more broadly, get started with Securing Your Digital Life Like a Normal Person. For more advanced users concerned about targeted surveillance, check out Operational WhatsApp. Feel free to reach out with thoughts or suggestions.

Parts of this article are adapted from one of my related articles, Signal for Beginners.

Major thanks to Zeynep Tufekci for her thoughtful feedback on this article.

Written by

Writing about security for journalists, as well as beginners. Principal researcher at @freedomofpress. freedom.press/training

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store