Upgrading WhatsApp Security
With more than 2 billion users, there’s a good chance you know a lot of people using WhatsApp, a free app for voice calls, video calls and messaging. With some tweaks, you can make it much more secure for your conversations.
In WhatsApp, conversations are end-to-end encrypted, meaning that no one except the conversational participants can read the messages without permission from someone in the conversation. Its encryption is publicly viewable, allowing security specialists to look closely for potential holes. Likewise, because it’s so popular, you and your contacts may already have it on your devices. All of these features make WhatsApp a decent option for securing your conversations.
However, there are still some privacy and security tradeoffs to consider. WhatsApp is owned by Meta, formerly known as Facebook, and it shares users’ phone numbers and analytics data with the company. It may therefore not be appropriate for journalists who are, say, talking to employees at Meta or Facebook-owned companies about their work. Likewise, responsive to a valid legal request, courts may compel Meta to share data about your conversations. (Indeed, WhatsApp conversation records have been used in the prosecution of a Treasury Department whistleblower.) Finally, many of WhatsApp’s security features are not activated by default, and you’ll need to change some security settings to get the most out of the app.
There are ways to make WhatsApp as secure as possible for everyday use.
Getting started
First, find WhatsApp for iPhone here, or search for it in the App Store or Google Play store.
When you first launch the app, it will ask you to accept their terms of use and privacy policy, and will ask you for contact and notification permissions. To grant permissions, iPhone users can press “OK” while Android users press “Continue.” Next, it will ask to verify your phone number.
iPhone users: Type your phone number and tap “Done.” To confirm the phone number is correct, press “Yes.” You will then receive an SMS text message with a 6-digit confirmation code. Type the code in the app.
Android users: Type in your phone number and tap the green arrow to continue. To confirm the phone number is correct, press “OK.” You will then receive an SMS text message with a 6-digit confirmation code. Type the code in the app. You can also give the app permission to automatically read the SMS code to verify your phone number.
From here, you can chat with your contacts who are also on WhatsApp. Press contacts, and find someone you want to chat with. (If you try to press on someone who is not on WhatsApp, you will have the option to invite them to download it.) Press “Send Message” to open a conversation. You can also press on any of the message, video call or voice call icons.
Get fancy with privacy and security
You can change some settings to better control your data.
Make sure cloud backups are off
WhatsApp allows you to make backups of your messages to the cloud. The problem is that they are not secured when sharing with the cloud provider, which really undermines the main privacy advantage of the app. The good news is that you can turn this off.
iPhone users: Change your settings within WhatsApp and your iCloud settings to disable backups.
WhatsApp Settings > Chats > Chat Backup > Auto Backup > Off
Exit WhatsApp, then navigate to…
iPhone Settings > [Your name] > iCloud > Storage > Manage Storage > WhatsApp > Disable
Android users: Menu (three dots) > Settings > Chats > Chat Backup > Back up to Google Drive > Never
If you have already backed up WhatsApp chats with iCloud or Google Drive, you can delete those too.
iPhone users: Exit WhatsApp > iOS Settings > [Your name] > iCloud > Storage > Manage Storage > WhatsApp Messenger > Edit > Delete All
Android users: Log in to https://drive.google.com through a browser on your computer. Press to the gear icon at the top right corner and choose Settings > Managing Apps > scroll to WhatsApp Messenger. From here, go to Options > Delete data. You can also disconnect the app from Google Drive if you choose.
Important: Remember that anyone you chat with may also back up to the cloud, so if this is a concern for you, have them turn off chat backups as well.
When you take a picture with WhatsApp, your pictures are also stored in your phone’s camera roll. If you use cloud storage to back up images on your device, consider turning off backups outside of WhatsApp as well.
Just remember that when you turn off backups, you won’t be able to recover your conversations if you lose your phone. That’s the point — no copies of your chats!
If you really need backups, consider using WhatsApp’s end-to-end encrypted backups (which can be accessed from the same menu described above). With end-to-end encrypted backups, no one, including WhatsApp, can read your backed up messages. If you choose to enable this feature, WhatsApp will ask you to secure these backups with a password or a 64-digit encryption key, which will appear to be a long, random set of numbers and letters. Whichever you choose, keep a copy of your password or key somewhere safe, such as a password manager or a physical note in a secure location, because your backups cannot be recovered without this information. To access these backups, you will need to have this password or encryption key in the future.
Adjust your privacy settings
By default, anyone can see when you’ve last been online, your profile photo, and current status. Consider changing each setting to “My Contacts,” so only your contacts can see you. Here’s how you can change your privacy settings.
iPhone users: Settings > Account > Privacy
Android users: Menu icon (three dots) > Settings > Account > Privacy
Change the settings for the time you were last seen, your profile photo, and your status. If you choose, you can also change your audience to “Nobody,” but it will be more difficult for your friends to find you on the app.
Make messages automatically disappear
Normally when you send a message, it sticks around on WhatsApp indefinitely, and when someone deletes a message it is only deleted on their device. If you would prefer to delete aging messages in a conversation by default, there’s a way to do that.
iPhone users: Open a conversation > Click your conversation partner’s name at the top of the screen > Disappearing Messages
Android users: Open a conversation > Menu icon (three dots) > View contact > Disappearing Messages
Choose how long you would like your messages to appear on the device. From this screen you can also enable the message timer to be enabled by default.
Something strange happen with your encryption? Get notified
By default, WhatsApp does not tell you whether your conversational partner’s encryption keys changed. What does this mean? If the encryption key for a conversation changes, it could mean that your partner got a new phone or reinstalled the app, effectively changing how your messages will be encrypted to them moving forward. For more high-risk users, it could also mean that someone is deliberately messing with your encryption. You can have WhatsApp notify you when a key changes in your conversation:
iPhone users: Settings > Account > Security > Show Security Notifications Android users: Menu (Three dots) > Settings > Account > Security > Show Security Notifications
Note that the notification will let you know of a key change, but will not prevent your messages from being sent when your partner’s key changes.
Use session verification
For most messengers, there is no way to know that your message isn’t intercepted by a third party, but WhatsApp allows you to verify that your conversation is secure. Consider verifying your session when having sensitive conversations.
iPhone users: View your partner’s contact information by clicking their name at the top. Tap “Encryption.” This will bring up their security code. Android users: Click the menu icon (three dots) > View contact > Encryption. This will bring up their security code.
If you and your conversational partner are seeing the same code, your session is secure. You should verify that your numbers match on a different channel — for example, over Twitter DMs, Google Meet, or an ordinary phone call.
If you’re meeting in person, one of you can tap “Scan code.” Scan their QR code with your camera to verify that your codes match.
Enable two-step verification to protect your WhatsApp account
When you set up WhatsApp, you likely registered your account with your phone number. But if you ever lose access to this number (e.g., when switching to a new phone service), whoever controls your phone number can register your number on WhatsApp. Why’s this a problem? If someone else registers your WhatsApp number, now it’s their number and you’ll lose access. To ensure no one else can re-register the account, you can require future registrations to require a PIN code. This is sometimes called two-step verification. iPhone users: Settings > Account > Two-step verification Android users: Settings > Account > Two-step verification
This PIN will help protect your account, but you’ll have to remember it or store it somewhere safe. This might be a physically hidden notebook, or password management software. To ensure you still remember it, WhatsApp will occasionally prompt you to re-enter your PIN.
iPhone users: Ensure your WhatsApp photos stay in WhatsApp, and not your camera roll
When you take a photo or save an image to your smartphone, it’s normally saved to your phone’s camera roll. This also allows apps to access your photo gallery. Chances are, your default photo app is tightly integrated in the operating system, such as the Google Photos app on Android, or the Photos app on iPhones. These apps are designed to allow you to easily back up photos in cloud tools, such as Google Drive or iCloud, which can be convenient if you want access to photos across all of your devices. But what if you don’t want your WhatsApp photos to be accessible to apps beyond WhatsApp? And what if you don’t want backups?
iPhone users: Settings > Chats > Save to Camera Roll > Disable
Security hygiene
Perhaps it goes without saying, but encryption won’t help with someone who has physical access to your unlocked phone. If you haven’t done so, password protect your device. Exit WhatsApp and turn on your passcode.
iPhone users: Settings app > Face / Touch ID & Passcode
Android users (may be slightly different, depending on your Android version): Settings app > Security > Screen lock
Remember that strong encryption won’t help if your device or your partner’s device is compromised with malware. For example, some kinds of malware are designed to send screenshots of your messages to a remote hacker. The best defense is to simply install new software updates for WhatsApp and your device itself. These updates usually contain valuable security patches; get them as soon as possible.
If your phone is ever lost or stolen, thieves can copy and read data off the device, including your encrypted messages. Luckily it’s pretty easy to protect your device with disk encryption. If you use a modern password-protected iPhone, your device is already encrypted. Many Android devices are encrypted by default (e.g., the Pixel line), but Android users should ensure disk encryption is enabled within their settings.
You’re caught up!
If you’re interested in learning more about secure messaging software, check out Signal and read about Signal for beginners. And to learn more about digital security more broadly, get started with securing your digital life like a normal person.
Parts of this article are adapted from one of my related articles, Signal for Beginners.
Major thanks to Zeynep Tufekci for her thoughtful feedback on this article.