Upgrading WhatsApp Security


With more than two billion users, there’s a good chance you know a lot of people using WhatsApp, a free app for voice calls, video calls, and messaging. With some tweaks, you can make it much more secure for your conversations.

In WhatsApp, conversations are end-to-end encrypted, meaning that no one except the conversational participants can read the messages without permission from someone in the conversation. Its encryption is publicly viewable, allowing security specialists to look closely for potential holes. Likewise, because it’s so popular, you and your contacts may already have it on your devices. All of these features make WhatsApp a decent option for securing your conversations.

However, there are still some privacy and security tradeoffs to consider. WhatsApp is owned by Facebook, and it shares users’ phone numbers and analytics data with the company. It may therefore not be appropriate for journalists who are, say, talking to employees at Facebook or Facebook-owned companies about their work. Likewise, in response to a valid legal request, courts may compel Facebook to share data about your conversations. (Indeed, WhatsApp conversation records have been used in the prosecution of a Treasury Department whistleblower.) Finally, many of WhatsApp’s security features are not activated by default, and you’ll need to change some security settings to get the most out of the app.

So let’s talk about how to get WhatsApp, and how to make it as secure as possible for everyday use.

Getting started

When you first launch the app, it will ask you to accept its terms of use and privacy policy, and will ask you for contact and notification permissions. To grant permissions, iPhone users can click “OK” while Android users click “Continue.” Next, it will ask to verify your phone number.

iPhone users: Type your phone number and tap “Done.” To confirm the phone number is correct, click “Yes.” You will then receive an SMS text message with a six-digit confirmation code. Type the code in the app.

Android users: Type in your phone number and tap the green arrow to continue. To confirm the phone number is correct, click “OK.” You will then receive an SMS text message with a six-digit confirmation code. Type the code in the app. You can also give the app permission to automatically read the SMS code to verify your phone number.

Screenshot of a WhatsApp conversation, showing two people sharing their greetings.

From here, you can chat with your contacts who are also on WhatsApp. Click contacts, and find someone you want to chat with. (If you try to click on someone who is not on WhatsApp, you will have the option to invite them to download it.) Click “Send Message” to open a conversation. You can also click on any of the message, video call, or voice call icons.

Get fancy with privacy and security

Make sure cloud backups are off

iPhone users: Change your settings within WhatsApp and your iCloud settings to disable backups.

WhatsApp Settings > Chats > Chat Backup > Auto Backup > Off

Exit WhatsApp, then navigate to… iPhone Settings > [Your name] > iCloud > Storage > Manage Storage > WhatsApp > Disable

Android users: Menu (three dots) > Settings > Chats > Chat Backup > Back up to Google Drive > Never

Screenshot of “chat backup” settings.

If you have already backed up WhatsApp chats with iCloud or Google Drive, you can delete those too.

iPhone users: Exit WhatsApp > iOS Settings > [Your name] > iCloud > Storage > Manage Storage > WhatsApp Messenger > Edit > Delete All

Android users: Log in to https://drive.google.com. Click the gear icon at the top right corner and choose Settings > Managing Apps > scroll to WhatsApp Messenger. From here, go to Options > Delete data. You can also disconnect the app from Google Drive if you choose.

Important: Remember that anyone you chat with may also back up to the cloud, so if this is a concern for you, have them turn off chat backups as well.

When you take a picture with WhatsApp, your pictures are also stored in your phone’s camera roll. If you use cloud storage to back up images on your device, consider turning off backups outside of WhatsApp as well.

Just remember that when you turn off backups, you won’t be able to recover your conversations if you lose your phone. (That’s the point — no copies of your chats!)

Adjust your privacy settings

iPhone users: Settings > Account > Privacy
Android users: Menu icon (three dots) > Settings > Account > Privacy

Change the settings for the time you were last seen, your profile photo, and your status. If you choose, you can also change your audience to “Nobody,” but it will be more difficult for your friends to find you on the app.

Make messages automatically disappear

iPhone users: Open a conversation > Click your conversation partner’s name at the top of the screen > Disappearing Messages > On
Android users: Open a conversation > Menu icon (three dots) > View contact > Disappearing Messages > On

Messages will be deleted from all devices in the conversation after 7 days.

Something strange happen with your encryption? Get notified

Screenshot of the security settings page, with the “Show security notifications” settings toggle in the “enabled” position.

By default, WhatsApp does not tell you whether your conversational partner’s encryption keys changed. What does this mean? If the encryption key for a conversation changes, it could mean that your partner got a new phone or reinstalled the app, effectively changing how your messages will be encrypted to them moving forward. For more high-risk users, it could also mean that someone is deliberately messing with your encryption. You can have WhatsApp notify you when a key changes in your conversation:

iPhone users: Settings > Account > Security > Show Security Notifications
Android users: Menu (three dots) > Settings > Account > Security > Show Security Notifications

Note that the notification will let you know of a key change, but will not prevent your messages from being sent when your partner’s key changes.

Use session verification

Screenshot of a “Verify security code” settings screen, displaying a numeric code and QR code.

iPhone users: View your partner’s contact information by clicking their name at the top. Tap “Encryption.” This will bring up their security code.
Android users: Click the menu icon (three dots) > View contact > Encryption. This will bring up their security code.

If you and your conversational partner are seeing the same code, your session is secure. You should verify that your numbers match on a different channel — for example, over Twitter DMs, Google Meet, or an ordinary phone call.

If you’re meeting in person, one of you can tap “Scan code.” Scan their QR code with your camera to verify that your codes match.
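
To see why comparing codes works, and why a key change matters, here is an added example (not from the original article, and not WhatsApp’s own code): a simplified Python model of a Signal-style security code, in which the code is derived from both participants’ public identity keys. The keys, phone numbers, iteration count and function names are made-up assumptions for illustration.

```python
import hashlib
import hmac

ITERATIONS = 5200  # assumption: hashing rounds, as in Signal-style fingerprints

def numeric_fingerprint(identity_key: bytes, user_id: bytes) -> str:
    """Derive a 30-digit fingerprint from one party's public identity key."""
    digest = identity_key + user_id
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # First 30 bytes -> six 5-byte chunks -> five decimal digits each.
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)

def security_code(key_a: bytes, id_a: bytes, key_b: bytes, id_b: bytes) -> str:
    """60-digit code for a conversation; sorted so both phones show the same."""
    halves = sorted([numeric_fingerprint(key_a, id_a),
                     numeric_fingerprint(key_b, id_b)])
    return "".join(halves)

def display(code: str) -> str:
    """Group digits in fives, the way a code is read out over a phone call."""
    return " ".join(code[i:i + 5] for i in range(0, len(code), 5))

def codes_match(on_my_screen: str, read_to_me: str) -> bool:
    """Compare two codes, ignoring spacing, in constant time."""
    def digits(s: str) -> str:
        return "".join(ch for ch in s if ch in "0123456789")
    return hmac.compare_digest(digits(on_my_screen), digits(read_to_me))

# Constructed sample data: stand-ins for public identity keys and phone numbers.
ALICE_ID, BOB_ID = b"+15550100", b"+15550101"
ALICE_KEY = hashlib.sha256(b"alice identity key").digest()
BOB_KEY = hashlib.sha256(b"bob identity key").digest()
BOB_NEW_KEY = hashlib.sha256(b"bob key after reinstall").digest()

def demo() -> dict:
    alice_view = security_code(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    bob_view = security_code(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    after_change = security_code(ALICE_KEY, ALICE_ID, BOB_NEW_KEY, BOB_ID)
    return {
        "same_on_both_phones": codes_match(display(alice_view), bob_view),
        "still_valid_after_key_change": codes_match(alice_view, after_change),
    }

if __name__ == "__main__":
    print(demo())
```

In this model, a code you verified earlier stops matching as soon as either identity key changes, which is why a key-change notification is the cue to compare codes again.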

Enable two-step verification to protect your WhatsApp account

A screenshot of the WhatsApp two-step verification screen, prompting the user to enable a PIN to re-register for future registration of their WhatsApp account.

This PIN will help protect your account, but you’ll have to remember it or store it somewhere safe. This might be a physically hidden notebook, or password management software. To ensure you still remember it, WhatsApp will occasionally prompt you to re-enter your PIN.

iPhone users: Ensure your WhatsApp photos stay in WhatsApp, and not your camera roll

iPhone users: Settings > Chats > Save to Camera Roll > Disable

Security hygiene

iPhone users: Settings app > Face / Touch ID & Passcode
Android users (may be slightly different, depending on your Android version): Settings app > Security > Screen lock

Remember that strong encryption won’t help if your device or your partner’s device is compromised with malware. For example, some kinds of malware are designed to send screenshots of your messages to a remote hacker. The best defense is to simply install new software updates for WhatsApp and your device itself. These updates usually contain valuable security patches; get them as soon as possible.

If your phone is ever lost or stolen, thieves can copy and read data off the device, including your encrypted messages. Luckily it’s pretty easy to protect your device with disk encryption. If you use a modern password-protected iPhone, your device is already encrypted. Many Android devices are encrypted by default (e.g., the Pixel line), but Android users should ensure disk encryption is enabled within their settings.

You’re caught up!

Parts of this article are adapted from one of my related articles, Signal for Beginners.

Major thanks to Zeynep Tufekci for her thoughtful feedback on this article.

Writing about security for journalists, as well as beginners. Principal researcher at @freedomofpress. freedom.press/training