WhatsApp is arguably the most popular voice and messaging app today, sending over 100 billion messages daily. It claims to be a secure messaging app that encrypts your conversations. However, WhatsApp is owned by Meta, Facebook’s parent company. So, can it really be private and secure?
This post examines WhatsApp in depth to determine whether it is private and secure and whether you should trust it with your communications.
Overview
WhatsApp was created in 2009 by two former Yahoo! employees, Brian Acton and Jan Koum. The app was originally designed to display users’ statuses in smartphones’ contacts menus but integrated a messaging component later that year.
In 2012, WhatsApp began encrypting messages in transit (without disclosing the protocol used), added voice messages in 2013, and launched voice calling in 2015. By 2013, its user base had grown to 200 million active users.
In 2014, Facebook Inc. (now Meta) acquired WhatsApp. Integration of the Signal protocol began later that year, and end-to-end encryption was completed across all platforms and message types in April 2016. Today, one-to-one chats, group chats, voice and video calls, communities, and broadcasts are all end-to-end encrypted.
So the app's security rests on the Signal protocol. Let's take a quick look at how it works.
The Signal protocol
The Signal protocol is an end-to-end encryption protocol for instant messaging and voice applications. It was developed by Open Whisper Systems and first shipped in 2013 in TextSecure, the open-source app that later became Signal. As mentioned above, its rollout in WhatsApp began in late 2014.
Now, let’s get a bit technical…
To provide end-to-end encryption (E2EE), the Signal protocol combines an Extended Triple Diffie–Hellman (X3DH) handshake, which uses prekeys published in advance so that a session can be set up even while the other party is offline, with the Double Ratchet algorithm, which derives a fresh key for every message so that a compromised key does not expose earlier messages (forward secrecy) and the session heals after a compromise. Its primitives are Curve25519, AES-256, and HMAC-SHA256. If the above is over your head (and I wouldn't blame you), the lowdown is that the Signal protocol is openly specified, has been analyzed extensively by academic cryptographers, and is the benchmark other messaging protocols are measured against.
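As an added illustration of the Double Ratchet's per-message keys (this is example code written for this page, not code from WhatsApp, Signal, or the original post), the block below implements the symmetric-key half of the ratchet in Python, following the KDF chain the Double Ratchet specification recommends: message key = HMAC-SHA256(chain key, 0x01), next chain key = HMAC-SHA256(chain key, 0x02). It assumes a shared 32-byte chain key already exists; in the real protocol that comes from X3DH and is periodically replaced by the Curve25519 DH ratchet, which is omitted here because it needs a library outside the standard library. For the same reason an HMAC-based keystream stands in for AES-256. The root key, message texts and delivery order are constructed.

```python
import hashlib
import hmac
import secrets


def kdf_ck(chain_key):
    """One symmetric-ratchet step, as recommended in the Double Ratchet spec:
    message key = HMAC-SHA256(ck, 0x01), next chain key = HMAC-SHA256(ck, 0x02).
    Returns (next_chain_key, message_key); the caller discards the old chain key."""
    return (hmac.new(chain_key, b"\x02", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x01", hashlib.sha256).digest())


def _keystream(enc_key, counter, length):
    # HMAC-SHA256 in counter mode stands in for AES-256, which the standard library lacks.
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, counter.to_bytes(4, "big") + i.to_bytes(4, "big"),
                             hashlib.sha256).digest() for i in range(blocks))[:length]


def _subkeys(message_key):
    return (hmac.new(message_key, b"enc", hashlib.sha256).digest(),
            hmac.new(message_key, b"mac", hashlib.sha256).digest())


def seal(message_key, counter, plaintext):
    """Encrypt-then-MAC under a single-use message key.
    Wire format: 4-byte counter || ciphertext || 32-byte HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(message_key)
    header = counter.to_bytes(4, "big")
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, counter, len(plaintext))))
    return header + ciphertext + hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()


def unseal(message_key, blob):
    """Verify the tag before touching the ciphertext; raise on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(message_key)
    header, ciphertext, tag = blob[:4], blob[4:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    counter = int.from_bytes(header, "big")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, counter, len(ciphertext))))


class SendingChain:
    def __init__(self, chain_key):
        self.ck, self.n = chain_key, 0

    def encrypt(self, plaintext):
        self.ck, mk = kdf_ck(self.ck)          # ratchet forward; the previous ck is gone
        self.n += 1
        return seal(mk, self.n - 1, plaintext)


class ReceivingChain:
    def __init__(self, chain_key):
        self.ck, self.n = chain_key, 0
        self.skipped = {}                       # counter -> message key, for out-of-order arrival

    def decrypt(self, blob):
        n = int.from_bytes(blob[:4], "big")
        if n in self.skipped:
            mk = self.skipped.pop(n)            # single use: the key is deleted once consumed
        elif n < self.n:
            raise ValueError(f"key for message {n} already deleted (replay or stale delivery)")
        else:
            while self.n < n:                   # park keys for messages that have not arrived yet
                self.ck, self.skipped[self.n] = kdf_ck(self.ck)
                self.n += 1
            self.ck, mk = kdf_ck(self.ck)
            self.n += 1
        return unseal(mk, blob)


def attacker_decrypt(stolen_ck, stolen_at, blob):
    """An attacker who took the chain key just before message `stolen_at` can ratchet
    forward to any later message but cannot go back: HMAC-SHA256 is one-way."""
    n = int.from_bytes(blob[:4], "big")
    if n < stolen_at:
        raise ValueError(f"message {n} predates the stolen chain key; no key is derivable")
    ck = stolen_ck
    for _ in range(n - stolen_at):
        ck, _ = kdf_ck(ck)
    return unseal(kdf_ck(ck)[1], blob)


def demo():
    # Constructed shared root. In the real protocol it comes from X3DH and is replaced by
    # the Curve25519 DH ratchet, which is what lets a session recover after a compromise.
    root = secrets.token_bytes(32)
    alice, bob = SendingChain(root), ReceivingChain(root)
    sent = [alice.encrypt(m) for m in (b"first", b"second", b"third")]
    stolen_ck, stolen_at = alice.ck, alice.n       # phone compromised after three messages
    sent.append(alice.encrypt(b"fourth"))
    received = [bob.decrypt(sent[i]) for i in (0, 2, 1, 3)]   # third arrives before second
    return received, attacker_decrypt(stolen_ck, stolen_at, sent[3])
```

Running `demo()` shows three things the paragraph states in words: both sides derive identical per-message keys from one chain, a message that arrives early leaves a parked key behind for the late one (and a replayed message is rejected because its key was deleted), and a chain key stolen after message three reads message four but yields nothing for messages one to three.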
However, unlike the Signal app, which is engineered to retain as little metadata as it can, WhatsApp keeps message metadata on its servers. End-to-end encryption protects only the message content, so WhatsApp still collects things like your account name, IP address, who you talk to, and message timestamps, data that can be (and is) correlated with your Facebook data.
We’ll explore WhatsApp’s security further, providing an overview of its features and tips for a more secure experience. But first, let’s compare WhatsApp to other popular, secure messaging apps.
WhatsApp vs. Telegram vs. Signal
All three offer E2EE in some form, but are they equal?
Telegram
Telegram is a secure messaging app that I can recommend. However, it comes with two sizable caveats:
- E2EE isn't enabled by default. Regular chats and all group chats are encrypted only between you and Telegram's servers; to get end-to-end encryption you have to start a Secret Chat manually, and secret chats are available only for one-to-one conversations.
- Telegram uses its own protocol, MTProto, rather than an established one. Independent analysis of it has been limited compared with the Signal protocol, and while no practical break is public, you just have to cross your fingers that there are no exploitable vulnerabilities as time goes by.
WhatsApp has the better encryption scheme (the Signal protocol), even though it collects more data than Telegram and correlates it with your Facebook data.
WhatsApp
Contrary to Telegram, WhatsApp encrypts every chat end to end by default. There are no hoops to jump through for encrypted communications. However, as noted above, your messages' metadata is not protected: WhatsApp collects who you talk to, message timestamps, and IP addresses, and it shares and correlates that data with your Facebook data.
WhatsApp also uses the Signal protocol for its encryption, which is open-source and widely regarded as the strongest messaging encryption protocol available. So on the encryption front, WhatsApp does better than Telegram.
One thing to be aware of: when a contact's phone is off or offline and the contact re-registers (a new phone, a reinstall, or a restored account), WhatsApp's servers hand out a new identity key for that number, and your app automatically re-encrypts any messages still queued for delivery to the new key and resends them. Unless you have enabled security notifications (see below), this happens silently. It is convenient when someone switches phones, but it means the key distribution server has to be trusted: a server that substituted a key it controlled for a recipient's would receive re-encrypted copies of the queued messages. Note also that regular chat backups to iCloud or Google Drive are not covered by end-to-end encryption unless you enable end-to-end encrypted backups. Telegram's secret chats, by contrast, are bound to the device that created them, so they cannot follow you to a new phone at all.
Signal
Signal is the clear winner of the encrypted communications contest. Its open-source protocol (the Signal protocol) end-to-end encrypts all messages, voice and video calls, attachments, and stickers, with no opt-in required.
Signal also keeps data collection to an absolute minimum, collecting only what's necessary to provide its service. Because Signal only supports encrypted chats, nothing but ciphertext ever passes through its servers, so even Signal itself cannot read your conversations.
One-to-one chats
One-to-one chats, between you and a single recipient, are the default chat type in every messaging app, and in WhatsApp they are end-to-end encrypted by default. That means the contents of your messages (and your recipient's replies) can be read only by you and your intended recipient. Not even WhatsApp can access them (in principle; the key renegotiation caveat above still applies).
However, WhatsApp will know whom you messaged and when (and therefore how often), as well as your IP address, which gives WhatsApp your approximate location even if location services are disabled on your device.
How to start a one-to-one chat:
- Click the Chat icon at the bottom right of the UI. The Chat menu is displayed.
- Click the + sign at the top right of the UI. The New Chat page is displayed.
- Select the contact you want to message. The Chat window is displayed.
- Send messages.
Group chats
Group chats are just that: chats among multiple people in a group. They are many-to-many: every message is visible to the whole group, and any member can reply to any message, with replies equally visible to the whole group. Groups can have up to 1,024 participants.
Group chats, like one-to-one chats, are end-to-end encrypted; only group members can read the messages, and WhatsApp cannot. As with one-to-one chats, metadata is not encrypted and is collected by WhatsApp, so the company gets the group name, the members' names and phone numbers, their IP addresses, and thus their approximate locations.
Also, each member's phone number is visible to every other member of the group, whether or not they have each other in their contacts.
How to start a group chat:
- Click the Chat icon at the bottom right of the UI. The Chat menu is displayed.
- Click the + sign at the top right of the UI. The New Chat page is displayed.
- Select New Group. You’re prompted to select group members.
- Select the contacts you want to add to the group and click Next at the top right of the UI. You’re prompted to enter a group name.
- Enter a name for your group and click Create at the top right of the UI.
- The Group Chat window is displayed, and you can start messaging group members.
Communities
Communities are groups of groups. You can add multiple groups to a community; the members of those groups become community members and can talk to each other within the groups they belong to. To chat with members of another group in the community, they simply join that group.
A community can have up to 50 groups and 5,000 members, plus an Announcements group that is created by default. Only admins (typically the community's creator and any members they have made admins) can post announcements, and every community member receives them.
As with one-to-one and group chats, messages sent within a community are end-to-end encrypted, with the same unencrypted metadata collected by WhatsApp.
How to create a community:
- Click the Chat icon at the bottom right of the UI. The Chat menu is displayed.
- Select New Community. The Create a new community page is displayed.
- Click Get Started. You’re prompted to name your new community. Enter a name and click Create Community.
- Your community has been created. The Announcements group is displayed at the top.
- Click + Add Group. You’re prompted to either create a new group or add an existing group. Select Add Existing Group. We will add the group we created previously.
- Your existing groups are displayed, and you're prompted to select groups to add to the community. I will select Group 1 (your group's name may differ). Once selected, click Add at the top right of the UI.
- The group has been added to the community, which now displays both the Announcements group and Group 1.
Community members can switch between groups using the Groups toggle at the top right of the UI.
Broadcasts
While group chats are many-to-many, broadcasts are one-to-many: a message goes to many recipients at once. Each recipient can reply to you but not to the other recipients, and recipients don't even know who else (if anyone) is on the list. In that respect broadcasts resemble the Announcements group that is created with a community, and they serve a similar purpose. The difference is that a broadcast goes to individual users you select, regardless of any group or community membership, and it is delivered only to recipients who have your number saved in their contacts.
Again, these messages are end-to-end encrypted, excluding the metadata, which is unencrypted and collected by WhatsApp.
How to create a broadcast:
- Click the Chat icon at the bottom right of the UI. The Chat menu is displayed.
- Click the + sign at the top right of the UI. The New Chat page is displayed.
- Select New Broadcast. You’re prompted to select recipients for your broadcast.
- Select the users you want as recipients for your broadcast and click Create at the top right of the UI.
- The broadcast chat page is displayed, and you can broadcast whatever you like to your recipients.
Tips and tricks for a more secure WhatsApp experience
Now, let’s look at a few things we can do to “harden” WhatsApp and make it a bit more private and secure than it is with its default settings.
Security notifications
Every WhatsApp chat has a security code, a 60-digit number derived from your identity key and your contact's. Security codes are like fingerprints: each one is unique to a pair of contacts and should not change under normal circumstances. If the security code for one of your contacts changes, it could mean that someone is interposing on your communications and you may not be talking to who you think you are.
The most common reason a contact's security code changes is that they got a new phone or reinstalled WhatsApp, but enabling security notifications is still good security advice. A notification lets you hold off sharing sensitive information with that contact until you have confirmed the reason for the change with them outside of WhatsApp (ideally in person, by comparing the code or scanning its QR code on each other's screens).
How to enable security notifications:
- Click the Settings icon at the bottom right of the UI. The Settings menu is displayed.
- Select Account.
- Select Security Notifications. The Security Notifications page is displayed.
- Enable the Show Security Notifications on This Phone toggle. Security notifications are now enabled on your device, and you'll be notified whenever a contact's security code changes. Note that WhatsApp still sends your messages after a change; the notification is a prompt to verify, not a block.
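The key-change behavior described in the Telegram/WhatsApp comparison and the security code this section tells you to watch can be seen together in the following Python simulation, added here as an example (it is not WhatsApp's or Signal's code). It models a server-side key directory, a client that caches the first key it sees for each contact, and three policies for what happens when the directory serves a different key: silent re-keying (WhatsApp's default), re-keying with an alert (WhatsApp with security notifications on), and holding messages until the user accepts the new key (how the Signal app behaves). The 60-digit code follows libsignal's published numeric-fingerprint construction; that WhatsApp uses the same version byte and iteration count is an assumption, as are the phone numbers, the message texts, and the random 32-byte stand-ins for Curve25519 identity keys.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

FINGERPRINT_VERSION = (0).to_bytes(2, "big")  # libsignal's fingerprint version
ITERATIONS = 5200                             # libsignal's default; assumed for WhatsApp


def fingerprint_half(identity_key, identifier):
    """30 decimal digits for one party, following libsignal's numeric fingerprint:
    iterated SHA-512 over (version || key || identifier), then six 5-byte chunks mod 100000."""
    h = hashlib.sha512(FINGERPRINT_VERSION + identity_key + identifier.encode()).digest()
    for _ in range(ITERATIONS - 1):
        h = hashlib.sha512(h + identity_key).digest()
    return "".join(f"{int.from_bytes(h[i:i + 5], 'big') % 100000:05d}" for i in range(0, 30, 5))


def security_code(my_key, my_id, their_key, their_id):
    """The 60-digit code both phones display; sorted so both sides compute the same string."""
    return "".join(sorted([fingerprint_half(my_key, my_id), fingerprint_half(their_key, their_id)]))


@dataclass
class KeyDirectory:
    """Identity-key lookup run by the service; WhatsApp's servers play this role."""
    keys: dict = field(default_factory=dict)

    def register(self, phone, identity_key):
        self.keys[phone] = identity_key         # a re-registration simply overwrites the key

    def lookup(self, phone):
        return self.keys[phone]


@dataclass
class Client:
    phone: str
    directory: KeyDirectory
    policy: str = "silent"   # "silent": WhatsApp default; "notify": security notifications on;
                             # "block": hold messages until the user accepts the new key (Signal app)
    trusted: dict = field(default_factory=dict)   # trust-on-first-use cache: phone -> identity key
    pending: list = field(default_factory=list)   # (peer, key used, text) not yet delivered
    alerts: list = field(default_factory=list)

    def check_key(self, peer):
        """Refresh the peer's key from the directory; return True if sending may proceed."""
        current = self.directory.lookup(peer)
        cached = self.trusted.get(peer)
        if cached is None:
            self.trusted[peer] = current        # first contact: nothing to compare against
            return True
        if cached == current:
            return True
        if self.policy != "silent":
            self.alerts.append(f"security code with {peer} changed")
        if self.policy == "block":
            return False
        self.trusted[peer] = current
        # queued messages are re-encrypted to whatever key the directory now serves
        self.pending = [(p, current if p == peer else k, t) for p, k, t in self.pending]
        return True

    def send(self, peer, text):
        if not self.check_key(peer):
            return "held"
        self.pending.append((peer, self.trusted[peer], text))
        return "sent"


def scenario(policy):
    """Alice messages Bob while his phone is off; then a new key appears for his number."""
    directory = KeyDirectory()
    alice_key, bob_key, bob_new_key = (secrets.token_bytes(32) for _ in range(3))  # Curve25519 stand-ins
    directory.register("+15550001", alice_key)        # constructed numbers
    directory.register("+15550002", bob_key)
    alice = Client("+15550001", directory, policy)
    first = alice.send("+15550002", "hi, are you around?")
    directory.register("+15550002", bob_new_key)      # Bob re-registered, or the directory lies
    second = alice.send("+15550002", "the account number is 1234")
    return {
        "results": (first, second),
        "alerts": list(alice.alerts),
        "keys_used": [k for _, k, _ in alice.pending],
        "original_key": bob_key,
        "new_key": bob_new_key,
        # what Alice's phone now displays versus what Bob's original phone displays
        "alice_code": security_code(alice_key, "+15550001", directory.lookup("+15550002"), "+15550002"),
        "bob_code": security_code(bob_key, "+15550002", alice_key, "+15550001"),
    }
```

Under the silent policy both the queued message and the new one end up encrypted to the new key with no alert at all; with notifications on, the same thing happens but the user is told; only the blocking policy keeps the second message on the phone. The client cannot tell a genuine new phone from a substituted key, because both look identical from the directory. What does differ is the security code: the one Alice's phone now shows no longer matches the one on Bob's original handset, and comparing the two out of band is the only check that separates the two cases.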
Two-step verification
In this context, two-step verification isn't a one-time code you enter every time you use WhatsApp. It protects the registration of your phone number: whenever your number is registered on a new phone or an additional device (and periodically, as a reminder), WhatsApp asks for the PIN you set up here. Without it, someone who obtains the SMS verification code for your number, for example through a SIM swap, cannot take over your account.
To set up two-step verification:
- Click the Settings icon at the bottom right of the UI. The Settings menu is displayed. Select Account.
- Select Two-Step Verification. The Two-Step Verification page is displayed.
- Click Turn On. You’re prompted to enter a six-digit PIN.
- Enter a PIN. You’re prompted to confirm your PIN.
- Confirm your PIN and click Next at the top right of the UI.
- You're prompted to enter an email address for resetting your PIN if you forget it. This is optional; you can click Skip to skip this step. If you do add one, remember that whoever controls that mailbox can reset your PIN, so it should be an account with strong authentication of its own.
- After entering your email or skipping the step, two-step verification is enabled.
Privacy settings
WhatsApp also has basic privacy settings that control things like which WhatsApp users can see your profile photo, last seen, and status, who can add you to groups, your blocked contacts, and read receipts, among other things.
To access and configure privacy settings:
- Click the Settings icon at the bottom right of the UI. The Settings menu is displayed.
- Select Privacy. The Privacy page is displayed.
- You can customize your privacy settings from here.
Do I recommend WhatsApp?
Yes, I do. But that doesn’t mean I believe it to be the best secure messaging app available. Despite both apps using the Signal encryption protocol, Signal does better than WhatsApp on privacy and security.
WhatsApp also collects more data than the other secure messengers (Signal and Telegram) and shares that data with Facebook. Being owned by Facebook's parent company, Meta, isn't going to win WhatsApp any privacy awards.
WhatsApp still uses the best messaging encryption protocol available, and the contents of your messages are off-limits, even to WhatsApp. It is also far more secure than plain SMS, so you should definitely favor WhatsApp over that.
So, is WhatsApp the be-all-end-all of encrypted messaging? No. Should you still use it? Yes, in a heartbeat. WhatsApp will give you an excellent messaging experience and protect your data (to an extent). And to that extent, it’s recommended.