How to make your WhatsApp even more private and secure

Bob covello
Bob Covello
@
@BobCovello

How to make your WhatsApp privacy stronger

The hugely popular messaging platform WhatsApp made big news in the security community when they announced earlier this month that they were now providing end-to-end encryption for all of their one billion plus members.

This is an incredibly positive development for privacy advocates. The best part about this new feature is that WhatsApp users did not have to do anything in order to take advantage of this new feature. It is rare that security improvements are this easy.

Even though one need not do anything to take advantage of WhatsApp’s new end-to-end encryption, there is a way to make your WhatsApp conversations even more secure when chatting with folks you know personally.

Sign up to our free newsletter.
Security news, advice, and tips.

WhatsAppThe problem is this. When exchanging private communications with someone, you can never be 100% certain that the person on the other end of that communication is who they purport to be.

The “last mile” that ensures that you are communicating with the person whom you think you are communicating with requires that you meet that person face-to-face. This is true of all encryption mechanisms.

The first setting that you should enable, therefore, is the one that notifies you if a WhatsApp friend changes their device.

Why would you care about such a setting? Well, because if someone removes the SIM card from your friend’s phone and uses it in another device, they could impersonate your friend on WhatsApp. Enabling a setting in WhatsApp will give you notice that you may be communicating with an imposter.

The way to protect yourself is to go to the “Settings” icon at the bottom right of your WhatsApp screen, open up the Account settings area, and turn on the “Show Security Notifications” setting.

Whatsapp settings

But wait, there’s more!

The next time you are face-to-face with your WhatsApp friend, and you want to increase your WhatsApp security even more, here are the simple steps to do so.

First, make sure that WhatsApp has access to your camera. You may have already allowed this when you installed WhatsApp, but if you did not, it is an easy setting in your Applications area of your phone.

Next, open a conversation with your friend in WhatsApp and then select the person’s name at the top of the conversation. This will open the contact window for that person. Near the bottom of that screen you will see a setting for Encryption.

Whatsapp settings

Tap on the encryption field, and you will be presented with a screen that displays a QR code as well as a 60-digit decimal code that represents the contents of that QR code.

Whatsapp QR code

At the bottom of the QR code screen, there is a link that will enable you to scan your friend’s code, and they can do the same for your code. This is why you need to allow camera access in WhatsApp, even if only temporarily.

That is all there is to it. Now, when you communicate with your friend, you can be more confident that they are who they say they are – although, of course, it’s always possible that the person you are speaking to has failed to keep a close eye on their smartphone or has failed to set a strong passcode.

In my view, you should tighten security like this with as many of your WhatsApp friends as possible.

WhatsApp has performed a magnificent feat in bringing end-to-end encryption for all communications to so many people. For those of us who wish to have authenticity when communicating, WhatsApp has gone that extra step to ensure that as well.

Well done, WhatsApp!


Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.

14 comments on “How to make your WhatsApp even more private and secure”

  1. Bob

    I agree that it's a very good idea to activate security notifications and to verify contacts out-of-band however it doesn't "…make your WhatsApp even more private…" because you get exactly the same level of encryption whether you verify your friends keys or not.

    Manually verifying your contacts will give you greater confidence that a MiTM isn't reading your conversations. A problem with WhatsApp is that it doesn't have an indicator to confirm who you've verified and who you haven't.

    Activating security notifications will alert you whenever your friends security codes have been changed (such as a fresh install of WhatsApp, a new phone, a new number or a MiTM).

    Therefore activating these options will only make a difference if both parties:

    understand the circumstances when WhatsApp will change your security code
    and, if they have verified their security codes prior to exchanging any confidential information
    and, assuming that the individual isn't subject to any side channel attack.

  2. Droopy

    This article is a joke. i decompile whatsapp code and see many bugs, remote exploits and even server could alter the encryption on demand, which means a ZERO security product. Totally intercepted and without any security. Fake security.

    1. Bob · in reply to Droopy

      Droopy:
      Please show us your work!

      1. Stephen F. Green · in reply to Bob
    2. Bob · in reply to Droopy

      A secure, respected alternative is Signal which is made by Open Whisper Systems. Signal is also open source so anybody can examine the code.

      The other alternative is Telegram which has apps for the:

      desktop (Windows, Mac, Linux)
      mobile (Android, iOS, Windows Phone, Firefox OS)
      internet (website, Chrome Extension)
      command line (Linux)

      https://telegram.org/apps

      ___________

      https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en

      https://itunes.apple.com/us/app/signal-private-messenger/id874139669

      https://github.com/WhisperSystems/Signal-iOS
      ___________

  3. YuckFou

    No, what's a joke is thinking FB have any interest in your data being private.

    A secure alternate would be to utilise a XMPP based protocol that hasn't been neutered of security or privacy and typically doesn't carry extended metadata not required to actually deliver the service.

    Something like XMPP maybe? Supported by many clients on many platforms if you've no trust for the server's SSL cert then(aside from maintaining your own XMPP server) you can readily wrap conversations client side with layers of GPG and OTR – unless you've a really poor client. As the servers – unless set to specifically exhibit to the contrary – can cleanly communicate across the interwebs then a user being logged in to a server doesn't prevent communication to other users on other servers(unless that server isolates itself), can maintain your own part of effectively a distributed meshnet.

    It's(XMPP) reasonably unstoppable, the protocol is thoroughly resilient in terms of data delivery, and displays assault resilience. Used securely it can provide for protections of it's contents on a level that is feasibly impossible to counter.

    Being XML based it can carry anything able to be represented in an XML stanza – which is basically anything. It's not impossible – esp when playing with the open source servers – to build "bridges" and have cross protocol interactions. Say an interaction layer that sets the users' account(on demand) on an IRC server, granting the user access to a completely independant protocol.

    As things like whatsapp are based on XMPP I'd suggest building a bridge between the two that offers enhanced security as an internal layer for supporting clients and 'legacy'(read:neutered) behaviour for any clients without sane features.

  4. Rick

    I have heard that Mobile phone service providers in some territories are required to retain copies of all emails, whatsapp, messages, sms's etc for a defined period of time.
    A question is whether a whatsapp message copy retained by them would be in an un-encrypted or encrypted format? If it is encrypted is there a "backdoor" way of decrypting the message?

    The Whatsapp privacy doc states "The contents of any delivered messages are not kept or retained by WhatsApp — the only records of the content of any delivered messages reside directly on the sender’s and recipient’s mobile devices (and which may be deleted at the user’s option)."
    In the case described above, the messages would also reside on the service provider servers so THEY COULD NOT BE DELETED AT THE USERS OPTION?

    1. Bob · in reply to Rick

      Rick:
      Yes, there are legal challenges to the way that WhatsApp operates. Some governments are attempting to force providers to hold on to content. We will have to see how this plays out over time.
      The people at WhatsApp are very serious about the fact that they do not retain any content. (This is why WhatsApp keeps getting shut down in Brazil.)
      If you are using WhatsAPP, or any other messaging service, it is always best to delete all the conversations from the device. If you clear your conversations on the device, and the provider also says that they do not store the information, then it should leave no trace, and if it does exist (for whatever reason), it would be encrypted and of no value.

  5. Mahmoud Badran

    how possible is it for a hacker to seal the private key from your device? wouldnt that be a flaw? since you keep the keys at the device , which can be already rooted or having a malicious software that can access those private keys

  6. Ilya

    Let's make people think more about their security.

    "make sure that WhatsApp has access to your camera"

    No. No I willl not.

    1. Graham CluleyGraham Cluley · in reply to Ilya

      I suspect you may have already chosen not to choose WhatsApp at all (no complaints from me on that front)

      But if you are a WhatsApp addict, you may wish to secure your account better and – as Bob says – *temporarily* granting access to the camera to set up the security may be a reasonable course of action.

  7. Tae Kim

    Hello sir
    I had a whatsapp account and I deleted the account, and I just make my whatsapp again with that previous phone number. so I want to know that if I block someone, and make a private whatsapp account will he or she can see that 'I have a whatsapp account again'.?

  8. James Trevelyan

    I use WhatsApp in Pakistan and after sending a message with certain keywords (that security agencies would regard as being sensitive politically) I received a cautionary message seemingly from WhatsApp warning of the potential legal consequences of sending messages on a certain (related) sensitive topic. The caution message appeared within a few seconds of sending the original message, in which the sensitive words appeared both as text and in an image. I have not turned off the option that allows Facebook access to my WhatsApp data… maybe this is the pathway being exploited here. But this experience does suggest that security agencies can see more than most people might think when messages are said to have end-end encryption.

    1. Bob Covello · in reply to James Trevelyan

      James:
      Have you saved any screen shots of those warning messages?
      That would be fascinating to see (and write about).
      Thanks.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.