The hugely popular messaging platform WhatsApp made big news in the security community when they announced earlier this month that they were now providing end-to-end encryption for all of their one billion plus members.
This is an incredibly positive development for privacy advocates. The best part about this new feature is that WhatsApp users did not have to do anything in order to take advantage of this new feature. It is rare that security improvements are this easy.
Even though one need not do anything to take advantage of WhatsApp’s new end-to-end encryption, there is a way to make your WhatsApp conversations even more secure when chatting with folks you know personally.
The problem is this. When exchanging private communications with someone, you can never be 100% certain that the person on the other end of that communication is who they purport to be.
The “last mile” that ensures that you are communicating with the person whom you think you are communicating with requires that you meet that person face-to-face. This is true of all encryption mechanisms.
The first setting that you should enable, therefore, is the one that notifies you if a WhatsApp friend changes their device.
Why would you care about such a setting? Well, because if someone removes the SIM card from your friend’s phone and uses it in another device, they could impersonate your friend on WhatsApp. Enabling a setting in WhatsApp will give you notice that you may be communicating with an imposter.
The way to protect yourself is to go to the “Settings” icon at the bottom right of your WhatsApp screen, open up the Account settings area, and turn on the “Show Security Notifications” setting.
But wait, there’s more!
The next time you are face-to-face with your WhatsApp friend, and you want to increase your WhatsApp security even more, here are the simple steps to do so.
First, make sure that WhatsApp has access to your camera. You may have already allowed this when you installed WhatsApp, but if you did not, it is an easy setting in your Applications area of your phone.
Next, open a conversation with your friend in WhatsApp and then select the person’s name at the top of the conversation. This will open the contact window for that person. Near the bottom of that screen you will see a setting for Encryption.
Tap on the encryption field, and you will be presented with a screen that displays a QR code as well as a 60-digit decimal code that represents the contents of that QR code.
At the bottom of the QR code screen, there is a link that will enable you to scan your friend’s code, and they can do the same for your code. This is why you need to allow camera access in WhatsApp, even if only temporarily.
That is all there is to it. Now, when you communicate with your friend, you can be more confident that they are who they say they are – although, of course, it’s always possible that the person you are speaking to has failed to keep a close eye on their smartphone or has failed to set a strong passcode.
In my view, you should tighten security like this with as many of your WhatsApp friends as possible.
WhatsApp has performed a magnificent feat in bringing end-to-end encryption for all communications to so many people. For those of us who wish to have authenticity when communicating, WhatsApp has gone that extra step to ensure that as well.
Well done, WhatsApp!
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
14 comments on “How to make your WhatsApp even more private and secure”
I agree that it's a very good idea to activate security notifications and to verify contacts out-of-band however it doesn't "…make your WhatsApp even more private…" because you get exactly the same level of encryption whether you verify your friends keys or not.
Manually verifying your contacts will give you greater confidence that a MiTM isn't reading your conversations. A problem with WhatsApp is that it doesn't have an indicator to confirm who you've verified and who you haven't.
Activating security notifications will alert you whenever your friends security codes have been changed (such as a fresh install of WhatsApp, a new phone, a new number or a MiTM).
Therefore activating these options will only make a difference if both parties:
understand the circumstances when WhatsApp will change your security code
and, if they have verified their security codes prior to exchanging any confidential information
and, assuming that the individual isn't subject to any side channel attack.
This article is a joke. i decompile whatsapp code and see many bugs, remote exploits and even server could alter the encryption on demand, which means a ZERO security product. Totally intercepted and without any security. Fake security.
Please show us your work!
yes please do..
A secure, respected alternative is Signal which is made by Open Whisper Systems. Signal is also open source so anybody can examine the code.
The other alternative is Telegram which has apps for the:
desktop (Windows, Mac, Linux)
mobile (Android, iOS, Windows Phone, Firefox OS)
internet (website, Chrome Extension)
command line (Linux)
No, what's a joke is thinking FB have any interest in your data being private.
A secure alternate would be to utilise a XMPP based protocol that hasn't been neutered of security or privacy and typically doesn't carry extended metadata not required to actually deliver the service.
Something like XMPP maybe? Supported by many clients on many platforms if you've no trust for the server's SSL cert then(aside from maintaining your own XMPP server) you can readily wrap conversations client side with layers of GPG and OTR – unless you've a really poor client. As the servers – unless set to specifically exhibit to the contrary – can cleanly communicate across the interwebs then a user being logged in to a server doesn't prevent communication to other users on other servers(unless that server isolates itself), can maintain your own part of effectively a distributed meshnet.
It's(XMPP) reasonably unstoppable, the protocol is thoroughly resilient in terms of data delivery, and displays assault resilience. Used securely it can provide for protections of it's contents on a level that is feasibly impossible to counter.
Being XML based it can carry anything able to be represented in an XML stanza – which is basically anything. It's not impossible – esp when playing with the open source servers – to build "bridges" and have cross protocol interactions. Say an interaction layer that sets the users' account(on demand) on an IRC server, granting the user access to a completely independant protocol.
As things like whatsapp are based on XMPP I'd suggest building a bridge between the two that offers enhanced security as an internal layer for supporting clients and 'legacy'(read:neutered) behaviour for any clients without sane features.
I have heard that Mobile phone service providers in some territories are required to retain copies of all emails, whatsapp, messages, sms's etc for a defined period of time.
A question is whether a whatsapp message copy retained by them would be in an un-encrypted or encrypted format? If it is encrypted is there a "backdoor" way of decrypting the message?
The Whatsapp privacy doc states "The contents of any delivered messages are not kept or retained by WhatsApp — the only records of the content of any delivered messages reside directly on the sender’s and recipient’s mobile devices (and which may be deleted at the user’s option)."
In the case described above, the messages would also reside on the service provider servers so THEY COULD NOT BE DELETED AT THE USERS OPTION?
Yes, there are legal challenges to the way that WhatsApp operates. Some governments are attempting to force providers to hold on to content. We will have to see how this plays out over time.
The people at WhatsApp are very serious about the fact that they do not retain any content. (This is why WhatsApp keeps getting shut down in Brazil.)
If you are using WhatsAPP, or any other messaging service, it is always best to delete all the conversations from the device. If you clear your conversations on the device, and the provider also says that they do not store the information, then it should leave no trace, and if it does exist (for whatever reason), it would be encrypted and of no value.
how possible is it for a hacker to seal the private key from your device? wouldnt that be a flaw? since you keep the keys at the device , which can be already rooted or having a malicious software that can access those private keys
Let's make people think more about their security.
"make sure that WhatsApp has access to your camera"
No. No I willl not.
I suspect you may have already chosen not to choose WhatsApp at all (no complaints from me on that front)
But if you are a WhatsApp addict, you may wish to secure your account better and – as Bob says – *temporarily* granting access to the camera to set up the security may be a reasonable course of action.
I had a whatsapp account and I deleted the account, and I just make my whatsapp again with that previous phone number. so I want to know that if I block someone, and make a private whatsapp account will he or she can see that 'I have a whatsapp account again'.?
I use WhatsApp in Pakistan and after sending a message with certain keywords (that security agencies would regard as being sensitive politically) I received a cautionary message seemingly from WhatsApp warning of the potential legal consequences of sending messages on a certain (related) sensitive topic. The caution message appeared within a few seconds of sending the original message, in which the sensitive words appeared both as text and in an image. I have not turned off the option that allows Facebook access to my WhatsApp data… maybe this is the pathway being exploited here. But this experience does suggest that security agencies can see more than most people might think when messages are said to have end-end encryption.
Have you saved any screen shots of those warning messages?
That would be fascinating to see (and write about).