Is WhatsApp safe to use? How does its end-to-end encryption work?

WhatsApp is easily the single most used chat app in the world, handily surpassing rivals like Messenger, Signal, and Telegram. Given how much sensitive data we tend to share in online conversations, is the app safe to use? Moreover, should you be worried about potential hacks or data leaks, even with the encryption WhatsApp claims to offer?

So to answer those questions, let’s take a closer look at WhatsApp’s security measures, including the end-to-end encryption it claims to offer. Later, we’ll also discuss some additional features you can take advantage of to keep your chats safe from prying eyes.

Is WhatsApp safe? What is end-to-end encryption?

Instant messaging has been around since the dawn of the internet, but early implementations were far from secure. For one, many of them exchanged messages over the internet in plain text. This meant that anyone with access to the company’s servers could read your messages, as could any intermediaries or malicious actors down the line. And even though many services implemented encryption-in-transit in the late 2000s, the companies operating chat apps usually held the keys to decrypt user communications. Put simply, your chats were never truly private.

More recently, however, many platforms have adopted end-to-end encryption (E2EE) to improve message confidentiality and user privacy. In an end-to-end encrypted communication channel, only the sender and receiver have the keys necessary to decrypt each other’s messages. Nobody else — including the platform, your ISP, or even a hacker with access to the encrypted data — can read your messages.

Since 2014, WhatsApp’s end-to-end encryption system has relied on Open Whisper Systems’ open-source Signal protocol. You may know the company as the developers of chat app Signal, a WhatsApp competitor that prides itself on putting security and privacy first.

According to WhatsApp’s documentation, virtually all of your communication on the platform is secured with end-to-end encryption. This includes messages, media, voice notes, calls, and even status updates.

How safe is WhatsApp? Encryption explained

The Signal encryption protocol used by WhatsApp combines multiple cryptographic techniques, starting with public-key encryption. Put simply, it involves each user owning a pair of randomly generated keys — one that stays private and another that gets distributed publicly.

The idea here is that a sender uses the recipient’s public key to encrypt messages. On the other end, the recipient uses their private key to decrypt it. Since your device generates the private key, WhatsApp never has access to it. This simple cryptographic technique has been used for decades now, with modified versions securing everything from emails to cryptocurrency wallets.

However, standard public-key encryption isn’t secure enough on its own. It suffers from a single point of failure. If your private key ever gets compromised, an attacker could decrypt your past, present, and future chats completely unchecked. To remedy this, the developers behind Signal’s protocol devised a novel technique called double ratchet encryption.

Instead of using a static set of keys for each user, the protocol uses a mix of permanent and temporary keys. The latter changes every time you send a new message. This means that if a theoretical attacker were to gain access to one particular key, they wouldn’t be able to decrypt more than a few messages. Constantly renewing keys seems like an overkill solution, but it’s also simple enough that our smartphones can handle it effortlessly.

Of course, there’s a lot more to WhatsApp’s encryption system — which you can find in the company’s technical white paper on the subject. However, the crux of the matter is that the encryption is sound and robust enough to ward off eavesdropping and similar basic attacks.

Is WhatsApp safe from hackers? What do the experts think?

WhatsApp lets you verify that your individual chats and calls are end-to-end encrypted. Simply open a chat within the app, tap on the contact’s name, and, finally, the “Encryption” label. You’ll find yourself presented with a QR code and a 60-digit number. Now, follow the same steps on the recipient’s phone and compare the values.

As long as the number matches on both devices, your chat is properly end-to-end encrypted. WhatsApp calls this a “security code,” but it’s just an easier way to represent the public key we spoke about earlier. Completing this step also helps ensure that your communication is reaching the right person and not a malicious imposter pretending to be your contact. It also keeps WhatsApp accountable — if the keys don’t match, it would place the company under tremendous scrutiny.

Having said that, WhatsApp isn’t perfect — it records a fair amount of information about you outside of the chat interface. The data collected includes your contact list, location, device identifiers, and transaction history, among others. However, Signal is the only alternative that claims to collect less data and emphasizes security with independent security audits. Other popular chat applications like Messenger and Telegram don’t even offer end-to-end encryption by default.

For this reason, security researchers recommend WhatsApp over most of the competition. The Electronic Frontier Foundation is a vocal critic of the app’s data-sharing practices. However, it maintains that “WhatsApp still uses strong end-to-end encryption, and there is no reason to doubt the security of the contents of your messages on WhatsApp.”

Signal co-founder and renowned cryptographer Moxie Marlinspike has also vouched for the app in the past. In a 2017 blog post, he said, “We [Signal] believe that WhatsApp remains a great choice for users concerned with the privacy of their message content.”

How does WhatsApp collect and use my data?

By now, it’s clear that WhatsApp does not store your chats, media, and other private data. But what else does the app know about you and how does it store this data? We combed through WhatsApp’s Privacy Policy and here are the highlights in simplified form:

• You provide your phone number and basic data about yourself like a name, status, and profile picture when signing up for a WhatsApp account.
• If you agree to the location permission and use a feature like Live Location, WhatsApp can potentially see and collect geolocation data. It can also deduce your approximate location based on your internet connection and phone number’s region code.
• If you use WhatsApp Payments, the platform can see transaction data like the recipient, shipping details, and amount.
• The platform does not collect or store your contact list. However, it does keep a record once it detects a contact already has a WhatsApp account.
• WhatsApp collects details about usage activity like Last Seen, online activity, device model, signal strength, and time zone.

Most of this information seems harmless on the surface. However, WhatsApp is only one of many Meta platforms. So even basic data can go a long way toward identifying you as an individual when combined with your Facebook and Instagram profiles. For example, Meta can use phone numbers to recommend new friends on Facebook based on frequent WhatsApp conversations. Sure, it cannot see the contents of your messages, but it still knows that some communication took place.

How to keep your WhatsApp safe from hackers

Your WhatsApp chats stay encrypted and confidential at all times. However, there are still some potential security pitfalls that you should be aware of. While your chats won’t ever get intercepted on their way to you, they’re pretty exposed once they reach their destination. In other words, your phone and any recipient’s device are far easier targets for potential attacks.

If you lose your smartphone, for example, an attacker with physical access to it could copy your WhatsApp message database off the device. Thankfully, WhatsApp encrypts this file, and recovering the key requires root access on Android. If you don’t know what that is, you likely have nothing to worry about. That said, they could still access media files such as images and videos. All of this can be easily remedied with a simple screen lock on your smartphone.

Another well-publicized potential attack vector involves cloud backups to Google Drive and iCloud. By default, WhatsApp will back up your chats to these services without any encryption whatsoever. This means that if an attacker somehow gains access to your cloud storage account, they could also theoretically get their hands on your WhatsApp data.

Luckily, WhatsApp has already rolled out the ability to encrypt chat backups with a password or encryption key. The latter is a randomly generated 64-digit key. You can store it in a password manager for maximum security. This is an opt-in feature, so make sure that you enable it under Settings > Chats > Chat backup within the WhatsApp app on Android.

On the subject of WhatsApp’s optional security features, consider turning on two-factor authentication as well. You can find it under WhatsApp Settings > Account > Two-step verification. This will require you to enter a PIN when registering your account on a new phone. It won’t prevent data leaks but could prevent fraudulent login attempts from malicious actors.

FAQs