As you know WhatsApp is Facebook-owned messaging platform and is one of the world’s most popular messaging apps. Just like most other apps, there are some vulnerabilities in WhatsApp which you need to know about them. It is estimated that over one billion people use the app, sending over 65 billion messages per day. It’s no surprise then that security concerns, malware threats, and spam have begun to appear. Here’s everything you need to know about WhatsApp security issues.
Here are 5 WhatsApp Security Issues
1. Unencrypted Backups
The messages you send on WhatsApp are end-to-end encrypted. This means that only your device, and that of the recipient, can decode them. The feature prevents your messages from being intercepted during transmission, even by Facebook themselves. However, this doesn’t secure them once they are decrypted on your device.
WhatsApp allows you to back up your messages and media on Android and iOS. This is an essential feature as it allows you to recover accidentally deleted WhatsApp messages. There is a local backup on your device in addition to a cloud-based backup. On Android, you can back up your WhatsApp data to Google Drive. If you are using an iPhone, then your backup destination is iCloud. These backups contain the decrypted messages from your device.
The backup file stored on iCloud or Google Drive is not encrypted. As this file contains decrypted versions of all your messages, it is theoretically vulnerable and undermines WhatsApp’s end-to-end encryption.
As you have no choice in backup location, you are at the mercy of the cloud providers to keep your data secure. Although no large-scale hacks have affected iCloud or Google Drive to date, that doesn’t mean that it isn’t possible. There are other means that attackers could use to gain access to your cloud storage accounts too.
One of the supposed benefits of encryption is, for better or worse, being able to prevent government and law enforcement from accessing your data. As the unencrypted backup is stored on one of two U.S.-based cloud storage providers, all it would take is a warrant, and they would have unfettered access to your messages. If you do choose to back up your WhatsApp data to the cloud, it largely undermines the service’s end-to-end encryption.
2. WhatsApp Status
For many years, WhatsApp’s status feature, a brief line of text, was the only way for you to broadcast what you were doing at the time. This morphed into WhatsApp Status, a clone of the popular Instagram Stories feature.
As you know Instagram is a platform that is designed to be public. But you can make your profile private if you want to. On the other hand, WhatsApp is a more intimate service, and mostly people use it for communicating with friends and family. So, you may assume that sharing a Status on WhatsApp is private too.
However, that isn’t the case. Anyone in your WhatsApp contacts can view your Status. Fortunately, it is quite easy to control who you share your Status with.
Navigate to Settings > Account > Privacy > Status and it will show you three privacy choices for your Status updates:
- My contacts
- My contacts except…
- Only share with…
Despite this simplicity, WhatsApp doesn’t make it clear if your blocked contacts can view your Status. However, the company has done the sensible thing, and your blocked contacts are unable to view your Status regardless of your privacy settings. As with Instagram Stories, any videos and photos added to your Status will disappear after 24 hours.
3. Fake News
One of the other WhatsApp security issues can be spreading fake news. Through recent years, some social media companies have been criticized for allowing fake news and misinformation to spread on their platforms. In particularly, Facebook has been condemned for its role in spreading misinformation throughout the 2016 U.S. Presidential campaign. WhatsApp has also been subject to those same forces.
Two of the most notable cases have been in India and Brazil. WhatsApp was implicated in the widespread violence that occurred in India during 2017 and 2018. Messages containing details of fabricated child abductions were forwarded and spread across the platform, customized with local information. These messages were widely shared across people’s networks and resulted in the defaming of those accused of these fake crimes.
In Brazil, WhatsApp was the primary source of fake news throughout the 2018 elections. As this kind of misinformation was so easy to spread, business people in Brazil set up companies that created illegal WhatsApp misinformation campaigns against candidates. They were able to do this as your phone number is your username on WhatsApp. So they purchased lists of phone numbers to target.
Both issues were ongoing through 2018, a year that was infamously terrible for Facebook. Digital misinformation is a difficult problem to deal with, but many viewed WhatsApp’s response to these events as apathetic.
However, the company did implement a few changes. WhatsApp put limits on forwarding, so that you can only forward to five groups, rather than the previous limit of 250. The company also removed the forwarding shortcut button in a number of regions, too.
4. Facebook Data Sharing
In recent years, Facebook has been the subject of much criticism. One of those criticisms is of Facebook’s effective market monopoly and anti-competitive actions. Regulators attempt to minimize anti-competitive behavior by evaluating any takeover attempts.
Therefore, when Facebook decided that it wanted to add WhatsApp to the “Facebook Family,” the European Union (EU) only approved the deal after Facebook assured them that the two companies, and their data, would be kept separate.
They also stated that none of your information would publicly visible on Facebook, implying that it would instead be hidden in Facebook’s inaccessible profile of you. Following the backlash to this announcement, WhatsApp allowed users to opt-out of this data sharing arrangement. However, in the intervening years, they quietly removed this option.
This is likely in preparation for Facebook’s future plans. According to a January 2019 report in the New York Times, Facebook is starting to create one unified infrastructure for all of their messaging platforms. This would incorporate Facebook, Instagram, and WhatsApp. So, while each service would continue as a standalone app, the messages would all be sent on the same network.
5. WhatsApp Web Malware
WhatsApp’s enormous user base make it an obvious target for cybercriminals, many of which center around WhatsApp Web. This can be considered as one of the other WhatsApp security issues. For years, WhatsApp has allowed you to open a website, or download a desktop app, scan a code with the app on your phone, and use WhatsApp on your computer.
The app store on your phone—the App Store on iOS and Google Play on Android—are more carefully regulated than the internet at large. When you search for WhatsApp on those stores, it’s generally clear which app is the official one. That isn’t true of the wider internet.
Criminals, hackers, and scammers have all taken advantage of this. There have been instances of attackers passing off malicious software as WhatsApp desktop applications. If you are unfortunate enough to have downloaded one of these, the installation can distribute malware or otherwise compromise your computer.
Others tried a different approach, creating phishing websites to trick you into handing over personal information. Some of these websites pretend as WhatsApp Web, asking for you to enter your phone number to connect to the service. However, they actually use that number to bombard you with spam or correlate with other leaked or hacked data on the internet.
To be on the safe side, the best way to stay secure is to use only apps and services from official sources. WhatsApp offers a web client for you to use on any computer, known as WhatsApp Web. There are also official apps for Android, iPhone, macOS, and Windows devices.
WhatsApp Security Issues: What to Do in the End?
WhatsApp is a confusing platform. On the one hand, the company implemented end-to-end encryption in one of the world’s most popular apps; a definite security upside.
However, there are many WhatsApp security concerns. One of the primary issues is that it is owned by Facebook, and suffers many of the same privacy dangers and misinformation campaigns as their parent company.
If these reasons challenge your messaging app allegiance, there are WhatsApp alternatives that guard your privacy.
WhatsApp Alternatives to be Protected against WhatsApp Security Issues
One of the best WhatsApp alternatives for you to protect yourself against WhatsApp security issues is Telegram. Telegram offers support for text, photos, videos, audio, and documents. You can set a timer for your message to self-destruct, erasing it from the receiving device, but this is optional. Telegram looks like a text-messaging client with read receipts. You have the option of changing the message background to inject some variety into your messaging, as well.
Because the group behind Telegram is a non-profit organization, the app costs nothing and is ad-free. Their website says that they’re “building a messenger for the people,” and that if the group runs out of money, they’ll add a link to the app for donations or create some non-essential paid options. You can also get desktop clients for Telegram, which is very convenient.
Telegram’s encryption is “based on 256-bit symmetric AES encryption, 2048-bit RSA encryption, and Diffie–Hellman secure key exchange.” The method of encryption, was created specifically for this project, and is open-source. Telegram offers the ability to start “secret chats,” which use full end-to-end encryption, aren’t stored on the Telegram servers, and self-destruct after a set time for sending extra-secure data. Actually, this encryption doesn’t slow down the sending of messages.
One of the cool features of Threema is that you can send your location. You only need to tap on the “attach” button and you’ll send a geographic marker to your recipient. Once they receive it, they can just tap on it to get your location on a map. This is great when you’re trying to meet up with someone or describe where you are.
Threema isn’t free, but at $2.99 it’s still very affordable, and there’s no subscription fee. There are no plans to introduce ads or start charging for use. So you don’t have to worry about the app changing once you buy it.
Threema provides true end-to-end encryption. Therefore, your message is encrypted right on your device, and only the receiver’s device can decrypt it. The decryption key can’t be accessed by the company’s servers. Threema uses Elliptical Curve Cryptography, which is equivalent to 2048-bit RSA encryption. For further security, you don’t have to link your phone number, e-mail address or anything else to the app. You can also add a PIN lock to the app. Even if someone gets into your phone, they’ll still have to get past that to get to your messages.
Messaging on Threema is quite fast. Simple text messages are sent in a matter of seconds. During testing, it took about 30 seconds to upload, encrypt, and send a 3.9-MB photo from Dropbox.
A self-destructing message app, Wickr transfers control of mobile messaging from the receiver to the sender. This means that you get to decide how long your message sticks around. Before you send it, you can choose a self-destruct time ranging from a few seconds to more than five days. Once the timer runs out, your message will be erased from the recipient’s phone.
The user interface is quite simple. When you open a new message, just tap the lock icon to start the self-destruct timer. Each message has a live countdown so you know how long you have until it disappears. Your messages can contain text, images, video, audio, or attached files. Wickr includes convenient integration with Box, Dropbox, and Google Drive, so you can send files directly from your cloud storage.
Wickr searches your contacts for people you know that also use the app and automatically adds them to your contacts list. However, you can open a Wickr account without a phone number or e-mail address, and one of your contacts hasn’t added this information, you’ll have to add them by their username.
Even with this level of security, messages are encrypted and sent quickly. It only took a few seconds to encrypt a text message with a 2MB photo, and it was delivered just as fast.
You can absolutely trust Signal to safeguard your privacy. And the app itself couldn’t be simpler. You can send messages that include all sorts of files and even make encrypted calls. All for free.
The fact that you don’t need another username is a big bonus for usability. Just sign up with your phone number, and you’re set to go. Open Whisper Systems, the creators of Signal, don’t have access to any of your messages or your encrypted calls, ensuring total security.
It is hard to beat Signal for ease of use. It’s a dead simple app that anyone who has ever sent a text message will be able to use. It’s totally free, and highly secure. There’s really no downside.
To be protected against WhatsApp Security Issues, Which One Is the Best for You?
All four of these apps are great options for replacing WhatsApp if you’re worried about information privacy. The organizations behind them are committed to security, they offer high-grade encryption, and you maintain full control over who sees your information.
If all of these apps sound good to you, I’d recommend going with Telegram. It has a large number of users, and the ability to send messages from your desktop is really fantastic.