WhatsApp’s popularity is astounding. The messaging app claims over 2.7 billion users — more than 25 percent of the world’s population — who send 100 billion messages through the platform every day.
With that volume of activity, any security breach can have profound implications. In early 2023, for example, CyberNews reported a WhatsApp data leak that involved nearly 500 million up-to-date mobile phone numbers.
WhatsApp’s answer to security concerns is end-to-end encryption, which is designed to secure data while it is being transferred. Experts, however, are quick to point out that encryption alone is not enough to keep users’ personal data private and secure.
According to Yashin Manraj, CEO of Pvotal Technologies, it would be extremely naive for people to assume that any free-to-use communication platform or app that collects and monetizes their data would offer suitable privacy. “For any technology or platform that becomes as widespread in global use as WhatsApp, we must assume that hackers will eventually, inevitably, find a way to crack its encryption to obtain users’ data,” he says.
Pvotal leverages state-of-the-art technologies to help its clients build efficient and reliable digital infrastructure with customized, hyper-scalable solutions that empower growth and ability that go hand in hand with security. A core component of its security strategy is automating processes to remove vulnerabilities that can be introduced by human involvement.
Understanding the risk landscape of WhatsApp
To fully appreciate the risks of using WhatsApp, users must understand that they are creating both data (i.e., the messages they are sending) and metadata — the behind-the-scenes details about the messages they are sending. As Manraj explains, metadata includes how often and for how long you use the app, the device you are using to access the app, and where you are when you are using it.
“All activity from WhatsApp users is collected as data within the app and significantly impacts their privacy,” says Manraj. “The app can gather extensive information—such as location, usage and behavioral patterns, contacts and communication mediums, and frequency of use—based on the phone’s privacy and data settings. Consequently, WhatsApp can make precise internal predictions about each user, including their geographical location, activity patterns, marital status, race, age, ethnicity, and more.”
For users, the app’s ability to not only collect this data but also create assumptions about certain aspects of their identity or behavior poses significant risks. Companies generally use metadata for performance optimization and monetization, which makes it extremely valuable to organizations like government intelligence agencies and advertisers. That same value makes it an attractive target for hackers and other bad actors.
“Should anyone get ahold of this information with malicious intent, the ramifications could be detrimental to an individual whose data is breached,” Manraj notes.
Understanding and applying security best practices
Luckily for WhatsApp’s users, there have yet to be any reports of its end-to-end encryption being breached. However, Manraj points out that there have still been several occurrences in which some users’ data logs were obtained and leaked without their prior knowledge or consent. The most common cause of such leaks is user error.
“A general lack of security awareness is a major contributor to cybersecurity breaches, both within WhatsApp and beyond,” explains Manraj. “Leaks often occur when recipients with authorized access to information in messages share screenshots or conversations, either intentionally or inadvertently, with less trusted individuals who then spread the information more broadly. In recent years, numerous WhatsApp scandals have highlighted the tendency of users to share screenshots of sensitive conversations via text, Telegram, or other unencrypted communication channels.”
Manraj’s advice for avoiding that type of exposure is simple: “If you have information you don’t want to see become public knowledge, then you shouldn’t be sharing it via WhatsApp.”
Manraj also warns about the risks associated with WhatsApp data transfers during backup processes. Scheduled backups to Google Drive and other third-party locations can pose a security risk if not properly managed.
“About 10 percent of WhatsApp leaks on the dark web stem from unencrypted transfer files, which become vulnerable during phone upgrades,” Manraj reports. “This issue is particularly prevalent when using third-party services or untrained agents who retain copies of the data.”
WhatsApp users can achieve the highest level of security by first maximizing the controls the app offers. This includes enabling two-step verification, end-to-end encryption, and disappearing messages. Ensuring your account is linked to an active email account is also important for maintaining control of accounts that come under attack.
Second, users should maximize the overall security of their phone. Activating a PIN or passcode to ensure your phone is locked when not in use is a simple way to keep WhatsApp, as well as your other apps, secure if the phone is lost or stolen.
“By understanding that the human component is often the single point of failure in a security breach,” Manraj concludes, “they can better equip themselves with the automated security provisions both WhatsApp and their phones provide to keep their data private and secure.”