WhatsApp is the most widespread messaging app on the planet right now. This also means that there is a considerable number of hacking attempts going on. Do you use WhatsApp on your iPhone and worry about your messages being hacked?
A security researcher, who goes under the nickname ‘thegrugq’, has posted a guide for secure WhatsApp messaging on iOS. The following is the essence of their guide for protecting WhatsApp from hacking.
WhatsApp is incredibly widespread and easy to use, so you can message basically anyone using this app. Recently they have rolled out high quality encryption which is enabled by default. The encryption works on text messages, media and documents transferred via this app.
But not all is shiny in the kingdom of WhatsApp. Let’s look at some security problems with the app.
We divide WhatsApp weaknesses into two categories: weaknesses that can be exploited by a simple attacker, such as a family member or a small-time hacker; and weaknesses that can be exploited by powerful entities like corporations, governments and strong hacking teams.
Weaknesses exploitable by a “limited attacker”
- WhatsApp might be configured to automatically back up all messages to iCloud. The backup is stored in plain text (i.e. without encryption), so anyone who knows your iCloud username and password can access your messages. For example, a mobile monitoring app called mSpy can easily monitor WhatsApp messages if given your password.
- WhatsApp automatically saves received images and videos in the Camera Roll, which is usually automatically backed up to iCloud. Even if your messages are not backed up to iCloud, your WhatsApp photos are accessible to anyone who knows your password!
- WhatsApp has no application-level passcode. If your “limited attacker” knows the passcode to your iPhone, they can simply read your messages while you’re taking a nap.
- WhatsApp displays notifications when messages arrive. While the text of the message is not shown, the sender’s name is displayed, even if you don’t want to reveal it to a person who is looking at your phone.
- When you switch from using WhatsApp to another app or lock the screen while in WhatsApp, iOS by default captures the screen and saves it to disk. Even if you think that your super private message is deleted, your storage might contain a screen capture of it. Needless to say, this screen capture can be obtained using various data recovery tools.
Weaknesses exploitable by a “powerful attacker”
- WhatsApp doesn’t have an automatic deletion feature, and it needs to read your whole contact list for the app to work.
- All WhatsApp metadata is available to Facebook, the owner of WhatsApp. Metadata is the information about your messaging, for example timestamps of your messages and locations from which they were sent. A powerful attacker can get a lot of information from the metadata, even if they are unable to break the encryption. By knowing and comparing timestamps of different messages, they can find out who you’ve been talking to and for how long.
Your contact list and your metadata are exposed by WhatsApp to powerful entities, like governments, but we are focusing here on measures against simple attacks. Securing your messages from the government is out of scope.
How to Protect Your WhatsApp Privacy on iOS?
Here are the measures that you should take to maximize your WhatsApp security:
- The most important part is to disable WhatsApp iCloud backup from the main iOS settings.
Settings > iCloud > Storage > Manage Storage > This iPhone > Show All
WhatsApp: OFF (Turn Off & Delete)
This ensures that WhatsApp messages are not copied to iCloud and that monitoring apps like mSpy cannot spy on WhatsApp conversations (unless your iPhone is jailbroken and a monitoring app is installed on it). If you suspect that a monitoring app is installed on your phone, follow the guide to secure your phone from being tapped.
- Configure your WhatsApp account privacy under WhatsApp settings
Settings >> Account >> Privacy
Last Seen: My Contacts
Profile Photo: My Contacts
Status: My Contacts
Read Receipts: OFF
- Configure WhatsApp Account security under WhatsApp Settings:
Settings >> Account >> Security
Show Security Notifications: ON
- Disable messages preview under WhatsApp settings
Settings >> Notifications
Show Preview: OFF
(unfortunately, this still displays the sender’s name)
- Disable chat backup and saving media under WhatsApp settings
Settings >> Chats
Save Incoming Media: OFF
Chat Backup >> Auto Backup: OFF
- Periodically go to Settings >> Chats >> Chat history and delete all chats to protect them from snooping eyes.
WhatsApp offers strong encryption for your messaging, but your messages are still exposed to anyone who knows your iCloud password. You have to proactively secure WhatsApp on your iPhone by maxing out your security settings and disabling any kind of iCloud backup for WhatsApp.