Can people snoop on our WhatsApp messages?

The app is more secure than you’d expect, but precautions can minimize risks

A WhatsApp user writes a message on his smartphone. Karl-Josef Hildenbrand (Picture alliance/Getty Images)

Is there anyone who doesn’t use WhatsApp? If someone were to access an account on this popular messaging platform, they could build a detailed personal profile. This includes photos, messages, audio and even writing style. Our lives revolve around WhatsApp notifications, but can we have confidence in the security of our information on WhatsApp?

To begin, let’s understand what happens when you send a WhatsApp message. The app uses a client-server model, where messages are first encrypted and sent to the platform’s servers before being delivered to the recipient. This end-to-end encryption ensures that only the intended receiver can decode and read the message, guaranteeing privacy and security. There is a risk that conversations could be intercepted and read, but it would be very difficult. “It is not impossible, but it does require a significant effort,” said Ángela G. Valdés, from Spain’s National Cybersecurity Institute (INCIBE). “Generally, the threat is more likely to come from individuals with specific interests in our communications, rather than cybercrime networks.”

Cybercriminals usually try to circumvent the platform’s security measures by resorting to deception. They pretend to be someone with an urgent problem who needs a code that will be sent to the phone of the WhatsApp user. “The most common inquiries we receive regarding risks and fraud associated with WhatsApp include account theft and fake messages impersonating family members or friends, requesting money,” said Valdés.

If you receive this type of message, do not click on any links or respond. ”It’s important to be cautious about any links or files sent through WhatsApp, text messages, emails or any other channels,” said Luis Suárez, a sales engineer at Fortinet. “Always update your phone’s system software and its applications, and don’t leave your device unattended where someone can install malicious software.”

How can you tell if your WhatsApp account has been compromised? As mentioned, hacking a WhatsApp account is extremely difficult due to end-to-end encryption. However, criminals often use very subtle tactics, leading one to wonder if their WhatsApp accounts have been compromised. “If the goal of the attacker is to spy on the victim, they’ll do everything possible to go unnoticed,” said Suárez, who recommends keeping an eye on app settings. “Attackers will turn off the timestamp and message received/read settings (two blue checkmarks) in WhatsApp to avoid raising suspicions.”

Suárez also recommends regularly reviewing active sessions on WhatsApp Web and closing inactive ones, particularly on shared computers. However, there are additional signs that can indicate a compromised WhatsApp account, like abnormal battery consumption when the device isn’t in use. Suárez suggests periodically checking battery usage (on Android: go to Settings/ Battery/ Battery Usage; on iPhone: go to Settings/ Battery) and verifying if the resource consumption of each application aligns with actual usage.

Service providers are the most interested parties in ensuring user security. WhatsApp, for instance, provides a service for swiftly verifying account privacy. Users are required to activate two-factor authentication, app protection via biometric systems, and receive enhanced privacy recommendations.

How to protect yourself

Although WhatsApp is a very secure platform, it is not impregnable. Users can maximize security by following these simple tips.

Keep software updated: Software developers and platforms constantly repeat this recommendation. Why? Because developers are always working to fix potential system weaknesses, and updated software ensures that you have the version with the latest security patches, says Juan Manzano from Stratesys. He recently identified and resolved two significant vulnerabilities in WhatsApp through which attackers could remotely execute code by exploiting the Video File Handler component. “One security breach happened during a manipulated video call and the other through a malicious video file.”

Avoid clicking on links or sending codes: In cybersecurity, once you’ve installed the latest platform version, the next crucial protection is being cautious and using common sense. Never click on links unless you’re absolutely certain of the sender’s authenticity. But if you accidentally click on one, there’s still another layer of defense – malware detection systems. Manzano suggests installing an antimalware application that keeps your phone updated and continuously protected by detecting and blocking any malicious elements.

Password-protect WhatsApp and keep your phone close: Bad guys are well aware of human frailties, and overconfidence is one of them. Leaving your phone unlocked on a table while you go get a drink from the bar can be disastrous. It’s always best to keep your phone in sight and locked when not in use. WhatsApp provides a password lock feature, and can even lock individual chats, adding an extra layer of security.

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition


More information

Archived In