(The Dutch version is available here: https://identityunderground.wordpress.com/2021/06/07/whatsapp-security-dichttimmeren-stap-voor-stapnl/)
Are you using WhatsApp, or considering it (or being invited to it by contacts)?
Then the checklist below gives you detailed steps to
- decide whether WhatsApp is worth using at all
- lock down your WhatsApp settings to keep it as secure as possible
At the end of this article, you can also find the download link for an offline version of this article.
If privacy really matters to you and is paramount…
As explained below, you can certainly lock down WhatsApp, but WhatsApp still holds your data and metadata, and WhatsApp defines the rules by which the service runs. Those rules can change whenever they want.
You should also know that WhatsApp is owned and managed by Facebook.
And Facebook has repeatedly shown that it deserves its bad reputation when it comes to privacy…
If you are not willing to compromise on privacy, look for alternatives that are not built by companies that make money from your personal data (see the end of this article).
It is up to you to decide which risk you are willing to take. If you want to balance using WhatsApp against your privacy, with the best possible security, read on.
If you care about privacy and still want to use WhatsApp
The good news is that WhatsApp uses end-to-end encryption.
So although Facebook or other parties cannot read the content of your conversations, your contact data and the metadata (the data about your conversations: who you talk to, when, and how often) are still collected and managed by Facebook/WhatsApp.
Furthermore, it is important to know that this end-to-end encryption DOES NOT apply to WhatsApp backups: a chat backup stored in Google Drive or iCloud is not protected by it.
So, as explained below, you might consider disabling the WhatsApp backup to protect your data.
And if you still choose to use WhatsApp, lock down privacy and security at every layer of the application.
General security rules
Minimize your data
In general it is always wise to minimize the data you keep in the application.
- Don’t give away personal data
- Keep your profile data to the minimum needed
Go to the WhatsApp status tab, then tap “Settings”.
Also, very important: limit personal data sharing. There is a specific set of options for this in the Privacy section.
- Only share your profile with trusted contacts
- Disable the sharing of
- “last seen” time stamp
- profile photo
- live location
For each of these options, choose the most restrictive setting: “Nobody” where that option is offered, or “Only share with…” with no contacts selected (or only a limited set of trusted contacts).
Also make sure to enable “Fingerprint lock” if your smartphone has a fingerprint scanner (on iPhone the equivalent option is “Screen Lock”, which uses Touch ID or Face ID).
Buyer’s tip: for your next smartphone purchase, consider whether the phone has a fingerprint scanner.
Keep the app up to date
Continuously update your apps, including WhatsApp, to the latest version, so that known security bugs are fixed as soon as a patch is available.
Many breaches and hacks specifically target known vulnerabilities in outdated software.
How to lock down your WhatsApp security, the check list
Without additional security configuration it is fairly easy to hijack a WhatsApp account, because registration is based only on your mobile number and a verification code delivered by SMS (or a phone call). Anyone who obtains that code, for example by tricking you into forwarding it, can register your number on their own device.
This makes a WhatsApp user with the default settings extremely vulnerable to account takeover. Don’t be the next victim: lock down WhatsApp from the first use.
Enable WhatsApp two-step verification (2FA) or multifactor authentication (MFA)
First of all you need to enable two-step verification; it’s a must.
When you enable two-step verification in the WhatsApp settings, anyone who wants to register your phone number on another device must also enter your PIN. Someone who has only obtained the SMS verification code can then no longer simply take over your WhatsApp account.
The steps:
- Use strong authentication on the phone (fingerprint lock, see the next section)
- Register an email address to the account, so you can reset the PIN if you forget it
- Set a PIN (six digits) via Settings > Account > Two-step verification
Be aware that the PIN in WhatsApp is not a login method but a recovery/reinstallation feature: WhatsApp asks for it when you register your number again, and occasionally while you use the app so that you don’t forget it.
More info: https://faq.whatsapp.com/android/security-and-privacy/adding-a-password/?lang=en
Access security for the application itself (a lock when opening the app) is handled by the smartphone, via the fingerprint lock described below.
Use phone strong authentication
In the privacy settings you can find the option “Fingerprint lock” (if your smartphone has a fingerprint scanner on board).
To enable the fingerprint lock, go to Settings > Account > Privacy
Then select the last option (Fingerprint lock)
In this Fingerprint lock menu, enable the lock and choose the time-out after which the app locks automatically (immediately, after 1 minute or after 30 minutes). Keep it short.
(Immediately may be a bit inconvenient; after 1 minute is a reasonable compromise.)
Enable the security notifications
In the account settings there is a “Security” option.
Make sure to enable the “Show security notifications” option.
This way you get a notification when the security code of one of your contacts changes. A security code changes when a contact reinstalls WhatsApp or switches phones, but it also changes when someone else registers that contact’s number on another device. If a code changes unexpectedly, verify it with the contact out of band (in person or by phone) before you send anything sensitive.
Lock down the privacy settings
Remove redundant personal data from your profile
There is not a lot of information you can add to your profile yourself.
Keep it to the strict minimum, and I would also suggest not using a personal photo, but rather a generic one.
In the privacy settings, disable all sharing of your profile data.
Stop location tracking
An important option in the list above is disabling location tracking (“Live location”).
Disable the chat backup
Although WhatsApp uses end-to-end encryption for its messaging, that encryption is not maintained when the data is stored in the backup.
If you are really concerned about privacy and security, disable the backup.
By the way, if you activate message expiration, the backup is largely redundant anyway (a message that has not yet expired when the backup runs can still end up in it).
Select the “Chats” option
In Chats, choose the “Chat backup” option
In the Google Drive settings (on Android devices), select “Backup to Google Drive” and then select “Never”. On iPhone, go to Settings > Chats > Chat Backup and turn off “Auto Backup”.
Note that on Android, WhatsApp also keeps a local backup in the phone’s storage; disabling the Google Drive backup only stops the copy in the cloud.
Enable message expiration (disappearing messages)
To enable message expiration, you need to set it per contact (in the chat with that contact) or per group.
There is no general security setting for it, nor can you set it per message.
Please be aware that disappearing messages in WhatsApp have some limitations: the recipient can still forward, screenshot or copy a message before it expires, and the feature does not protect against someone reading along on the recipient’s phone. See also: https://www.androidauthority.com/whatsapp-disappearing-messages-feature-1173692/
On contact level
Open the chat, tap the contact’s name, and choose “Disappearing messages”.
Enable message expiration on group level
You can set the same option on group level too (open the group, tap the group name, and choose “Disappearing messages”).
It’s highly suggested to enable these group options, and make sure information is not kept longer than needed.
Other operational security tasks
Remove obsolete members from groups
It is quite important to monitor the groups you manage and to remove members who no longer need to be there as soon as possible.
This way you avoid ‘leaking’ data to participants who do not need that information.
Leave groups you don’t use anymore
Monitor the groups you are a member of, and leave them when you no longer need them, when you no longer want to share information there, or when you don’t want the other members to see your information or messages.
This way you avoid ‘leaking’ data to participants who could otherwise see you or track you.
Data access request
If you want to check which information WhatsApp holds about you, you can request a copy of that information.
Go to your account settings (Settings > Account)
Then tap the “Request account info” option
Consider to use other tools, some alternatives
If you are not willing to compromise on privacy, look for alternatives that are not built by companies that make money from your personal data, like
- Signal (free) (https://signal.org/)
- Threema (paid; see https://threema.ch/en for the available versions)
WhatsApp references
- WhatsApp Security: https://www.whatsapp.com/security/
- About end-to-end encryption: https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/?lang=en
- WhatsApp Encryption Overview: http://www.cdn.whatsapp.net/security/WhatsApp-Security-Whitepaper.pdf
- WhatsApp Stolen Accounts: https://faq.whatsapp.com/general/account-and-profile/stolen-accounts/?lang=en (covers protecting yourself from WhatsApp hacking and recovering a stolen account)
Other sources – additional references you can check
- 8 Tips to Make WhatsApp More Secure and Private: https://www.makeuseof.com/tag/whatsapp-secure-tips/
The current article is available for download here: https://identityunderground.files.wordpress.com/2021/06/whatsapp-security-lockdown-step-by-step.pdf