Whatsapp security lockdown step-by-step

(NL versie vind je hier: https://identityunderground.wordpress.com/2021/06/07/whatsapp-security-dichttimmeren-stap-voor-stapnl/)

Are you using WhatsApp, or considering (or invited to, by contacts)?

Then the checklist below should provide you with detailed steps to

• consider if it’s worth using WhatsApp
• lock down the security of your WhatsApp to keep as secure as possible

Download this article

At the end of this article, you can also find the download link for an offline version of this article.

If you really care about privacy and it’s paramount…

As explained below you surely can lockdown WhatsApp, but they still have your data and metadata and they define the rules by which WhatsApp runs the show. And that can change, whenever they want.

And you should know that WhatsApp is owned and managed by Facebook.
And Facebook already has proven to maintain a really bad reputation when it comes down to privacy…

If you really do not want to give in on privacy, better check for alternatives that are not built by companies that make money with your personal data… (see end of this article).

It’s up to you to decide what risk you want to take. If you want to balance the use of WhatsApp and your privacy with the best possible security, continue to read.

If you care about privacy and still want to use Whatsapp

End-to-end encryption

The good news is, WhatsApp is using an end-to-end encryption.

And although Facebook or other parties might not listen in on your conversations, the contact data, the meta data (the data about your conversations) might be intercepted, and is owned/managed by Facebook/WhatsApp.

Furthermore it’s important to know that encryption DOES NOT apply to the WhatsApp backups.

So, as explained below, you might consider disabling WhatsApp backup to protect your data.

And if you still want to choose to use WhatsApp, better lock down the privacy and security in all layers of the application.

General security rules

Minimize your data

In general it’s always smart, to minimize your data in the application.

• Don’t give away personal data
• keep your profile data to the minimum needed

Go to the WhatsApp status tab

then click “Settings”

Also, very important, limit personal data sharing, there is a specific set of options in the Privacy section.

• only share your profile with trusted contacts
• Disable the publication of
  • “last seen” time stamp
  • profile photo
  • status
  • groups
  • live location
  • …

For each of these options set the right choice to disable sharing.

Choose “Only Share with…” > do not select any contacts (or a limited set of trusted contacts)

Result

Also make sure to enable the “Fingerprint lock” if available on your smartphone.

Buyers tip: for next smartphone purchase you must consider the availability of a fingerprint scanner on your phone.

Keep the app up to date

Continuously update your apps, incl. WhatsApp, to the latest version, to make sure that all security bugs or security issues are fixed right away.

Most of security breaches or hacks do specifically target outdated software.

How to lock down your WhatsApp security, the check list

Without security configuration it’s fairly easy to hijack a WhatsApp account, as the initial registration is only based on mobile number registration and/or SMS (short message).

This makes the initial WhatsApp user extremely sensitive to account take over. Don’t be the next victim, and lock down WhatsApp from the first use.

Enable Whatsapp Two-step (2FA) or multifactor authentication (MFA)

First of all you need to enable MFA, it’s a must.

When you enable 2FA/MFA on the WhatsApp settings, you avoid that someone else simply can take over your phone number or WhatsApp account.

Use phone strong authentication

Register email address to the account

Set a pin/password

Be aware that the PIN in WhatsApp is not a login method but a recovery/reinstallation feature.

More info: https://faq.whatsapp.com/android/security-and-privacy/adding-a-password/?lang=en

But you can use the smartphone security to enable application access security.

It’s strongly suggested to enable 2FA or MFA (multifactor authentication, as explained in previous paragraphs.

Enable Whatsapp Two-step or multifactor authentication

Use phone strong authentication

Finger print

Within the privacy settings, you can find the option “Fingerprint lock” (if your smartphone has the fingerprint scanner on board).

To enable the fingerprint lock, Go to Settings > Account > Privacy

Then select the last option (Fingerprint lock)

In this Fingerprint lock menu, you can enable the unlock and choose the time-out period. Keep it short.

(Maybe immediately is a bit inconvenient…)

Enable the security notifications

In the account settings

there is a security option

Make sure to enable the “Show Security notifications” option.

This will make sure you get notifications when the security code of your contacts change.

Lock down the privacy settings

Remove redundant personal data from your profile

There is not a lot of info you can add to your profile yourself.

Keep it to the strict minimum, and I also would suggest not to add a personal photo, but rather a general photo.

In the privacy settings, disable all publication of your profile data.

Stop location tracking

An important option in previous list is also to disable location tracking (“Live location”).

Disable backup

Although WhatsApp is using end-to-end encryption for it’s messaging, the encryption is not maintained when the data is stored in the backup

If you really are concerned about privacy and security, you disable the backup.

By the way, if you activate message expiration, the backup is redundant anyway…

Select the “Chats” option

In the chats option, choose the “Chat backup” option

In the Google drive settings (at least for Android devices), select “Backup to Google Drive” and then select “‘Never”.

Enable message expiration (disappearing messages)

To enable message expiration, you’ll need to set it on the account level of your contact or on group level

There is no general security setting, nor can you set it on the message level.

Warning

Please be aware that disappearing messages in WhatsApp might have some issues: https://www.androidauthority.com/whatsapp-disappearing-messages-feature-1173692/

On contact level

Enable message expiration on group level

You can set the same options on group level too.

It’s highly suggested to enable these group options, and make sure information is not kept longer as needed.

Other operational security tasks

Remove obsolete members from groups

It’s quite important to monitor groups you manage and remove redundant members as soon as possible.

This way you avoid ‘leaking’ data to participants who do not need that information.

Leave groups you don’t use anymore

Monitor groups you are member of, and you should quit/exit these groups if you do not need them anymore, or you do not want to share information anymore, or if you don’t want members to see your information/messages.

This way you avoid ‘leaking’ data to participants to see you or track you.

Data access request

If you want to check the information that WhatsApp knows about you, you can request a copy of that infromation

Go to your account settings

And then click the “Request Information option”

Consider to use other tools, some alternatives

Source:

• https://www.makeuseof.com/tag/forget-whatsapp-6-secure-communication-apps-youve-probably-never-heard/

If you really do not want to give in on privacy, better check for alternatives that are not built by companies that make money with your personal data…, like

• Signal (free) (https://signal.org/)
• Threema (which has versions… check https://threema.ch/en)

Reference

Whatsapp

• WhatsApp Security: https://www.whatsapp.com/security/
• About end-to-end encryption: https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/?lang=en
• https://www.whatsapp.com/safety
• WhatsApp Encryption Overview: http://www.cdn.whatsapp.net/security/WhatsApp-Security-Whitepaper.pdf
• WhatsApp Stolen Accounts: https://faq.whatsapp.com/general/account-and-profile/stolen-accounts/?lang=en

Protecting yourself from WhatsApp hacking

• https://www.csa.gov.sg/singcert/advisories/ad-2020-007

Recover your stolen account

• https://www.thequint.com/tech-and-auto/tech-news/whatsapp-account-hacked-here-is-how-you-can-recover
• https://indianexpress.com/article/technology/social/whatsapp-account-stolen-hacked-how-to-recover-6470640/

Other sources – additional references you can check

• https://www.theverge.com/2020/1/23/21068815/whatsapp-two-factor-authentication-how-to-security-privacy-hacking-pin-backup
• https://learn.tibcert.org/knowledge-base/best-practices-to-make-whatsapp-more-secure-and-private/
• https://www.wired.co.uk/article/whatsapp-privacy-security-settings
• https://www.forbes.com/sites/zakdoffman/2020/11/29/stop-using-dangerous-whatsapp-settings-on-apple-iphone-and-google-android/
• https://www.howtogeek.com/658977/how-to-secure-your-whatsapp-account/
• 8 Tips to Make WhatsApp More Secure and Private: https://www.makeuseof.com/tag/whatsapp-secure-tips/

Download

The current article is available for download here: https://identityunderground.files.wordpress.com/2021/06/whatsapp-security-lockdown-step-by-step.pdf