WhatsApp Security: A Complete Guide to How Your Chats Are Protected

WhatsApp Security

WhatsApp is the default messaging app for roughly 3 billion people, which makes it one of the largest privacy surfaces on the internet. Its core protection is end to end encryption based on the Signal Protocol, applied by default to personal chats, calls, and most media. On top of that baseline, WhatsApp has added passkey based login, passkey encrypted cloud backups, on device AI processing, and a set of granular chat privacy controls that most users never turn on.

This guide is for four groups: everyday users who want to lock down their account in the next ten minutes, IT and security teams evaluating WhatsApp for business communication, journalists and activists whose threat model goes beyond a random attacker, and anyone comparing WhatsApp against Signal, Telegram, or iMessage. It explains what is actually encrypted and what is not, what recent legal cases reveal about how the system behaves under real world attack, where the genuine risks sit (mostly metadata and device compromise, not the encryption math itself), and how to configure the app correctly step by step.

At a Glance: What WhatsApp Protects and What It Doesn’t

Category

Protected by end to end encryption

Notes

1:1 and group text messages

Yes

Signal Protocol, keys never leave the device

Voice and video calls

Yes

Same encryption layer as messages

Photos, videos, documents, voice notes

Yes

Encrypted in transit and at rest on device

Status updates

Yes

Encrypted, though visibility settings still matter

Chat backups (iCloud / Google Drive)

Optional, off by default until enabled

Must be turned on manually; can use password, 64 digit key, or passkey

Messages to a business account

Often, but not guaranteed

Depends on whether the business uses the WhatsApp Business app or a Meta hosted solution

Group metadata (who is in a group, when it was created, admin actions)

No

Visible to WhatsApp’s infrastructure even though message text is not

Metadata (who you message, when, how often, group membership)

No

Not covered by end to end encryption; used for spam detection and can be requested by law enforcement

Payments

No

Bank and card details are encrypted separately but the transaction itself is not end to end encrypted, since financial institutions need transaction data to process it

Key takeaway: the content of your conversations is very well protected by default. The metadata around those conversations, and anything you choose to back up unencrypted, is not. Most real world WhatsApp privacy incidents come from unlocked phones, weak backup settings, or social engineering, not from anyone breaking the encryption itself. Even the most sophisticated attacks on record, discussed below, worked around the encryption rather than through it.

How WhatsApp’s Encryption Actually Works

WhatsApp licenses the Signal Protocol, the same cryptographic system used by Signal itself. Every message is locked on the sender’s device using a key that only the recipient’s device holds, and a new key is generated for each message so that compromising one message does not expose the rest of the conversation. This property is called forward secrecy, and it means that even if an attacker eventually recovers one encryption key, past messages remain unreadable.

Three details matter for anyone who wants more than a marketing level understanding:

  • The server never holds a readable copy. Meta’s servers route encrypted messages but cannot decrypt them, even under a valid legal request, because Meta does not hold the keys. This is the technical basis for WhatsApp’s claim that it cannot hand over message content, only metadata.

  • Verification is optional but available. Every one to one encrypted chat has a unique security code, shown as a QR code or a 60 digit number under the contact’s encryption details. Comparing this code in person or over a separate channel confirms that no one is intercepting the conversation, a practice security professionals call “out of band verification.”

  • Group encryption works differently under the hood. In group chats, each member’s device independently manages encryption keys for the group using a sender key model, so adding or removing a member triggers a key rotation. This is efficient at scale but means group security depends heavily on who WhatsApp or a group admin allows to join, since a malicious added member can read new messages from that point forward.

A 2023 addition called key transparency lets the app automatically check that the encryption keys it is using for a contact are legitimate, reducing, though not eliminating, the value of manually checking security codes for most users. In 2025 and 2026, WhatsApp extended passkey support beyond login into chat backup encryption, letting a fingerprint or face scan replace the old choice between a password you might forget and a 64 digit key you might mishandle.

Security Features You Can Control

WhatsApp’s encryption is automatic, but most of its stronger privacy protections require the user to opt in. The table below separates “on by default” from “you have to turn this on yourself.”

Feature

Default state

What it does

End to end encryption for chats and calls

On

Cannot be disabled

Two step verification (PIN or passkey)

Off

Adds a second factor so a stolen SIM or number alone cannot take over the account

Encrypted chat backups

Off

Without it, backups sit in iCloud or Google Drive protected only by that platform’s own security

Chat Lock (passcode or biometric per chat)

Off

Hides a specific conversation behind Face ID, fingerprint, or a separate passcode

Disappearing messages

Off

Messages auto delete after a set window (24 hours, 7 days, or 90 days)

View once media

Off, set per message

Photos and videos that disappear after being opened

Hide “last seen” and online status

Off (visible to everyone by default in most configurations)

Limits who can see your activity

Block screenshots on view once media

On for view once content

Not foolproof against a second device photographing the screen

Silence unknown callers

Off

Filters spam and scam calls automatically

Chat export blocking (Advanced Chat Privacy)

Off

Prevents anyone in a chat from exporting the conversation history

Blocking automatic media downloads

Off

Reduces exposure to malware delivered through images or documents in group chats

Restrict who can add you to groups

Off

Limits unsolicited group invites, which are a common phishing and spam vector

Insight

The Default vs Maximum Security Gap

The gap between WhatsApp’s default security and its maximum security is unusually wide compared to competitors like Signal, where the strongest privacy settings are closer to the default. WhatsApp optimizes its defaults for ease of onboarding across three billion users, which means the meaningful security upgrade for most people is not switching apps, it is spending five minutes in Settings > Privacy and Settings > Account.

The Pegasus Case: What a Real World Attack Actually Looked Like

Understanding WhatsApp security in the abstract is useful, but the clearest public evidence of how the system holds up under attack came from a six year legal battle between WhatsApp and the Israeli spyware vendor NSO Group. In 2019, WhatsApp’s engineers discovered that NSO had exploited a flaw in WhatsApp’s call infrastructure to deliver its Pegasus spyware to roughly 1,400 devices, including phones belonging to journalists, human rights activists, and diplomats, without the targets clicking on anything.

Several facts from the resulting litigation are directly useful for understanding WhatsApp’s real world security posture:

  • The attack did not break the Signal Protocol encryption itself. It exploited a vulnerability in WhatsApp’s calling stack to install spyware directly on the device, which then read messages after they were decrypted, the same “read it after decryption” pattern described earlier as the most realistic threat to encrypted messaging.

  • In May 2025, a federal jury found NSO liable and initially awarded WhatsApp over 167 million dollars in damages; a judge later reduced that figure to 4 million dollars while still granting a permanent injunction barring NSO from ever targeting WhatsApp infrastructure again.

  • Court testimony revealed NSO continued developing new exploit methods even after the lawsuit was filed, and that the company actively looks for attack paths across browsers, operating systems, and other apps, not just WhatsApp, underscoring that device level compromise is a threat that extends beyond any single messaging app.

  • Separately, in early 2026, a new class action was filed alleging that Meta staff can access WhatsApp message content through an internal system, a claim still in early litigation as of this writing and not yet substantiated in court. It is a useful reminder that legal claims about encrypted messaging apps should be tracked over time rather than assumed to be resolved.

Insight

The Endpoint Vulnerability Reality

The Pegasus case is often cited loosely as proof that “WhatsApp isn’t really encrypted,” which is not what it demonstrated. It demonstrated that encryption protects content in transit extremely well, but that a sufficiently resourced attacker will simply target the endpoint, the phone itself, instead. This is why device hygiene (updates, avoiding unknown links, restricting app permissions) matters as much as any setting inside WhatsApp.

Setting Up WhatsApp Correctly: A Practical Checklist

Follow this order, since later steps depend on earlier ones being in place.

  • Turn on two step verification. Go to Settings > Account > Two step verification and enable it with a passkey if your device supports one, or a PIN if it does not. This is the single highest impact setting, since it blocks the most common WhatsApp takeover method: a SIM swap or a stolen verification code.

  • Enable encrypted chat backups. Go to Settings > Chats > Chat backup > End to end encrypted backup. Choose passkey encryption if available; it removes the need to store a 64 digit key somewhere insecure, which was previously the biggest weak point in the backup system.

  • Lock sensitive individual chats. Open the chat, tap the contact name, and enable Chat Lock. This matters most for shared devices or households.

  • Review who can see your status information. Settings > Privacy lets you restrict last seen, profile photo, about, and status to specific contacts rather than everyone.

  • Turn on Advanced Chat Privacy for sensitive or large groups. This blocks message export, restricts automatic media downloads, and limits AI feature access inside that chat.

  • Restrict who can add you to groups. Set group privacy to “my contacts” or “my contacts except” to cut down on spam invites and reduce exposure to scam links shared in unfamiliar groups.

  • Verify security codes for high stakes contacts. For a small number of conversations where confidentiality genuinely matters (legal, medical, financial, journalistic sources), compare the 60 digit security code through a separate channel at least once.

  • Audit linked devices regularly. Settings > Linked Devices shows every browser or desktop session tied to your account. Remove anything you do not recognize immediately.

  • Keep the app and operating system updated. Security patches for messaging apps and mobile operating systems are shipped frequently, and delayed updates are a recurring theme in mobile malware and spyware research, including the Pegasus case above.

Where the Real Risks Are

Encryption protects message content, but it does not protect against every threat model. The main risk categories worth understanding:

  • Device level compromise. If a phone is unlocked, jailbroken, or infected with spyware, encryption is irrelevant because the attacker reads the message the same way you do, after decryption. This is by far the most common way WhatsApp conversations are actually exposed, and it is exactly what happened in the Pegasus case.

  • Metadata exposure. WhatsApp knows who you talk to, how often, and roughly when, even though it cannot read what you said. For most users this is a minor concern; for journalists, activists, or anyone under targeted surveillance, metadata alone can reveal a great deal, including social networks and patterns of activity.

  • Business chat exceptions. Messages to a business account are treated as end to end encrypted only when the business uses the standard WhatsApp Business app or manages messages itself. Businesses that opt into Meta hosted message storage give Meta and the business’s own staff access to those conversations, and the business can use the content for its own purposes, including marketing.

  • Social engineering and scam links. Because message content is encrypted, most large scale WhatsApp fraud campaigns rely on tricking the user directly, through fake customer support numbers, prize scams, or malicious links in unfamiliar group chats, rather than attacking the encryption.

  • Unverified legal claims. As the 2026 whistleblower lawsuit shows, allegations about internal access to encrypted content do surface periodically. Users concerned about this should track credible reporting and court outcomes rather than treat early stage litigation as settled fact in either direction.

Insight

The Threat Model Question

The “is WhatsApp safe” question usually gets answered as a yes/no on encryption, but the more useful framing is a threat model question. Against a random attacker intercepting network traffic, WhatsApp is extremely strong. Against a targeted attacker who can compromise your device, exploit a zero click vulnerability, or subpoena metadata, encryption alone will not save you, and no consumer messaging app fully solves that problem.

WhatsApp vs. Signal vs. Telegram vs. iMessage

App

Default encryption

Encrypted by default or opt in

Metadata collected

Backup encryption

Open source clients

WhatsApp

Signal Protocol

Default for chats and calls

Yes, used for spam detection and business analytics

Opt in, passkey/password/64 digit key

No, closed source app with published protocol documentation

Signal

Signal Protocol

Default for everything, including group metadata protections

Minimal by design

Opt in local backup with passphrase

Yes

Telegram

Not end to end by default in regular chats; only in “Secret Chats”

Opt in for true end to end encryption

Yes, more extensive than WhatsApp in regular chats

Cloud chats stored server side, not end to end encrypted

Client code partially open, server code closed

iMessage

End to end for device to device iMessage traffic

Default between Apple devices, falls back to unencrypted SMS with non Apple devices

Some, tied to Apple ID and iCloud

iCloud backups encrypted, historically with Apple holding a recovery key unless Advanced Data Protection is enabled

No

Insight

The Telegram Misconception

Telegram’s reputation as the “more private” alternative to WhatsApp is largely inaccurate for its default mode. Regular Telegram cloud chats are not end to end encrypted, only the optional Secret Chats feature provides that protection, and Secret Chats do not sync across devices or support groups. For raw encryption strength and coverage, WhatsApp’s default configuration is closer to Signal than to Telegram’s default configuration. The genuine gap between WhatsApp and Signal is not encryption strength but metadata minimization and transparency.

WhatsApp Security for Business and Teams

Organizations evaluating WhatsApp for customer support or internal coordination should treat it differently from personal use:

  • Confirm the business solution type. Confirm whether the business number in question uses the WhatsApp Business app (message content stays end to end encrypted) or a Meta hosted business solution (message content is stored and processed by Meta and, if applicable, the business’s chosen vendor).

  • Require two step verification and device level biometric locks on any phone used for a shared business WhatsApp account.

  • Treat WhatsApp as a communication channel, not a system of record. Sensitive business data, contracts, and credentials should not live permanently inside chat history, since chat export and backup settings are easy to misconfigure across a team.

  • Audit linked devices on shared or departmental accounts on a fixed schedule, since a former employee’s still linked session is a common and easily overlooked exposure point.

  • Check compliance frameworks for regulated industries. For regulated industries (finance, healthcare, legal), check whether WhatsApp’s data handling and retention model satisfies your specific compliance framework before adopting it as a primary support channel, since encryption alone does not equal regulatory compliance.

  • Train staff on scam recognition. Because encryption blocks interception, the realistic attack path against a business WhatsApp account is a convincing impersonation message or a compromised device, not a broken cipher.

Common Myths About WhatsApp Security

  • “WhatsApp reads my messages for ads.” Message content is end to end encrypted and is not used to target ads within WhatsApp itself. Meta does use limited account level data, such as phone number and interactions with business accounts, for ad relevance elsewhere in its products.

  • “Backups are automatically encrypted the same way chats are.” They are not, unless the user manually enables end to end encrypted backups. An unencrypted backup sitting in iCloud or Google Drive is a real and commonly overlooked gap.

  • “Deleting a message for everyone erases all trace of it.” It removes the message from the chat interface on devices that received the deletion request while online, but a device that already saved a copy, took a screenshot, or was offline at the time keeps its own record.

  • “If NSO could hack WhatsApp, the encryption must be broken.” The Pegasus attacks exploited software vulnerabilities to compromise the device itself, not the underlying Signal Protocol encryption, which remains unbroken in that case.

  • “Signal and WhatsApp offer meaningfully different message security.” For message content specifically, both rely on the same underlying protocol. The practical differences are mainly in metadata handling, default settings, and organizational incentives, not in the strength of the encryption applied to a single message.

Frequently Asked Questions

Can WhatsApp employees or Meta read my messages?

No, not the content of end to end encrypted chats under the system as documented and as verified by independent security researchers. Meta’s servers relay encrypted data but do not hold the decryption keys, so even a valid legal request cannot produce readable message content for personal chats. Metadata such as who you messaged and when is a separate matter and is not end to end encrypted. A 2026 lawsuit alleges otherwise regarding internal Meta access, but that claim is in early litigation and has not been established in court.

Is WhatsApp Web as secure as the phone app?

Yes, WhatsApp Web uses the same end to end encryption as the mobile app, since it mirrors your phone’s session rather than storing a separate copy of your messages on a server. The added risk with Web is physical: an unlocked session on a shared or public computer can be viewed by anyone nearby, so logging out after use and periodically checking Linked Devices matters more than the encryption itself.

Should I enable encrypted chat backups?

Yes, if you back up your chats at all. Without end to end encrypted backups turned on, your chat history sits in iCloud or Google Drive protected only by that platform’s standard account security, not by WhatsApp’s own encryption. Passkey encrypted backups remove the old tradeoff between a memorable but weak password and a strong but easy to lose 64 digit key.

Does deleting a message for everyone actually remove it from the recipient’s phone?

It removes the message from the chat interface on devices that received the deletion request while online, but it does not guarantee removal from a device that had already saved a copy, took a screenshot, or was offline when the deletion was sent. Treat “delete for everyone” as a courtesy feature, not a guarantee.

Is it safe to use WhatsApp for sensitive professional communication, like legal or medical topics?

For most cases the encryption is strong enough that the bigger risks are device security and accidental screenshots or forwards, not interception. For genuinely high stakes confidentiality needs, or for anyone with a threat model resembling the journalists and activists targeted by Pegasus, purpose built tools with stricter retention and audit controls are usually a better fit than a consumer messaging app.

What is Private Processing and does it weaken encryption?

Private Processing is WhatsApp’s system for running AI features like message summaries or writing suggestions using on device processing where possible, and Trusted Execution Environments when data must briefly leave the device for a specific AI task. It is designed to keep AI features from having standing access to your plaintext messages, and it does not change the underlying end to end encryption of the messages themselves. Users who want zero AI involvement can disable related features individually in chat privacy settings.

How do I check if a specific chat is actually end to end encrypted?

Open the chat, tap the contact or group name, and look for “Encryption” in the contact info screen. A message stating that messages are end to end encrypted, along with a QR code and a 60 digit security code, confirms the chat’s status and allows manual verification against tampering.

Was WhatsApp’s encryption itself ever broken by a hacker or government agency?

There is no public, verified case of the Signal Protocol encryption used by WhatsApp being mathematically broken. Every major documented attack, including the NSO Pegasus campaign, worked by compromising the device or exploiting a separate software vulnerability rather than defeating the encryption algorithm itself. This distinction matters because it points users toward device security and update hygiene as the highest value protection, rather than assuming the encryption layer is the weak point.

What should I do if I suspect my phone has been targeted by spyware?

Update your operating system and all apps immediately, since spyware campaigns typically exploit known vulnerabilities that patches close. Consider running a reputable mobile security check, back up important data, and if you have reason to believe you are a specific target, such as a journalist or activist, contact a digital security organization like Citizen Lab or Access Now for a forensic review rather than relying on consumer tools alone.

Author

Helga Afon

Helga Afon is a technology writer specializing in video conferencing, collaboration software, and workplace communication. She writes articles and reviews that help readers better understand enterprise communication tools and industry trends.