We don't currently recommend WhatsApp for secure communications. See here for a full explanation.
In addition we're concerned with WhatsApp's web app. WhatsApp provides an HTTPS-secured web interface for users to send and receive messages. However, as with all websites, the resources needed to load the application are delivered each and every time you visit that site. So, even if there is support for crypto in the browser, the web application can easily be modified to serve a malicious version of the application upon any given pageload, which is capable of delivering all your messages to a third party.
WhatsApp does still provide end-to-end encryption, which ensures that a message is turned into a secret message by its original sender, and decoded only by its final recipient. We take no issue with the way this encryption is performed. In fact, we hope that the encryption protocol WhatsApp uses, the Signal Protocol, becomes more widespread in the future. Instead, we are concerned about WhatsApp’s security despite the best efforts of the Signal Protocol.
If you would still like to use WhatsApp, see our tutorial below and be sure to turn off cloud backups and turn on fingerprint change notifications (see section on Additional Security Settings).
WhatsApp is an application that allows users on mobile devices to communicate with each other using end-to-end encryption. With it, users can securely chat with and call each other, send files, and engage in group chats. Although WhatsApp uses telephone numbers as contacts, calls and messages actually use your data connection; therefore both parties to the conversation must have Internet access on their mobile devices. Due to this, WhatsApp users don't incur SMS and MMS fees.
WhatsApp is owned by Facebook. The app itself is closed-source software, which means that it is very difficult for outside experts to confirm that the company has implemented their encryption in a secure way. Nonetheless, the methods that WhatsApp uses to send encrypted messages are public, and regarded as secure.
Installing WhatsApp on your Android phone
Step 1: Download and Install WhatsApp
On your Android device, enter the Google Play store and search for "WhatsApp." Select the app WhatsApp Messenger by WhatsApp Inc
After you tap "Install," you may see a list of Android functions that WhatsApp needs to be able to access in order to function. Tap "Accept."
After WhatsApp has finished downloading, tap "Open" to launch the app.
Step 2: Register and Verify your Phone Number
WhatsApp will request access to your contacts. If you grant this access, WhatsApp will have a full list of your contacts' phone numbers. If you do not grant this access, you can manually add each of your contacts for chat messages, however you cannot make a new call without granting WhatsApp access to your phone's contacts. If you'd like to send photos, media, or files, Whatsapp will request access to these files as well.
Tap "Continue," then tap "Allow" for each if you wish to grant these permissions.
You will then see a screen that looks like this:
Enter your mobile phone number and tap the right-pointing arrow. You will then see a verify dialogue:
Tap "OK." In order to verify your phone number, you will be sent an SMS text with a six-digit code. At this point, you may see a dialogue that indicates WhatsApp is requesting access to your SMS messages. If you tap "Allow," WhatsApp will automatically recognize when you've received the code and complete your registration. If you tap "Deny," you will have to check your SMS application manually to retrieve the code, and enter it into a dialogue that looks like this:
In the next few screens, you may be asked if you want to back up your messages to Google Drive. To ensure that unencrypted backups are not sent to Google, choose "Never" and then tap "Done."
To use WhatsApp, the person that you are messaging or calling must have WhatsApp installed.
When a new encrypted conversation is initiated, you will see a notification as follows: "Messages you send to this chat and calls are now secured with end-to-end encryption. Tap for more info." At this point, you can verify the authenticity of the person you are talking with, to ensure that their encryption key wasn't tampered with or replaced with the key of someone else when your application downloaded it (a process called key verification). Verifying is a process that takes place when you are physically in the presence of the person you are talking with. You can tap this notification, or manually view the contact by tapping the menu button at the top (with three vertical dots), then tap "view contact", then in the subsequent screen tap on the green lock icon:
Have your contact follow the same process on their phone. The following screen will be titled "Verify security code":
You will see a string of 60 numbers. You can either verify by manually reading off these numbers and making sure they correspond with your contact's numbers, or having them scan your QR code which appears on this screen.
Another verification method you may want to consider is taking a screenshot of the numbers and sharing it over a secondary secure channel, like PGP-encrypted email.
Once this is done, you can be assured that encrypted communications with this contact really are only accessible by yourself and your contact. This applies to both text messages within WhatsApp as well as WhatsApp voice calls.
Additional Security Settings
Show Security Notifications
As stated above, if for any reason the encryption key of a contact changes, you may want to be notified of this change.
Ordinarily, a key changing is no cause for alarm: this often happens as a result of app re-install or switching phones. There is, however, the possibility of a key change being caused by a malicious third party performing a man-in-the-middle attack. For this reason, it is good practice to verify (as described above) once again when the key of your contact changes. By default, WhatsApp doesn't display when contacts keys change. To enable this, go into Settings → Account → Security, and slide “Show security notifications” to the right:
Google Drive Backup
Also stated above, you'll probably want to ensure that unencrypted backups are not sent to Google.
Navigate to Settings → Chats → Chat backup to ensure cloud backups are turned off. Under "Back Up to Google Drive" choose "Never":