How to: Use WhatsApp
Some of WhatsApp's most useful security features are not enabled by default. You'll need to actively go in and set them up yourself (and ask your contacts to do the same!).
Download location: Google Play Store or Apple App Store
System requirements: Android 5 or later, iOS 12 or later
Version used in this guide: 2.23.13.76
License: Proprietary
Other reading:
- https://blog.whatsapp.com/10000618/end-to-end-encryption
- https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
- https://medium.com/@thegrugq/operational-whatsapp-on-ios-ce9a4231a034/
Level: Beginner
Time required: 15-20 minutes
Table of Contents
- Getting Started with WhatsApp
- Using WhatsApp
- Manage Your Group Chats and Communities Preferences
- Additional Security Settings
WhatsApp is an application that allows you to securely communicate one-on-one, send files, and engage in group chats. Although WhatsApp uses telephone numbers as contacts, calls and messages use your data connection; therefore both parties to the conversation must have internet access on their mobile devices. Due to this, WhatsApp users don't incur SMS and MMS fees.
WhatsApp is owned and operated by Meta. The app itself is closed-source software, which means that it's difficult for outside experts to confirm that the company has implemented their encryption in a secure way. But WhatsApp does use end-to-end encryption, which ensures that a message is turned into a secret message by its original sender, and decoded only by its final recipient. We hope that the encryption protocol WhatsApp uses, the Signal Protocol, becomes more widespread in the future.
While the encryption protocol is sound, the privacy practices of WhatsApp and its parent company are concerning. Since 2016, WhatsApp has shared data with Facebook (now Meta), and while that doesn't include the contents of messages, it does include other information, including your phone number, logs of how often you use WhatsApp, IP addresses, device identifiers, and other similar metadata. Even though this steers clear of using the contents of your messages to target ads, it's still an uncomfortable amount of data-sharing that you won't find in WhatsApp's biggest competitor, Signal.
There is also some cause for concern with WhatsApp's web app. WhatsApp provides an HTTPS-secured web interface to send and receive messages. As with all websites, the resources needed to load the application are delivered each and every time you visit that site. Because of this, it's technically possible that the web application can be modified to serve a malicious version, which would then be capable of delivering all your messages to a third party. If you want to use WhatsApp on your computer, consider the desktop apps for Windows and Mac instead.
Getting Started with WhatsApp
Download and Install WhatsApp
First things first, you'll need to download the WhatsApp app to your phone. You can search the Google Play or Apple App Store for "WhatsApp" or download directly from the links below:
- On Android: Download the app from the Google Play Store here.
- On iPhone: Download the app from the Apple App Store here.
After WhatsApp finishes downloading, launch the app. The settings and screens may look different, depending on your version of Android and the manufacturer of your phone.
Register and Verify your Phone Number
Before you can use WhatsApp, you'll have to accept the Terms of Service and Privacy Policy. Tap "Agree and Continue."
WhatsApp will next request the ability to send you notifications. Tap "Allow" to get notifications when you receive new messages.
When prompted, enter your mobile phone number and then tap "Yes" for the next prompt. While WhatsApp doesn't use SMS, your phone number will still be visible to all your contacts. If you do not want to use your primary phone number, Freedom of the Press Foundation has tips for getting a secondary number.
In order to confirm your phone number, you will be sent an SMS text with a six-digit code. Enter that code when prompted.
You will then be asked to enter your name and add a profile picture. Keep in mind whatever you use for your profile will be visible by all your contacts.
WhatsApp will request access to your contacts. If you grant this access, WhatsApp will have a full list of your phone numbers. On Android, you must grant access to your contacts in order to send messages or initiate phone calls. On iPhone, you can decline access to your contacts and the app will still work, but you'll have to manually enter each person's phone number to contact them.
- On Android: Tap "Continue" and then "Allow" to grant access to your contacts.
- On iPhone: Tap "Continue," then tap "OK" for each if you wish to grant these permissions.
If you'd like to send photos, media, or files, WhatsApp will request access to these as well.
Using WhatsApp
To use WhatsApp, the person that you are messaging or calling must have WhatsApp installed as well. You can start a chat or phone call from the app by typing in a phone number manually, or by typing out a contact's name if you've given access to your contact list. You can initiate group chats the same way, adding as many people as you'd like to a text thread.
- On Android: Select the "Chats" tab (or "Calls") then tap the message icon in the bottom right. Select the contact you'd like to start a conversation with.
- On iPhone: Tap the "Chats" (or "Calls") option on the bottom navigation bar, then tap the message icon in the top-right. Select the contact you'd like to start a conversation with.
When your first encrypted conversation is initiated, you'll see a message describing how disappearing messages work. Click "Ok," and you're taken to the new message screen. You'll see a note at the top of each message thread that says, "Messages and calls are end-to-end encrypted. No one outside of this chat, not even WhatsApp, can read or listen to them. Tap to learn more," followed by more information about the default setting for disappearing messages (more on disappearing messages below).
At this point, you can verify the authenticity of the person you are talking with, to make sure that their encryption key wasn't tampered with or replaced with the key of someone else when your application downloaded it (a process called key verification). This is an optional step that may not be necessary for everyone you communicate with, but can be useful in cases where you're talking about private information. The process works the same on both Android and iPhone:
To verify, tap on their name (or phone number) at the top, then on the next screen, tap "Encryption."
Have your contact follow the same process on their phone. The following screen will be titled "Verify Security Code."
You will see a string of 60 numbers. You can either verify by manually reading off these numbers and making sure they correspond with your contact's numbers, or if you're in the same place, you can also scan their QR code that appears on this screen. If needed, you can also take a screenshot of the numbers and share it over a secondary secure channel.
Once this is done, you can be assured that encrypted communications with this contact really are only accessible by yourself and your contact. This applies to both text messages within WhatsApp as well as WhatsApp voice calls.
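The comparison both phones make during verification, as an added Python illustration (not WhatsApp's code and not part of the original guide). It follows the 60-digit construction described in the WhatsApp security whitepaper listed under Other reading; the exact bytes fed to the hash, the phone numbers, and the keys are constructed assumptions.

```python
import hashlib

ITERATIONS = 5200  # iteration count stated in the WhatsApp security whitepaper


def numeric_fingerprint(identity_key: bytes, user_id: bytes) -> str:
    """Derive one party's 30-digit fingerprint from their public identity key."""
    digest = identity_key + user_id  # assumed byte layout, simplified for illustration
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # First 30 bytes -> six 5-byte chunks -> each chunk mod 100000, zero-padded.
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


def security_code(key_a: bytes, id_a: bytes, key_b: bytes, id_b: bytes) -> str:
    """Join both fingerprints in sorted order so each phone shows the same 60 digits."""
    parts = sorted([numeric_fingerprint(key_a, id_a), numeric_fingerprint(key_b, id_b)])
    return "".join(parts)


def display(code: str) -> str:
    """Group the digits in fives, the way they are read aloud during verification."""
    return " ".join(code[i:i + 5] for i in range(0, len(code), 5))


def constructed_key(label: bytes) -> bytes:
    """Stand-in for a 32-byte public identity key (constructed, not a real key)."""
    return hashlib.sha256(label).digest()


# Constructed sample data: phone numbers and keys are made up.
ALICE_ID, BOB_ID = b"15550100001", b"15550100002"
ALICE_KEY = constructed_key(b"alice identity key")
BOB_KEY = constructed_key(b"bob identity key")
SUBSTITUTED_KEY = constructed_key(b"key swapped in by a third party")

# Normal case: both phones hold the genuine keys, so the codes agree.
alice_view = security_code(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
bob_view = security_code(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)

# Tampered case: Alice's phone was handed a different key for Bob.
alice_view_tampered = security_code(ALICE_KEY, ALICE_ID, SUBSTITUTED_KEY, BOB_ID)

if __name__ == "__main__":
    print("Alice sees:", display(alice_view))
    print("Bob sees:  ", display(bob_view))
    print("Match:", alice_view == bob_view)
    print("After key substitution, match:", alice_view_tampered == bob_view)
```

Because the code depends on both identity keys, a swapped key on either phone changes the digits that phone shows, which is why comparing them in person or over a separate channel detects the substitution.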
Manage Your Group Chats and Communities Preferences
Alongside one-on-one chats, WhatsApp also supports group chats and community chats (which are basically larger groups of group chats). As with chats, both group chats and community chats are end-to-end encrypted.
To create a new group chat:
- On Android: Select the "Chats" tab then tap the message icon in the bottom right. Select "New Group," and then the contacts you'd like to start a conversation with.
- On iPhone: Tap the "Chats" (or "Calls") option on the bottom navigation bar, then tap the message icon in the top-right. Select "New Group," and then the contacts you'd like to start a conversation with.
You can adjust certain settings for groups you create, as well, including whether or not others can add new participants, or if administrators need to approve them:
- On Android: Open a group chat, tap the name, and then scroll down and tap "Group Settings."
- On iPhone: Open a group chat, tap the name, and then scroll down and tap "Group Settings."
By default, anyone can add you to a group chat, just as they can with a normal SMS message. But you can change this setting:
- On Android: Tap the Three dot icon (⋮) > Settings > Accounts > Privacy > Groups.
- On iPhone: Tap Settings > Privacy > Groups.
Here, you'll find three options to choose from:
- Everyone: With this setting, everyone, including people not in your address book, can add you to groups without your approval.
- My Contacts: Only people in your contact list can add you to groups without your approval. If someone is not in your contacts, they'll get a pop up asking to invite you.
- My Contacts Except: With this option, you can select specific contacts in your phone's address book who cannot add you to groups without your approval.
If you are in a group chat or community and want to leave, you can do so:
- On Android: Open up the group chat or community you want to leave, then tap the group's name at the top of the screen. On the next screen, scroll down to the bottom and tap "Exit group."
- On iPhone: Open up the group chat or community you want to leave, then tap the group's name at the top of the screen. On the next screen, scroll down to the bottom and tap "Exit group."
Additional Security Settings
Account Security
There are a few basic security settings that everyone should change in WhatsApp, regardless of your security concerns.
Enable End-to-End Encryption on Backups
WhatsApp offers the option to back up your chats. This way, you can restore your chats if you lose or change to a new phone. These backups are optional and not enabled by default. WhatsApp allows you to store these backups with or without encryption. If you decide to enable backups, then for the most protection, enable the optional end-to-end encrypted backup. With this option enabled, neither WhatsApp nor Google (or Apple) can access the information in the backup.
- On Android: Tap the Three-dot icon (⋮) > Settings > Chats > Chat backup to get to the backup screen. Then tap "End-to-end encrypted backup" and toggle the feature on.
- On iPhone: Navigate to Settings > Chats > Chat Backup to get to the backup screen. Then tap "End-to-end encrypted backup" and toggle the feature on.
When you enable the end-to-end encrypted backup, you'll be asked whether you'd like to either set a password or use an encryption key. Be sure to save this key or password somewhere safe, like a password manager, as WhatsApp will not be able to help you recover your backup if you lose it.
Remember that anyone you chat with can also back up their chats, including in a way that does not use end-to-end encryption. If this is a concern for you, be sure to help your contacts change their settings as well.
Enable Two-Step Verification
For added security, you should consider enabling two-step verification. This makes it so you can set a PIN that's required before you can log into WhatsApp on another phone.
- On Android: Tap the Three-dot icon (⋮) > Settings > Account > Two-Step Verification. Once there, tap the "Enable" button to turn it on.
- On iPhone: Tap Settings > Account > Two-Step Verification. Once there, tap the "Enable" button to turn it on.
Once you select the "Enable" option, you're asked to create a six-digit PIN, then confirm that number. You can also add an optional email account that will help you reset the PIN if you forget it.
The app will periodically ask you to input this PIN when you open WhatsApp to help you remember it.
Lock the App or Individual Chats
If you use biometrics (like Face ID or Touch ID) or a PIN to lock your phone, you can also lock down the entire WhatsApp app, or individual chats. This means after unlocking your phone, you'll need to authenticate again to open the app or access chats. To lock the whole app:
- On Android: Tap the Three-dot icon (⋮) > Settings > Privacy > Fingerprint, and enable the "Unlock with fingerprint" option (it may say "biometric" instead).
- On iPhone: Tap Settings > Privacy > Screen Lock and enable the "Require Face ID (or Touch ID)" option.
Once enabled, you can select a duration of time before the app automatically locks itself again.
If you don't need to lock the entire app but do want to secure specific chats:
- On Android: Tap the name (or phone number) of the chat, then scroll down to "Chat Lock," and tap "Lock this chat with fingerprint" (it may say "biometric" instead).
- On iPhone: Tap the name (or phone number) of the chat, then scroll down to "Chat Lock," and tap "Lock This Chat with Face ID (or Touch ID or PIN)."
With the chat lock feature enabled, the chat thread will be moved to a separate "Locked Chats" folder that you'll need to scroll down from WhatsApp's home screen to get to. Notifications will not include the message contents from these chats regardless of what your other message preview settings may be.
Review Privacy Settings
Similar to a social network, WhatsApp has a number of specific privacy settings, like whether or not people can see when you're online, or whether they get "read receipts," that you may want to consider changing.
- On Android: Tap the Three-dot icon (⋮) > Settings > Privacy, and go through each option to ensure you're not sharing more than you intend to.
- On iPhone: Tap Settings > Privacy, and go through each option to ensure you're not sharing more than you intend to.
You can also run the "Privacy Checkup" on this page for more detailed guidance.
Additional Security Settings for More Sensitive Situations
Aside from the above settings, WhatsApp includes a number of more specific security settings that not everyone will need to consider, but are useful if your security plan calls for it.
Change Disappearing Messages Length
WhatsApp offers a number of options for disappearing messages, where messages are deleted after a set amount of time. Disappearing message times will apply to both you and the recipient, but keep in mind that before messages disappear, the recipient could take a screenshot of them. If you opt to enable this feature, you can choose between 24 hours, seven days, or 90 days. To set this for every chat:
- On Android: Tap the Three-dot icon (⋮) > Settings > Privacy > Default message timer, and choose the length you'd like as the default.
- On iPhone: Tap Settings > Privacy > Default Message Timer, and choose the length you'd like as the default.
You can also set this on an individual level for each thread. Open a chat thread, then tap the name (or phone number), scroll down to "Disappearing Messages," and select the time duration you'd like for that specific chat.
Note that when you reply to a message that then gets deleted, the quoted text might still remain for a short time afterward.
Use "View Once" Mode for Sensitive Photos
When you send photos in a chat, you can optionally set that photo so that it can only be viewed one time. The recipient can only open the photo one time, and after that it will be deleted. WhatsApp will also block screenshots, though keep in mind someone could still snap a picture of their phone with another device. To use "view once," open up a chat and:
- On Android: Tap the paperclip icon > Gallery, and then select the photo you want to send. On the next screen, tap the "1" button to enable "view once," then tap the arrow icon to send the message.
- On iPhone: Tap the "+" symbol > Photo Library, and select the photo you want to send. On the next screen, tap the "1" button to enable "view once," then tap the arrow icon to send the message.
You'll get a receipt in the chat saying that the image was opened.
Show Security Notifications
If for any reason the encryption key of a contact changes, you may want to be notified of this change. Ordinarily, a key changing is no cause for alarm: this often happens as a result of app reinstall or switching phones. But there is the possibility of a key change being caused by a malicious third party performing a man-in-the-middle attack. For this reason, it's good practice to verify (as described above) once again when the key of your contact changes. By default, WhatsApp doesn't display when a contact's keys change. To enable this:
- On Android: Tap the Three-dot icon (⋮) > Settings > Accounts > Security Notifications, and enable "Show security notifications on this device."
- On iPhone: Tap Settings > Account > Security Notifications, and enable "Show Security Notifications on This Phone."
Connect Through a Proxy Server
If you cannot access WhatsApp because the service is blocked in your region, you can try using a proxy server. When you connect to a proxy server, you connect to a server set up by volunteers, not WhatsApp, which in some situations can help you use WhatsApp in places where it's blocked. Accessing WhatsApp over a proxy server is straightforward, but in order to find a reliable one you will need to search online. It is usually best to search on social media for proxy details when you're in need of one. To use a proxy server:
- On Android: Tap the Three-dot icon (⋮) > Settings > Storage and Data > Proxy > Set-Up Proxy, and enter the proxy address of a trusted provider. In most cases, you will not need to worry about setting up the ports.
- On iPhone: Tap Settings > Storage and Data > Proxy > Set-Up Proxy, and enter the proxy address of a trusted provider. In most cases, you will not need to worry about setting up the ports.
If the connection to the proxy is successful, you'll see a status message telling you that it works. When using a proxy server, your messages are still end-to-end encrypted, though the proxy provider can see your IP address.
Hide Your IP Address from Another Caller
If you're in a circumstance where you're calling someone you don't trust (or they're calling you), consider changing how WhatsApp routes your call. By default, WhatsApp switches between routing calls through a server and peer-to-peer calling, which can leak your IP address to the other caller. You can force a call to route through the server to protect your IP address, but it comes at the cost of call clarity.
- On Android: Tap the Three-dot icon (⋮) > Settings > Privacy > Advanced, and enable "Protect IP address in calls."
- On iPhone: Tap Settings > Privacy > Advanced, and enable "Protect IP address in calls."