Is WhatsApp safe to use? A complete guide for every user

WhatsApp is a pretty safe and secure messaging app. It has a suite of privacy and security features, including end-to-end encryption, two-step verification, and more. All these serve to keep your conversations private and your account safe from hackers.

Meta’s ownership raises concerns for some users, who worry about data sharing with Facebook, potential leaks, and overall privacy—concerns that have only grown with the recent introduction of targeted ads. Users are also concerned about the proliferation of scam messages and the company’s security practices.

This article will explain the strengths and weaknesses of WhatsApp when it comes to privacy and security. It’ll also address whether or not the app is safe for kids and teens, offer some simple tips to make using the app safer, and compare WhatsApp with other popular messaging apps.

How secure is WhatsApp?

Though more secure than many options, WhatsApp is overshadowed by a few privacy-focused alternatives. That said, it does have some excellent security features. Here are a few of them.

End-to-end encryption

WhatsApp uses end-to-end encryption to keep your messages private. When you send something through the app, the data is “locked” (or encrypted, which turns it into unreadable gibberish), and only the recipient’s device has the key to “unlock” it. This means that third parties, including governments, hackers, and WhatsApp itself, can’t read what you send, even if they intercept the data.

End-to-end encryption is enabled by default for messages, photos, videos, files, group chats, and voice calls. If you create any backups, those will need to be manually encrypted.

Device verification

Device verification helps ensure that only your verified devices can access your WhatsApp account. WhatsApp stores a unique security token on your device, which gets updated with every message (the process is called security token bootstrapping). This mechanism ensures that a copy of the token can’t be reused elsewhere. When a connection attempt is made, WhatsApp checks whether the connecting client has the valid, current token. If not, the connection will be blocked.

That said, if your device is infected with malware, a hacker might still be able to steal the authentication key that lets you use WhatsApp without entering your login credentials every time. However, due to security token bootstrapping, stolen keys alone typically aren’t enough to send messages or interact with WhatsApp servers from another device, though they may allow the attacker to read stored messages indefinitely. Keep in mind, though, that this protection only applies if the attacker tries to transfer the session. In very rare cases, malware with persistent, root-level access could hijack the WhatsApp app directly on your phone and send spam or malicious links without breaking token security.

Two-step verification

Two-step verification is an optional feature you can enable to add an extra layer of security to your WhatsApp account. Normally, when you register WhatsApp on a new device, you're asked to enter a 6-digit registration code sent via SMS or phone call. But if someone gains access to your phone number, they could intercept that code and take over your account.

With two-step verification enabled, you'll also need to enter a 6-digit PIN that you create on top of the SMS code. This adds an extra layer of protection, so even if someone steals your registration code, they can’t immediately re-register your account without your PIN.

However, it’s worth noting that if an attacker can intercept your SMS messages, they could initiate a PIN reset during re-registration. In that case, your account would be locked for seven days. If you don’t intervene during that time by completing the OTP process and entering your correct PIN, the attacker may be able to complete the re-registration.

You can also add an email address so WhatsApp can help you reset your PIN if you forget it. To keep your PIN fresh in your memory, WhatsApp will occasionally prompt you to enter it.

Disappearing messages

WhatsApp lets you set an expiry date on messages. Messages can disappear after 24 hours, 7 days, or 90 days after they’re sent, whether they’ve been read or not. You can choose to turn disappearing messages on for all chats or just for specific ones, and if there’s a specific message in the chat that you don’t want to disappear, you can choose to keep it.

It’s a useful feature, but keep in mind it doesn’t stop the recipient from saving your message, for example, by taking a screenshot or snapping a photo with another device. You can work around this by sending a one-time photo and attaching your message to it. The recipient won’t be able to screenshot it, and the message disappears once the photo is closed. That said, even this isn’t foolproof, as someone could still use another device to record or photograph their screen.

App lock

App lock prevents someone from opening WhatsApp on your phone without passing a biometric check (fingerprint or facial recognition) or entering a password (web version only).

Common WhatsApp security issues

Despite WhatsApp’s use of end-to-end encryption and other safety features, no app is immune to threats. The following are some common security issues faced by WhatsApp users.

Account hacks

An attacker can take over your account by tricking you into handing over your verification code. They usually accomplish this by pretending to be a friend or a WhatsApp support rep. But in more advanced cases, an attacker may convince your mobile provider to transfer your phone number to a SIM card that they control by providing personal details about you that they’ve gathered through other means. This allows them to receive your WhatsApp verification code directly and access your account on their device.

Another, more sophisticated method involves exploiting vulnerabilities in the SS7 protocol, the system that enables international calls and SMS. Attackers with access to SS7 terminals (harder to obtain today but still used in high-level espionage) can intercept your calls and messages, including one-time passcodes. This method works similarly to SIM swapping, but instead of social engineering, the attacker tricks the network into thinking your phone is roaming abroad, causing your messages and calls to be forwarded to them.

You can add a layer of defense by turning on two-step verification—just make sure you never share your PIN with anyone.

Malware exploits

If your device is infected with spyware, an attacker could potentially read your WhatsApp messages. They can then obtain any personal information that you’ve shared with friends and family, such as personal secrets, credit card details, or login credentials. This could lead to a hijacked account or even identity theft.

WhatsApp has had security issues in the past. Most recently, Meta warned Windows users to update to the latest version of the app, as a vulnerability had been discovered that could potentially let attackers execute malicious code by sending specially crafted files with misleading file types. WhatsApp quickly patched the flaw, and there’s no evidence it was exploited in the wild, but it’s a reminder that no app is perfectly secure.

Scams

Scammers on WhatsApp may pose as friends or representatives of legitimate organizations (usually government agencies, employers, or WhatsApp support) and trick you into clicking a malicious link, sharing personal information, or sending them money. WhatsApp scams can take countless forms, including surveys, giveaways, investment opportunities, job offers, pleas for help, and more.

Privacy concerns

While end-to-end encryption means that WhatsApp can’t read your messages, the app collects and shares user information with other Meta (formerly Facebook) companies for business and advertising purposes. This information includes your phone number, IP address, WhatsApp usage patterns, and location information.

There have also been multiple incidents where WhatsApp or Meta user data has leaked. For example, in 2020, it was discovered that invite links to private WhatsApp groups were being indexed on Google. This means that anyone could join them and obtain the names, phone numbers, and other personally identifiable information of group members.

Is WhatsApp vulnerable to government surveillance?

Your WhatsApp messages can’t be read by anyone, including the government, thanks to end-to-end encryption. However, WhatsApp still has access to other information about you, like your IP address, contacts, usage patterns, and so on. It will share these with governments if it has “a good-faith belief that it is necessary” to comply with legal requests.

The fact that Meta has made its generative AI model, Llama, available to U.S. government agencies also raises some privacy concerns. User data collected across all Meta services, including WhatsApp, may be fed into the AI model.

Is WhatsApp safe for kids and teens?

Allowing kids and teens to use any kind of social media comes with a certain amount of risk, including exposure to inappropriate content, cyberbullying, and online predators. But there are strategies parents can adopt to make using WhatsApp safer for children.

Age restrictions and legal considerations

WhatsApp's Terms of Service vary by country, but in most of the world, you must be at least 13 years old to use the service. Just know that there's no age verification during registration, so children can just lie about their age when creating their account. WhatsApp says that it will sometimes ask for further verification in the form of a selfie or photo ID, but this isn't always the case.

In terms of laws, the GDPR in the EU and COPPA in the U.S. do put extra conditions on services used by children, but with no age verification, WhatsApp has no way to determine a user’s actual age.

Parental controls and supervision tips

WhatsApp doesn’t have built-in parental controls, so parents will need to take a more hands-on approach to supervision or install a third-party parental control app that’s capable of blocking or monitoring WhatsApp conversations.

The best way to keep your child safe on WhatsApp is to educate them on safe messaging habits. This means teaching them not to talk to strangers, click on random links, or share personal information.

You can also mitigate the risks of using WhatsApp by taking an interest in your child’s digital life, which will help you build trust and stay aware of any potential issues. Ideally, they’ll feel comfortable asking you for help if they encounter any problems.

How to use WhatsApp safely

Practicing good digital hygiene and taking advantage of WhatsApp’s built-in features can make using WhatsApp safer. Below are some simple steps that you can take to protect your WhatsApp account, personal data, and private conversations.

These are all preventative measures. If you suspect that your account has already been hacked, you’ll need to recover your WhatsApp account.

1. Use two-step verification

We strongly recommend that you turn on two-step verification in your WhatsApp settings. This makes it harder for an attacker to hijack your account, as they’ll need both the verification code sent to your phone by SMS and a 6-digit PIN to access your account on a new device. Just make sure you use an unguessable PIN (not your birth date, in other words).

To turn on two-step verification in WhatsApp:

1. Open the kebab menu (3 vertical dots) and tap Settings (on iOS, you can access Settings via the gear icon in the bottom right corner).
2. Tap on the Account button.
3. Select Two-step verification.
4. Tap Turn on and create your 6-digit PIN.

2. Adjust the privacy settings

There are several privacy-related settings in WhatsApp that you can tweak to manage who’s able to see your information, such as your profile picture and status. You can also control who can add you to group chats to reduce unwanted contact or exposure—by default anyone who has your phone number could add you to a group chat.

To control who can see your personal information and add you to group chats:

1. Open the Settings and tap on the Privacy button.
2. Change your preferences for the following: Last seen and online, Profile photo, About, Links, Status, and Groups (I recommend setting them all to My contacts).

Unfortunately, there's no way to disable Meta AI on WhatsApp. But if you’re concerned about the amount of data that may be shared with third parties, you can limit your interactions with Meta AI Chat.

3. Avoid phishing and scam messages

As a general rule, you should never follow directions or click on any link from someone you don’t know, even if they claim to be from a legitimate organization, like WhatsApp support.

Common red flags for phishing attempts or scams include messages that ask for money or verification codes, request personal information, or offer unrealistic rewards or benefits.

Additionally, you should be wary if a known contact is acting strangely; it’s always possible that a friend or family member’s WhatsApp account has been hacked, and the attacker is impersonating them to exploit your trust.

4. Keep your app updated

Using an outdated version of WhatsApp can be very dangerous. This is because app updates include essential bug fixes or patches for security vulnerabilities. By default, WhatsApp updates automatically, and it's recommended that you keep this setting turned on. The same advice applies for your phone’s operating system—there’s no point worrying about the security of your WhatsApp account if your device itself is vulnerable.

5. Use app lock

Activating the app lock feature on WhatsApp prevents someone from accessing your WhatsApp account, even if they get physical access to your phone. This is especially important if you often leave your phone unattended. It’s a small but significant step that will protect you from both theft and casual snooping.

To turn on app lock:

1. Open the Settings and tap Privacy.
2. Scroll down until you see App lock, tap it, and toggle it on.

6. Consider locking chats

WhatsApp also comes with a chat lock feature that you can use to hide individual conversations behind a PIN code or biometric authentication. If you have a particularly sensitive conversation (one where you share personal details), consider locking it. Once you do, there’ll be a locked chats button at the top of your list of conversations.

To lock a chat:

1. Go to the Chats tab and long-press on the chat you want to lock until a green check mark appears.
2. Open the settings menu and tap Lock chat.
3. Select your preferred verification method when accessing the chat in the future.

7. Don’t overshare personal info

Don’t get lulled into a false sense of security just because WhatsApp uses end-to-end encryption. There are many ways that oversharing personal info, such as your full name, home address, bank information, or passwords, can still put you at risk. This is true even when you’re speaking to someone you know and trust.

While your WhatsApp account and device may be secure, you never know if the person you're chatting with has the same level of protection. And even if you send a disappearing message, what you write can be saved and shared with others without your knowledge.

8. Review your connected devices

WhatsApp lets you stay logged in on multiple devices for convenience. But every connected device is also another potential entry point for attackers. Therefore, it’s a good idea to periodically review the devices that are linked to your WhatsApp account. Just go to the settings menu and remove any that you don’t recognize or no longer use.

To check your linked devices or remove them:

1. Open Settings and tap Linked devices
2. Select a device to unlink.

9. Use an antivirus

The official WhatsApp app is generally pretty safe, but your device can be infected with malware from other sources. For example, some unofficial apps may be insecure or outright malicious. Installing a good antivirus can help you detect and remove threats before they cause any harm.

WhatsApp vs. other messaging apps: Privacy showdown

WhatsApp is a decent choice for privacy, but how does it stack up against other popular messaging platform alternatives, like Signal, Telegram, Facebook Messenger, and Discord? Let’s take a look.

WhatsApp vs. Signal

Signal is the superior choice when it comes to privacy and security. Both apps use end-to-end encryption to prevent outside parties from reading your conversations, but only Signal encrypts the metadata that's sent along with a message, such as information about who the recipient is and a timestamp. This means that not only are the contents of messages on Signal protected, but information about the message is protected, too.

Signal collects less information about you—basically just your phone number—whereas WhatsApp also collects your contacts, IP address, location, and more, as well as serving you targeted ads.

Last but not least, Signal is more trustworthy because it's owned by a non-profit organization (Signal Technology Foundation). WhatsApp is owned by Meta (formerly Facebook), and its privacy policy states that it may share user data with other Meta companies.

WhatsApp vs. Telegram

WhatsApp and Telegram both have their pros and cons. Telegram’s client-side code is open source, and the company collects less user data than WhatsApp. But only WhatsApp offers end-to-end encryption for all communications—Telegram’s end-to-end encryption is only available in Secret Chats.

WhatsApp vs. Messenger

WhatsApp and Facebook Messenger are very similar. Both use end-to-end encryption by default, and both are owned by the same company (Meta). However, WhatsApp wins because it's only linked to your phone number, whereas Messenger is linked to your Facebook account (and therefore all of the personally identifiable information you share on that service).

WhatsApp vs. Discord

WhatsApp knows more about you than Discord, but it knows less about what you say. Discord only provides end-to-end encryption for audio and video calls and not text messages, meaning it (and other third parties) can potentially read all of your conversations. That said, you can set up Discord using your email address rather than your phone number, which is a lot easier to anonymize. But if you share a lot of personal information on Discord, you could easily be identified.

FAQ: Common questions about WhatsApp safety

Is WhatsApp safer than SMS or email?

Yes, WhatsApp is generally safer than SMS or email. This is because it uses end-to-end encryption to protect the contents of your messages, which means that only you and your recipient can read your messages, not even WhatsApp can access them.

In contrast, SMS messages aren’t encrypted, so they can be read if they’re intercepted by a third party. Most popular email services aren’t encrypted either, including Gmail (unless you’re an enterprise customer).

Can someone track my location via WhatsApp?

No, unless you choose to share your location using the Live Location feature. That said, WhatsApp collects your IP address, which can be used to determine your general location, and it’s possible for hackers to obtain this information through the platform. For total privacy, disable location permissions for WhatsApp on your device.

Does WhatsApp share data with Facebook?

Yes, the data WhatsApp collects may be shared with other Meta companies, including Facebook and Instagram. The data collected by WhatsApp includes your phone number, IP address, contacts, app usage patterns, location information, and more. This data may be used to improve Meta services and to show you targeted advertisements.

How private is WhatsApp messaging?

WhatsApp messaging is very private because it protects your messages using end-to-end encryption. Essentially, this means that only you and the recipient of the message will be able to read what you write. Even if a hacker (or WhatsApp itself) were to intercept the message, all they would see is unreadable gibberish. That said, the app does collect metadata, like who you talk to, when, and how often, which could still reveal patterns about your behavior.

What are the disadvantages of using WhatsApp?

WhatsApp is a pretty safe and private messaging app, but it’s not perfect. It collects a lot of data about its users and shares it with other Meta companies, and it’s recently introduced ads to its Updates tab. In the past, gaps in its security have also exposed its users to malware or resulted in data leaks.

Additionally, while it protects your messages using end-to-end encryption, it doesn’t encrypt the metadata sent along with your messages, which can reveal information like who you're talking to and when.