Is WhatsApp safe? Main security issues

Is WhatsApp secure?

WhatsApp is secure for personal message content in the sense that chats, calls, photos, videos, voice messages, and documents are protected with end-to-end encryption. However, that does not make the whole app risk free.

Your account can still be targeted through scams, SIM swapping, suspicious attachments, exposed devices, or weak account protection. WhatsApp also processes some account, device, usage, and location-related data, so privacy depends on more than message encryption.

A 2025 lawsuit from a former WhatsApp security executive also raised concerns about Meta’s internal privacy and account-security practices. Meta denied the allegations, and a US court later dismissed the case.

How does WhatsApp encryption work?

WhatsApp uses the signal protocol, an encryption system that scrambles your message on your device before it leaves your phone. The message travels in unreadable form and can only be turned back into readable text on the recipient’s device.

This protection applies to personal texts, voice and video calls, photos, videos, voice messages, files, and group chats. Simply put, the readable version of your message should stay between the people in the chat, rather than being exposed while it moves through WhatsApp’s servers.

WhatsApp also refreshes encryption keys over time. These keys work like digital locks for your chats — changing them helps reduce what could be exposed if one lock was ever broken. That said, you do not need to set this up for regular personal chats because end-to-end encryption is turned on automatically.

However, WhatsApp encryption does not cover everything by default. Chat backups stored in Google Drive or iCloud are only end-to-end encrypted if you turn on encrypted backups manually. Without that setting, your active chats may be encrypted, but your saved backup history may not have the same level of protection.

WhatsApp privacy and security features explained

WhatsApp includes several privacy and security features, but they protect different parts of the app. Some are turned on by default, while others need to be enabled manually in the settings.

• End-to-end encryption. Personal messages and calls are encrypted by default, including texts, photos, videos, voice messages, files, and group chats.
• Two-step verification. This optional setting adds a six-digit PIN when you register your WhatsApp number again, helping reduce account takeover risk.
• Privacy settings. You can control who sees your “Last seen” status, online status, profile photo, and about section and who can add you to groups.
• Disappearing messages. You can set messages to disappear after a chosen period, such as 24 hours, seven days, or 90 days.
• View once media. Photos, videos, and voice messages can be sent so they disappear after the recipient opens them once.
• Device verification. WhatsApp runs background checks to help spot when malware on an unauthorized device may be trying to misuse your account.
• App lock. You can add biometric, PIN, or password protection to stop others from opening WhatsApp on your device.
• Encrypted cloud backups. You can add end-to-end encryption to Google Drive or iCloud chat backups, so back-up chats stay protected outside the app.
• Automatic spam detection. WhatsApp uses automatic detection to help identify suspicious accounts, scams, spam, and unwanted bulk messages.

These features help protect your account, chats, and privacy settings, but they do not remove every hacking risk. Your WhatsApp account can still be targeted through account takeovers, scams, exposed devices, and social engineering.

Is WhatsApp safe from hackers?

WhatsApp’s end-to-end encryption helps keep your message content unreadable to someone trying to spy on the connection between devices, including on unsecured Wi-Fi. However, it does not make your account, phone, or linked devices impossible to compromise.

Hackers may still target your WhatsApp account through weak passwords, exposed devices, or social engineering tactics — tricks that pressure you into sharing a code, clicking a link, or trusting a fake message. For example, they may pretend to be WhatsApp support to trick you into sharing your verification code.

SIM swapping is another risk. In this type of attack, a scammer convinces your mobile provider to move your phone number to a SIM card they control. If they receive your WhatsApp verification code, they may try to register your account on another device.

Weak passwords are also easy for bad actors to guess or crack, especially on your phone, cloud backups, email, Google account, or Apple account. To lower the risk, use a strong password, protect your phone number, never share verification codes, and turn on WhatsApp two-step verification.

Is WhatsApp safe for sending private photos?

WhatsApp is safer for sending private photos than apps without end-to-end encryption, but it is not risk free. Photos and videos are protected while they move between you and the recipient, so they should not be readable to people outside the conversation during delivery.

For more control, you can use the “view once” feature. This makes a photo, video, or voice message disappear after the recipient opens it once. However, the “view once” feature does not make sending a sensitive photo risk free. The recipient may still find another way to save, copy, photograph, or record what you send.

Is WhatsApp safe for kids?

WhatsApp is not usually the safest option for young children without parental involvement. The app has a minimum age requirement, but WhatsApp does not verify users’ ages, so children can bypass the rule easily. It also lacks the built-in content filters found in child-focused messaging apps.

The main risks for kids include contact from strangers, cyberbullying, inappropriate content, pressure to join unknown groups, and WhatsApp scams. Because chats are protected from outside access, you cannot rely on built-in message monitoring to see everything a child sends or receives.

If your child uses WhatsApp, you can reduce some risks by adjusting privacy settings, limiting who can add them to groups, and making profile details visible to contacts only. However, these settings are not locked parental controls, so a child may be able to change them back if they control the account or device.

WhatsApp Web on a family computer may be easier for parents to supervise, but it should not be treated as the main safety solution.

WhatsApp security issues

WhatsApp has built-in security features, but that does not remove every risk. Like other widely used apps, WhatsApp can still be targeted by scams, account takeovers, and harmful software. Some risks are common, such as phishing messages, while others are rare, such as zero-click spyware attacks that try to infect a device without a tap.

Malware and spyware attacks

WhatsApp has had vulnerabilities in the past that could expose users to malware or spyware, but the issues described below have since been fixed. In 2022, a video call flaw could have allowed attackers to run malicious code during an established call.

In 2025, WhatsApp fixed a Windows flaw that could make a harmful attachment look like a harmless file, such as a PDF. If you opened it inside WhatsApp, the file could have launched harmful instructions on your device, potentially helping malware to run.

Spyware has also targeted WhatsApp users in more sophisticated attacks. In another 2025 case, Graphite spyware was reportedly sent through harmful PDFs in WhatsApp group chats and used against journalists and civil society members, such as activists and advocacy workers. Spyware is dangerous because once a phone is infected, opened chats, files, location data, and other device information may be exposed.

Not every threat comes from a WhatsApp flaw. In one Android banking malware case, compromised accounts sent harmful WhatsApp messages to other people. That can make a scam look more trustworthy because the message appears to come from a real contact.

These examples show why it’s important to keep WhatsApp and your device updated, avoid unexpected attachments, and be careful with links or app-install prompts sent through chats.

Zero-click attacks

A zero-click attack does not require the target to click on a link, open an attachment, or approve a request. The attack can start when a vulnerable app or device processes a malicious message, image, file, or background request automatically.

In 2025, WhatsApp fixed a flaw affecting iOS and Mac users. When combined with a separate Apple image-processing flaw — a bug in how the device handled images — it could have helped attackers break into some devices without the person clicking a link or opening a suspicious file.

Some Samsung Galaxy devices were affected by a separate image-processing flaw. Researchers at Palo Alto Networks’ Unit 42 linked the flaw to LANDFALL spyware that used malicious DNG files — a type of raw image file used by some cameras — that appeared to be shared through WhatsApp.

On a vulnerable phone, the spyware could be triggered when the device previewed or displayed the harmful DNG image sent through WhatsApp, not because the user clicked a fake login link.

The WhatsApp iOS and Mac flaw, along with the Apple and Samsung image-processing flaws, has been patched. Attackers behind zero-click spyware campaigns usually focus on high-profile targets, so most people are unlikely to be targeted this way.

Still, these cases show why WhatsApp, phone, and computer updates matter. Zero-click attacks are rare, but outdated apps and devices give attackers more room to exploit known flaws.

Phishing and scams

WhatsApp scams are a large-scale problem because attackers can contact people directly and make messages look like they came from someone you know. Many phishing attacks on WhatsApp start with a suspicious link, a fake login page, or an urgent request for money, personal details, or a verification code.

Common tactics include scammers impersonating trusted contacts, sending fake lottery or prize messages, promoting crypto investment scams, or pretending to be a bank, delivery service, employer, or WhatsApp support. Some scammers may also use AI-made fake voice or video messages to make impersonation attempts more convincing.

These scams do not usually break WhatsApp’s security features. Instead, the scammers try to pressure users into taking action themselves, such as clicking a link, installing malware, sending money, or sharing a code. If a message sounds urgent, unusual, or too good to be true, check with the person who is supposedly messaging you another way before responding — for example, call them or message them outside that WhatsApp chat.

WhatsApp privacy concerns

WhatsApp is owned by Meta, the parent company of Facebook and Instagram, so many privacy concerns focus on how the app fits into Meta’s wider ecosystem. In 2021, WhatsApp updated its privacy policy to allow more data sharing with Meta in areas such as business messaging, safety, service improvement, and connections with other Meta products.

The practical point for you is simple: WhatsApp may not read your personal chats, but data about your account, device, app use, location, and business chats can still affect your privacy. Review your privacy settings, be careful when messaging businesses, and avoid linking WhatsApp to other Meta services unless you’re comfortable with the data sharing.

Metadata collection and data sharing with Meta

WhatsApp may encrypt message content, but metadata — information about your activity rather than your message text — can still show how you use the app. It can include when you use WhatsApp, your device details, IP address, general location, groups, and linked Meta services.

Simply put, metadata can reveal usage patterns even without exposing what your messages say. If you connect WhatsApp to Meta’s account center, shared data may also be used for personalization and ads across Facebook and Instagram.

Meta AI is separate from your encrypted personal chats. If you use it inside WhatsApp, avoid entering private details you would not want stored or reviewed for AI improvement.

In 2025, researchers from the University of Vienna and SBA Research used WhatsApp’s contact discovery feature, which helps the app find who in your contacts uses WhatsApp, to identify roughly 3.5 billion phone numbers and collect associated public profile data.²

Meta was notified in April 2025 and rolled out additional rate-limiting protections to restrict repeated large-scale lookups by October 2025.

How to use WhatsApp safely

WhatsApp has built-in security features, but safer use also depends on your device, settings, and habits. These steps can help reduce common risks, from account takeovers to scam messages and unsafe backups.

1. 1.Use strong passwords. Protect your phone, email account, Google or Apple account, and cloud backups with strong, unique passwords. If someone gets into those accounts or your device, they may be able to access WhatsApp data, backups, or linked services.
2. 2.Enable two-step verification. WhatsApp two-step verification adds a six-digit PIN when you register your number again. This makes account takeover harder than relying on SMS verification alone, even if someone gets your verification code through SIM swapping or social engineering.
3. 3.Don’t follow suspicious links in messages. Be careful with links, even if they appear to come from someone you know. A contact’s account that has been hacked can send phishing links, fake login pages, malware downloads, or scam messages that look trustworthy because they seem to come from someone you know.
4. 4.Review AI tools and connected apps. Only connect WhatsApp to tools you trust and understand. If a tool asks you to enable access to your chats, contacts, files, or automation features, check what it can do and disconnect anything you no longer use.
5. 5.Enable encrypted cloud backups. WhatsApp cloud backups are optional and need separate protection. Turn on encrypted backups if you save chats to Google Drive or iCloud so your saved message history and media are better protected than they would be in unencrypted backups.
6. 6.Only download WhatsApp from official sources. Fake versions of WhatsApp can contain malware or spyware. Install and update the app only through official app stores or WhatsApp’s official website, especially if the app stops working or you see prompts to download a “new” version of the app.
7. 7.Keep WhatsApp and your operating system updated. Updates often fix security flaws in WhatsApp, Android, iOS, Windows, macOS, and browsers. Install updates promptly, especially if you use WhatsApp on desktop, WhatsApp Web, or an older phone.
8. 8.Adjust your privacy settings. Review who can see your last seen status, online status, profile photo, about section, and status updates. You can also limit who can add you to groups, which helps reduce spam, scams, and unwanted contact.
9. 9.Don’t share sensitive information over WhatsApp. Avoid sending passwords, banking details, verification codes, private documents, or financial information through chats. Even if messages are protected while being sent, the recipient, device access, backups, screenshots, or scams can still expose sensitive data.

How does WhatsApp compare to other messaging apps?

Messaging apps handle privacy in different ways. Some encrypt personal chats by default, some offer end-to-end encryption only in certain chat modes, and others are built more around communities than private one-to-one conversations.

Signal vs. WhatsApp is mostly a privacy comparison. Both encrypt personal messages and calls by default, but Signal collects less account and usage data.

Telegram vs. WhatsApp comes down to default encryption. WhatsApp encrypts personal chats by default, while Telegram only offers end-to-end encryption in secret chats.

Discord vs. WhatsApp is more about purpose. WhatsApp focuses on private messaging and calls, while Discord is built around servers, communities, and group discussions.

Messenger vs. WhatsApp is the closest comparison because both belong to Meta and encrypt personal chats and calls by default. The main difference is that Messenger is more closely tied to Facebook.

References

¹ Guardian staff reporter. (2025, September 8). Ex-WhatsApp cybersecurity head says Meta endangered billions of users in new suit. The Guardian. https://www.theguardian.com/technology/2025/sep/08/meta-user-data-lawsuit-whatsapp 

‌² Researchers discover security vulnerability in WhatsApp. (2025, November 19). SBA Research. https://www.sba-research.org/2025/11/19/researchers-discover-major-security-flaw-in-whatsapp/ 

The trademarks displayed are for illustration purposes only. NordVPN is not affiliated with, sponsored by, or endorsed by their owners.