Why is a bad idea to using the WhatsApp for anything

This sort informal article summarizes the most problematic privacy issues with Whatsapp in brief technical aspect and explain, why. And how to mitigate the known risks and the related possibly threats.

The market share of WhatsApp is more than creepy, I explain, why and how to mitigate the known risks and the related possibly threats.

How to use the WhatsApp without jeopardize your privacy and your device? The short answer: you simply cannot. The findings are not brand new possibly vulnerabilities, but the people should know more about this topic. The default setting of WhatsApp is by themselves is scary.

0x100. The IM uncover the time when the user recently used the application and when was recently online. Okay, probably only for the contacts but not a big rocket science to put yourself as a contact to another's contact lists.

0x200. By default the application allows receive attachments - it's as like as you open every email attachments which contain any malicious code or don't. Therefore strongly recommended simply deny to receive attachments automatically. It's not needed more elaboration.

0x300. Keep in mind: okay, the WhatsApp is available on MacOS and Windows as well, but these clients always get the settings from the mobile device where you used the WhatsApp recently. Ergo, you must use the application in a real, physical mobile device - or in virtualized, sandbox environment.

0x400. Nope, your Apple iCloud+ Private Relay feature doesn't protect your Apple devices against leaking your actual IP address among other sensitive information about your device. The Apple Private Relay hides the real IP address only in the native Apple apps, for example in Safari and Apple Mail. The Apple "protection" feature doesn't prevent the unattended leaking via another applications. If you want to protect the operation systems and the applications, you have to use a reliable VPN service, which route almost the entire traffic to a secure tunnel. IMHO the best solution is the PIA VPN - also know as PrivateInternetAccess VPN - and the Proton VPN with kill switch feature - just briefly.

You can set up the WhatsApp under the hood settings to protect IP address in calls, but if you simply analyze the traffic during you use the WhatsApp, you will see this means a weak protection and don't affect the attachment related IP-leaking.

0x500. By default you can see another actual IP address unless to contacting the another user. Why? If formerly you contacted to a chat partner earlier and he or she already sent any type of file for you - usually images - later you can lookup his or her IP address among other mentioned sensitive information if you synchronize the conversations on an another device which will download the formerly attachment from the senders device. It's really shame - if the Meta, as owner of the WhatsApp - don't offer to store or transfer the chat history in server side, at least the Meta should offer proxies the traffic by default.

I try to don't write more horrible details about Meta features in the future, but keep in mind the formerly, uncovered properties of this service. Just some example:

When the Meta/Facebook/WhatsApp/Instagram announced the end-to-end encryption, that was at least deceptive. In fact: the Meta lies as usual. For example you can turn on the E2E encryption but is still isn't default setting. Furthermore if someone reports an another user within the service, the chat history will landing in readable format in Meta staff to further investigation. It's ridiculous: doesn't matter that the private and public keys stored on the endpoints or the Meta servers.

The Meta must continuously analyze the entire traffic of the users, otherwise they cannot protect the user from well-known malwares and malicious URLs and silently block the suspicious messages without any user interaction. In another approach: they have to snoops the entire conversation to spot the potential unwanted and harmful contents and scams. If the machine learning-based fraud detection technology indicates an benign message as malicious, this will affect the entire user. Why? See below.

After the Facebook acquired the Instagram and WhatsApp, they silently began to handle all of the data from these services in aggregated form, linked to an user. The purpose is not just the fraud prevention and more-more precise personalized advertisement. If an user identified as suspicious in any Meta service, this might affects the Instagram, Facebook and WhatsApp.

Therefore I always ask others to never send me any kind of sensitive information via these build-in messaging feature. For example if someone send to the recipient pictures about a car accident or any evidence of criminal activity, the automated fraud prevention detects this as criminal activity, after this the Meta reserve the right to restrict of permanently ban the sender and/or the recipient account. The worst case is the shadow ban. See on Wikipedia. In a nutshell: you can loss the entire Facebook, Instagram and WhatsApp account forever and in the legal practice, you don't have any chance to effective appeal.

Do you think if an user affected a strict restriction, he or she can bypass it easily? Nope. Uninstall and reinstall the application and register a brand new account with new phone number might will be impossible on the same device. Because the Meta stores your unique device fingerprint. See on Wikipedia about device fingerprinting.

Keep in mind, if you place a voice or video call via Meta service, the Meta might generate automated [text] annotation from the voice in the background and store it forever.

So, I kindly ask everybody to never send me any sensitive... if already impossible expectation to fully ignore these apps in the real life due their popularity.

Just one more "small" thing: the criminal-related activity, illegal activity and malicious activity fall under a too wide scope globally, than you think! Nowadays in many countries the investigative journalism, wide spectrum of researches and the LGBTQIA-related content classified as crimes and persecuted by law enforcement authorities, regardless the user is a tourist or citizen of the given state. The authorities can capture the packets as any user with an simple traffic analyzer.

Did you ever checked the App Privacy Report under Privacy and Security in Security settings on iOS?

Cover photo: FB HQ pano, cca. 2014.