Is spying possible on WhatsApp?

WhatsApp is one of the most popular social media apps available today, with over two billion users worldwide as of February 2020. It has so many users mainly because of ease of access, availability across platforms, and it was the first app to provide messaging services free of cost, killing the traditional SMS. WhatsApp also claims to have 256-bit end-to-end encryption, which makes it a pretty secure application. Despite its popularity and privacy claims, let’s find out if someone could actually be spying on your WhatsApp conversations.

It is important to understand what 256-bit end-to-end encryption means. The messages you send from your device can only be read by your recipient’s device, as it is delivered over the internet in an encrypted form, using a 256-bit key to do so. This means that no law enforcement officials or malicious users can read your messages while it is being sent over the internet, even if they manage to gain access to it. Even WhatsApp themselves will not be able to decrypt what you say, making it one of the most secure ways to have a conversation. Usage of the 256-bit key is one of the best encryption methods, after the 128-bit and 192-bit encryption keys. It is used in most modern encryption algorithms, protocols and technologies such as AES and SSL. It would take approximately four trillion years for a supercomputer to brute-force a 256-bit encryption key, as it would have to go through 2256 different combinations.

We can rest assured that nobody will be able to spy on your messages while they are in transit. The only possible vulnerabilities are in the end devices; either your phone or your recipient’s phone. One of the easiest, yet effective methods someone can use to spy on your chats is by using the WhatsApp Web service with malicious intent. If someone has physical access to your phone, all they need to do is set up WhatsApp Web in your account with their device, and they can read all your conversations. This can be easily caught though. If your notifications are on for WhatsApp in your device, you will see a notification stating that WhatsApp Web is running. Even if WhatsApp notifications are disabled on your device, you can see a list of devices on which WhatsApp Web is set up when you visit the WhatsApp Web menu.

Someone who is familiar with common cybersecurity tools and techniques may be able to access your conversations on WhatsApp by installing a payload on your device. This could be administered using a link, an app or even a simple image file. Once this malicious payload is up and running on your device, the attacker can collect all kinds of information, such as access to your camera and files stored on your device. They can even see what’s on your screen at any given time, so if they catch you while you’re using WhatsApp they can possibly see who you’re talking to and read your conversations. Another way they can access not just your conversations but what you type as well is by using a keylogger, which will let them get whatever you’re typing on their device. This will include your WhatsApp conversations too. Most payloads used for such purposes (commonly known as Remote Access Trojans or RATs) come with a large array of features, including keyloggers. An example of a payload used to spy on WhatsApp users is the Israeli spyware “Pegasus” used by the NSO Group in November 2019 targeted at journalists, activists, lawyers and politicians in India.

WhatsApp has admitted to giving out metadata to law enforcement agencies in case they request it. This won’t allow them to read your conversations, but they can find out information like who you have been talking to, how long your calls were and whether any files were shared in the conversation, along with details like IP addresses and phone identifiers. This is enough to draw an informative map of your life. The police may also be able to get location and contacts data if the need arises. The most challenging aspect about knowing what WhatsApp shares about you to third parties is the fact that more often than not, they choose to neither accept nor deny any allegations and questions regarding data privacy.

There are many apps advertised on the internet which claim to be able to spy on anyone’s WhatsApp conversations. Never try to install and run any of these apps; they are all scams and they could seriously damage both your device and your victim’s device. They may steal your data and launch viruses and malware in your device, which can prove to be a cumbersome issue to solve. For the common man, spying on someone’s WhatsApp conversation is rarely a valid use case. Everyone has the right to privacy protected by the government, and you may find that having an honest conversation is better than taking extreme measures to breach into their personal life.