WhatsApp implements end-to-end encryption by default


Over 1 billion users will get end-to-end encryption by default once they update to the latest version of the software.

WhatsApp, the most popular messaging app in the world, works on iPhones, Android-based phones, Windows Phones, BlackBerry and Nokia phones. Through it, users can exchange messages, phone calls, photos, files and videos – and all are now encrypted (group chats as well).

“The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us,” WhatsApp founders Brian Acton and Jan Koum stated in the announcement.

“We live in a world where more of our data is digitized than ever before. Every day we see stories about sensitive records being improperly accessed or stolen. And if nothing is done, more of people’s digital information and communication will be vulnerable to attack in the years to come. Fortunately, end-to-end encryption protects us from these vulnerabilities.”

WhatsApp’s end-to-end encryption is based on the open source, forward secure Signal Protocol for asynchronous messaging systems, designed by Open Whisper Systems (OWS), a nonprofit software group that develops collaborative open source projects with a mission to make private communication simple.

The group partnered with WhatsApp a year ago, and helped with the integration of the protocol into the app.

Users who upgrade to the latest WhatsApp version will get notified when their chats become end-to-end encrypted:

[Image: WhatsApp notice]

“Once a client recognizes a contact as being fully e2e capable, it will not permit transmitting plaintext to that contact, even if that contact were to downgrade to a version of the software that is not fully e2e capable. This prevents the server or a network attacker from being able to perform a downgrade attack,” OWS’ Moxie Marlinspike explained.

“Eventually all the pre-e2e capable clients will expire, at which point new versions of the software will no longer transmit or accept plaintext messages at all.”
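The downgrade protection Marlinspike describes amounts to a per-contact capability flag that can only ever be set, never cleared. The sketch below is an added illustration, not code from WhatsApp or Open Whisper Systems; the names `PinningClient`, `naive_mode` and `replay`, the contact names and the event list are all assumptions made for the example. It replays the same constructed sequence of capability reports through a policy that trusts the latest report and through one that pins.

```python
from dataclasses import dataclass, field


class PlaintextRefused(Exception):
    """Sending would require plaintext to a contact already pinned as E2E."""


def naive_mode(advertises_e2e: bool) -> str:
    """Weak policy: trust whatever capability is reported right now."""
    return "e2e" if advertises_e2e else "plaintext"


@dataclass
class PinningClient:
    # Contacts ever seen as fully E2E capable. Entries are never removed.
    pinned: set = field(default_factory=set)

    def mode_for(self, contact: str, advertises_e2e: bool) -> str:
        if advertises_e2e:
            self.pinned.add(contact)
            return "e2e"
        if contact in self.pinned:
            # A "not capable" report after pinning may come from the server
            # or a network attacker, so fail closed instead of falling back.
            raise PlaintextRefused(contact)
        return "plaintext"  # legacy peer never observed as E2E capable


# Constructed sample: (contact, capability as relayed to this client).
EVENTS = [("alice", False), ("alice", True), ("alice", False), ("bob", False)]


def replay(events):
    """Return a (naive, pinned) outcome pair for each event, in order."""
    client, out = PinningClient(), []
    for contact, capable in events:
        try:
            pinned = client.mode_for(contact, capable)
        except PlaintextRefused:
            pinned = "refused"
        out.append((naive_mode(capable), pinned))
    return out


if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(EVENTS)):
        print(event, result)
```

The third event is the downgrade case: the naive policy falls back to plaintext, while the pinning client refuses to send.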

WhatsApp users can verify the authenticity of their encrypted session by either scanning a QR code or by reading a numeric security code aloud.

[Image: WhatsApp verification]

For those who want to know the technical details of WhatsApp’s end-to-end encryption, the company prepared this whitepaper.