WhatsApp is a Facebook created cross-platform messaging and voice app that makes it easy to communicate with other people around the world—such as family. Like any other social media app, it allows you to network with a simple internet connection and phone service plan. 

As WhatsApp continues to grow, speculation has arisen that the platform is prone to hacking. To answer the big question, can WhatsApp be hacked? The answer is Yes and No. Let’s start with the Yes. 

The “Yes” Answer.

WhatsApp communication data could be accessed through a backdoor intrusion on the device (your phone or computer). Backdooring is a stealth tactic used by malicious actors like hackers to bypass the standard authentication or encryption in the computer systems, hardware, or electronics. Backdoor tools are generally embedded into a target device or software application without the owner’s or user’s knowledge. 

In most cases, engineering tricks like sophisticated deception, persuasion, and other psychological manipulation tricks are used to influence the target into installing back doors onto their own devices without knowing the danger. Back doors give malicious actors administrative control over the target computing devices and use remote access Trojan (RAT) to control them. 

Most backdoors come in the form of free mobile apps and Desktop software that we install on our smartphones and computers. We love to download free software, and yet these could be used as tools to spy on us, steal our confidential data, or even make you an accomplice in a crime you didn’t commit.

Once installed on the device, back doors try to get “root access” to your device (especially on android phones) by targeting multiple vulnerabilities that they exploit to control the entire system, thereby allowing a remote attacker or any malicious actor to control your device or phone fully.

If a vulnerability-based attack is not successful, the backdoor could try to trick you into granting it root access by displaying a message that probably looks like “Urgent System Update required, Click Update.” By clicking Update, you will be granting a backdoor program system-wide privileges on your device, which essentially gives a remote attacker complete control over your phone to be able to read all your WhatsApp conversations.

Israeli cyber arms firm NSO Group developed a Spyware program called “Pegasus.” This malware tool has scary potential to carry out key-logging (Capturing Keyboard typing), collect passwords, trace the location of the phone, take screenshots on the device screen, control device’s camera and microphone, sniff conversations like stealing your messages and call records from instant messaging apps (WhatsApp, Facebook, Twitter, Skype, and Gmail).

To prevent backdoors from accessing your device or network, you’ll have to do the following:

• Install reliable antivirus software from recognized and industry-leading vendors. Most people feel like it’s not necessary to have antivirus on their phones, yet it is significant for their devices’ security. AVG, McAfee & Kaspersky Mobile Antivirus are some of the most reputable services that are recommended for use.
• As mentioned, most Backdoors get installed on your device after being persuaded or social-engineered; you always need to be careful with what you download from the internet. Avoid clicking on every link you find on the internet. Such links have persuasive wording like; “click here to claim your prize, download this free internet app, this app will turn your phone into absolute magic.” Such persuasive wordings are intended to manipulate your minds psychologically and compromise your personal conviction and judgment on what you need and don’t need on the internet.

• Some Backdoors work through port binding. At the software level, a port is a logical construct that identifies a specific process or network service type. Ports are identified for each protocol and address combination by 16-bit unsigned numbers, commonly known as port numbers. It is through ports that various services are run. 

When a server program is initially started, it binds to a designated port number. Some of the protocols that use port numbers include the Transmission Control Protocols, TCP (used for inter-communication of devices on the internet, intranet, or extranet). 

The TCP/IP is popularly known as an Internet Protocol Suite; a group of different protocols like File Transfer Protocol (FTP), Secure Shell (SSH), Telnet, Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), Hypertext Transfer Protocol (HTTP), Simple Network Management Block (SNMB) and many others.

Many of these protocols run on various assigned ports, some of which are vulnerable to backdooring attacks through Remote Access Execution. For instance, File Transfer Protocol (FTP) runs on Ports 20 or 21. And when these ports are open or instead of listening, attackers or hackers can carry out anonymous authentication attacks on FTP Servers, Web Servers, or SQL Servers, thereby granting them access to sensitive data. 

Furthermore, Port 23 (on which Telnet runs) is vulnerable to remote access attacks. Telnet sends data completely unmasked in clear text, allowing attackers to listen in, watch for credentials, inject commands via man-in-the-middle attacks, and ultimately perform Remote Code Executions. Different TCP and UDP ports, once open and listening, can make your devices and network vulnerable to remote access attacks. 

For IT Pros, you can check for listening ports and see the services running on them through using a CMD command “netstat -ab.” Not only that, but you can also close some of these ports, especially when the services running on them are not crucial for you or your machine. For instance, you can close the Telnet port since you probably don’t need it to prevent attack incidents on your device.

• Use a firewall, especially for organization computers and networks. A firewall is a system of hardware, software, or a combination of both, that’s used to monitor and control incoming and outgoing network traffic. A firewall establishes a barrier to outsiders illegally intruding into the organization’s network or computers. Network layer firewalls can be used to implement packet filters where set rules are established, and this prevents uncalled-for packets from the outside from entering.

• Always ensure that your device or computer receives routine updates from your software and operating systems’ makers. Android users, especially on mobile, need to make updates from Google on a frequent basis. Windows Users must ensure that their operating system is up to date through automatic update settings embedded into your device OS. For those who use Apple devices, you must ensure that you are running an iOS, not below version 9.3.5. Apple Devices running below 9.3.5 versions are more likely to be easy targets of Backdooring through tools like Pegasus.

The “No” Answer.

WhatsApp can’t be hacked during the communication between the sender and receiver because it uses end-to-end encryption (E2EE). Some messaging apps only encrypt messages between you and them, but WhatsApp’s end-to-end encryption ensures that only you and the person you’re communicating with can read what is sent. Nobody in between, not even WhatsApp, has access to your communication.

Received messages are secured with a lock, and only the recipient and the sender have the unique key needed to unlock and read them. For added protection, every message you send has its own exclusive lock and key. All of this happens automatically: no need to turn on settings or set up private secret chats to secure your messages.

WhatsApp uses the “Signal Protocol” developed by Open Whisper Systems to implement the end-to-end encryption which works as explained:

1. When the user first opens WhatsApp, two different keys (public & private) are generated. The encryption process takes place on the phone itself.
2. The private key remains with the user, whereas the public key is transferred to the receiver via the centralized WhatsApp server.
3. The public key encrypts the sender’s message on the phone before it reaches the centralized server.
4. The server is only used to transmit the encrypted message. Only the private key of the receiver can unlock the message. No third party, including WhatsApp itself, can intercept and read the messages.
5. If hackers try to hack and read the messages, they will fail due to the hardened encryption. This means hackers can’t position themselves between the sender and the receiver to carry out some kind of Man-in-the-Middle attack (MiTM).

To make it even harder, WhatsApp’s end-to-end encryption Architecture is based on AES Security Standards under which 256-bit encryption is recommended. In fact, the AES encryption standard is now used worldwide, making it the most reliable encryption technique available today.

Therefore, it is essential to note that WhatsApp communications can’t be intercepted during the transit stage due to the hardcore encryption used right from the sender up to the Receiver. However, embedding back doors into the target device could lead to remote access of WhatsApp data on your phones. Enhancing operating systems security, especially in Android OS, should be something developers at google must greatly focus on. Your personal device security and safety shouldn’t be overlooked, so you need to keep your eyes open all the time!