WhatsApp is a social media App that falls under the Facebook umbrella of products and/or services. It is used as a social messaging App by friends and family to keep in touch. WhatsApp’s popularity has surged in recent years raising its profile such that it has become one of the most popular social media Apps on the market today.
It is also one of the most popular Apps in the Irish Market, sitting in 2nd place on the Google Android Play Store ranking of free Apps. It is also 3rd on the Apple App Store ranking of free Apps. Furthermore, CyberSafeIreland conducted a survey which highlighted that WhatsApp currently retains a following of 33% of the Irish young users market, placing it squarely as the Third most used Platform by children in Ireland.
We conducted our own independent research to determine which Apps where the most popular among Irish children to see if the data supported this conclusion. We asked parents or people with siblings in Ireland to list the Apps their children or siblings preferred. While it seems, there is some debate as to whether YouTube is or is not a social media App, the results do support the conclusions of CyberSafeIreland. If one considers YouTube a social media App, then WhatsApp come in 4th place and if one does not consider YouTube a social media App then WhatsApp claim’s the 3rd spot.
Originally designed for the mobile App market, WhatsApp has extended its platform to include the desktop environment on both Windows PC based and IOS Mac devices. This allows for virtually seamless syncing of accounts and facilitates easy switching between communicating via a mobile platform while on the move, and a more flexible comfortable desktop device when sitting in an office or home environment.
Companies also have in recent years begun to adopt WhatsApp as a platform for business use. Usually this is an extension of existing services. For example, many companies will issue order, shipping and delivery status updates via WhatsApp. Some also offer customer support via WhatsApp.
There are currently no in App purchases within the WhatsApp platform. There are third-party plugins, such as emote and sticker packages and some of these may incur charges, but these are Google Play Store charges and not WhatsApp charges.
WhatsApp uses mobile phone WIFI and Data, and as such may result in accrued charges via the user’s internet service provider or mobile data provider. Again, these are not WhatsApp charges or fees, and users are responsible for managing their own data plans.
Features of Whatsapp
WhatsApp is primarily a text messaging App which allows people to send text messages via their internet connection. These text messages are free of charge from WhatsApp. Charges only via the user’s internet service provider or phone service provider, if for example the user exceeds their allotted data plan. It is the user’s responsibility to monitor this.
WhatsApp has extended its functionality to include video calls. As such it has access to your phones camera and can take pictures to add to chats. You may also use your phones gallery to add previously taken pictures or downloaded content to chats. In addition to being able to send pictures, users may also send Documents including PDF’s, spreadsheets, slideshows and so on, up a healthy size restriction of 100mb. This allows users to share reasonably sized documents without the need to switch to E-mail Apps. The size of file sharing that WhatsApp’s offers is quite good compared to other similar Apps, such as Discord, a recent rival to WhatsApp whose user based is steadily increasing, but who’s file sharing size is limited to 8mb on a free account and 50mb on a subscription to their upgraded account service, Nitro.
WhatsApp allows for group chats to be created and managed, allowing up to 256 people per chat to conversation and share information, pictures, videos, and sound files. Chats can be customized allowing the name of the group to be changed and chat profile picture to be changed. You may also mute a chat. Chat options further provide the ability to report, block, mute, clear, and export a chat. A shortcut to a chat can also be created which places the short cut directly on your device’s desktop environment.
WhatsApp has many interesting security and quality of life features and settings which will be covered in depth in another section of this report, for example, if you select and hold a message in a chat, you can un-send the message deleting it not only from your own device but from the entire conversation. This is a very useful feature in situations where a mischievous child might send an unauthorized message, or a parent finds their child has sent in appropriate content or revealing data via a message. This is not a guarantee that the data has not been otherwise saved on the end user devices, but it is a worthwhile security feature none the less and one that frankly we feel all such messaging Apps should adopt.
WhatsApp money transfer is a beta program currently being tested in countries such as India. It is currently (as of 26th Jan 2019) not available in Ireland, however, it is designed to facilitate the payment of bills and the sending of money between WhatsApp users by implementing the UPI (Unified Payments Interface) which requires activation. Once the UPI has been implemented, the user can then link in their bank account, and send money via a ‘Payments’ option in the user settings.
While is not beyond the bounds of possibility that a child may figure how to implement the UPI and select the payments option, the risks associated with unauthorized payments is far less significant than it is in other similar Apps or video games.
WhatsApp uses 60-character End-to-End device-based encryption. This means that a private key code is generated between two users, which is stored only on each user’s local device. The corresponding public key must be used if the message is to be read. Encryption is not perfect in any case, but encryption does afford a reasonable level of peace of mind and security.
In order to crack the encryption a ‘hacker’ would require a huge amount of computing power and a long period of time. It might be possible for a mis-user to guess an encryption key, but the odds of this happening are extremely low. This means that the only reasonable fast way to access a chat a mis-user should not have access too, is to gain access to a key, which means they would have access to the device allowing them to view the conversation or data in plain text.
What does all of this mean to the end user? Well, it means that your datas safety can be rated as very high. As these encryption keys are stored on the end user devices and not on WhatsApp servers, not even WhatsApp can view the data contained within a chat.
Data shared via chats, is deleted immediately upon delivery, from the WhatsApp servers. In cases where delivery failed, data is normally kept (encrypted) for 30 days to facilitate further attempts to deliver the data/message.
In extreme cases data may be held longer, for example; in cases where there is a good faith belief that the data may be needed in an account investigation. Or in cases where a legal request for access to account data / chat data has been made by legal or law enforcement authorities. However, users should always remember, your data is only as safe as the user with whom you are sharing your data. A person with whom you share data is free to share that data on with whom-ever they so choose, so users must think very carefully about who you, or they, add to friends, contacts list, phone books and what data they share.
Data shared with companies is retained on the companies end user device, and as such the data protections of WhatsApp will no longer apply. Users again, should think very carefully about what they share with companies and investigate the data retention, sharing and deletion policies of any companies with whom they are considering sharing data.
Whatsapp's security options
Manage account visibility
Manage GPRS location settings
Manage Users (Block, Report)
Manage account security (Two step verification)
Manage chat settings (backups, Delete Chats)
How to apply these options
Users may select the general App settings by selecting the three dots at the top right (which denotes a settings menu) of the screen as seen below.
Next, select settings from the available options. This will enter the settings menu.
You will now be in the main settings menu from which we will begin to adjust App settings to restrict the sharing of user data.
Accounts -> Privacy:
This menu is important from the perspective of parents who wish to reduce the online footprint and visibility of themselves or their child while using the WhatsApp platform.
Profile Photo / About / Last Seen:
These settings are all very similar in nature. We recommend that Last seen status is blocked from all users, profile photo be restricted to contacts and the about status be restricted from all user. This will help to restrict the user’s online footprint.
Status displays whether a user is currently available, away or busy. This setting might be seen as fairly innocuous however for peace of mind we recommend that either the option to include contacts individually or exclude contacts individually be used. This will restrict your status updates to only those you specifically wish to share them with or restrict those you specifically do not wish to share them with.
This setting controls the ability for WhatsApp to display and share location sensitive data. While you there are no options to here, the options are controlled by device settings. If you turn off GPRS based location services on your device, this data is no longer accessible via WhatsApp. An immensely important security feature where children are concerned.
Contact Blocking / Deleting:
Contact blocking in a simply process involving selecting the option from within the privacy settings, then selecting the contact to be blocked. This will add the contact to a blocked list contained here.
The process of unblocking a contact is done from the same menu.
As a further measure, should a parent wish to permanently forever a contact from contacting their child, the number can be removed from the device contact list. This will not just block the contact but preclude that contact from ever contacting the child again through WhatsApp.
This options simply allows a user to tell if a message has been read by the recipient. This does not involve any data sharing. It is a simple toggle option. We do not see any security risks associated with this option.
Returning to the main account settings menu we next select security. In here we set turn on security notifications.
With End-to-End encryption, encryption keys are stored on the devices of senders and recipients. These keys will not change under normal circumstances. However, in rare cases they might. For example, should a user change phone number, and use the proper procedure to change number their encryption key will change as their account has changed. Your chat is still encrypted, and the Encryption keys will re-sync the moment a message is sent.
User’s will still want to be notified that a key has changed enable them to contact the user and verify it is them and that keys re-synced, just in case the encryption has somehow been broken, which is extremely unlike, but not impossible.
Two step verification is account security setting with aims to make it more difficult for unauthorized users to download and access your WhatsApp account. This locks your phone number to a pin number.
Returning to the main account settings menu we select Two Step Verification from the menu. We are then prompted to enter and reconfirm a pin number. Next, we are asked to enter and reconfirm an E-mail address which we will use should we forget our pin number to reset. Finally, we will see a confirmation message confirm we have set up Two Step Verification. Should we wish to reset Our pin, or E-mail, we simply renter the Two Step Verification menu and are offered prompts to do so as seen below.
Request Account information:
Users may request their data from WhatsApp. Requests take up to three days. Requesting one’s data is a useful way to confirm if your data is being restricted. For example, prior to enabling these settings as we suggest, a user might request their data, then adjust the settings; finally requesting their data again and doing a direct comparison.
To request Account Information simply return to the main account settings menu and select the ‘Request Data’ option. On the next screen, simply select the option to request your data. You will be presented with a message stating that your data will take approximately 3 days to be prepared and will need to be downloaded once available, as seen below.
As mentioned previously, chat Backups allow you to export a chat to a third party. This can be done individually at any time from within a chat as seen below.
However, chats may also be set to backup automatically, or at pre-determined times, or disabled entirely. As previously mentioned, backing up chats to a third-party carries an inherent risk of data leakage. We recommend that automatic backups be disabled. Chats may still be backed up individually as and when needed. However, if security is the main concern, chat backups should be avoided. Furthermore, users should remember; when backing up data to a third-party service you enter that third-parties’ terms & conditions and depending on the third party your data may be shared.
To disabled automatic or scheduled chat backups, return to the main user settings. Next, select Chats setting. Next, select ‘Google Drive Settings’ and set the chat backups frequency to ‘Never’ as seen below.
Delete Chat Content as needed:
As mentioned previously, users can delete content as needed from chats. A user may delete any content they have sent from either their local device, or from all devices linked to the chat. Users also may delete any content the find inappropriate or offensive from a chat which another use has sent, however; this will only delete the offending message or content from their local device, not the entire chat.
To delete content, simply highlight the desired content. Tap to select this content. Tap the delete icon from the top of the chat, then select the desired deletion method. The content will then be deleted from the local device, or the entire chat depending on the chosen option. As seen below.
*DISCLAIMER* This will not delete any local backups of the content which have been saved to other locations, on any of the devices belonging to users connected to the chat.
Report a Chat:
Should a parent, or child find themselves the victim of an abusive user, or offending content leading to them wanting to report a chat, a feature is provided to handle this from directly within the App. This feature also allows the user to block the user and delete all content automatically as part of the reporting process.
To report a chat, simply select the chat option via the 3 dots on the upper right of the chat window, then select more. Next, select report, leaving the ‘Block this contact and delete this chats messages’ option pre-selected should you desire.
*Remember, should you wish to report this user further and lodge a dispute against the user using the report abuse function on the WhatsApp website, you may wish to keep any relevant data from within the offending users chat*
Finally, select ‘report chat’ and the chat report will be sent for review by WhatsApp as seen below. Please note, due to data protection laws, and GDPR laws, you may note see any outcome from this, but this does not mean WhatsApp have not investigated.
Whatsapp's Best Practice Settings Guide
Having reviewed the settings, we will now offer a best practice guide to the settings we suggest be employed to better protect the child’s use of their Apps and their device to increase their safety while accessing online content via Apps:
- Profile Picture:
We recommend that a user’s profile Photo be set to be seen by only those contacts you trust. Best practice would eb to have it seen by nobody. In the case of a child we do not recommend the use of a real picture.
We recommend that users about information be restricted to only trusted users, and a child’s should be restricted to nobody.
- Last Seen:
Once again, this should be restricted to trusted users online. AS with the previous settings a Childs should be restricted to nobody.
We recommend this setting be set to those individuals such as family or friends who are trusted.
As with all GPRS based services, we recommend that this be turned off especially for children.
- Read recipients:
This can be turned on or off. The only real use for this is for a user to hide when they are actively online or not.
- Security Notifications:
We always recommend that this be turned on. While the encryption used within WhatsApp is safe, no encryption is 100% safe and secure. User should always be aware when the codes change between chats. Should the code change we recommend contacting the user by some other means, for example a phone call, to ask if something has changed. A reinstallation of the App or a change of phone for example.
- Two Step Verification:
While it will most likely ensure that Adult intervention is needed whenever an account needs to be verified, we do recommend this setting fully utilized with a strong password. This will ensure that the account in question cannot be downloaded and accessed by other users.
- Chat Backups:
We recommend that external chat backups not be used as they increase the likely hood of data breaches leaking information such as phone numbers and email addresses which make it more likely that inappropriate contacts may contact you, or your child. This setting should be set to ‘Never’.
Whatsapp safety rating
Reflections on Whatsapp
All things considered we find WhatsApp, with the proper precautions to be a relatively safe App when compared to other similar products. The End-to-End encryption, while not flawless, provides an acceptable level of security and peace of mind for parents. However, we must stress; no security ever replaces the strict monitoring of a child’s online activity by a parent. WhatsApp security procedures and features simply ensure peace of mind for a parent during those times when a parent cannot be there to supervise.
The lack of ability to search a user is a very useful feature from the perspective of parents and it precludes the possibility of predators executing random, or automated searches. Mass spam messaging for the purpose of solicitations are also prohibited.
The ability to remove messages from both ends of a conversation is useful too as no child is perfect and might occasionally slip up and share inappropriate personal info or other data. Unlike most Apps, WhatsApp allows a parent to clean up a child’s accidental spilling of information.
The ability to restrict the collection of or sharing of personal data is perhaps more extensive than in most Apps of this nature. It is not perfect and most likely no App ever will be, however, the quality of life and peace of mind features provided are particularly good from the perspective of both child and parent users. Where proper security settings are applied we consider WhatsApp to be a relatively safe App for both parents and children.