Can an employer access WhatsApp messages if you are using their servers?

  • Does anyone know if an employer can access WhatsApp messages if you are using their servers? WhatsApp apparently says the messages are encrypted, but I'm not sure about this.

    Secure against an employer - perhaps. Secure - certainly not. That'd need end-to-end encryption.

  • The following research paper describes four attacks on WhatsApp. I don't know whether they have been fixed.

    Impersonation attack. One attack allows an attacker to impersonate someone else. In particular, if the attacker has a particular phone number in mind (the victim's phone number), the attacker can register himself for that phone number and receive all WhatsApp messages that might have been intended for that phone number. See Section 5.2 of the paper.

    This may be relevant to you.

    SMS spam attack. A second attack allows an attacker to send arbitrary text messages to anyone around the world, for free, from the WhatsApp servers. See Section 5.4 of the paper.

    Phone number enumeration attack. A third attack allows an attacker to enumerate the phone numbers of other WhatsApp users and identify the operating system they are using. See Section 5.5 of the paper.

    Status message forgery attack. A fourth attack allows an attacker to change any other WhatsApp user's status message to anything of the attacker's choice. See Section 5.6 of the paper.

    Implications. None of these directly address the particular question you asked. However, these vulnerabilities diminish my confidence in the security of WhatsApp.

    The vulnerabilities described in the paper are extremely basic and elementary flaws. We're talking facepalm territory. The flaws include, for instance, a complete lack of access control or authentication; as well as inappropriate trust in the client. (Basically, OWASP A3, A8, and A9 violations.) Of course, anyone can make mistakes, but these are such basic mistakes that they make me wonder what other mistakes the WhatsApp developers may have made, and what is wrong with WhatsApp's security review process that these slipped through into deployment.

    So, based upon this analysis, I would be reluctant to rely too heavily upon the security of WhatsApp.

  • WhatsApp is a fairly popular messaging system according to the media:

    WhatsApp handles ten billion messages per day as of August 2012

    Financial Times: WhatsApp "has done to SMS on mobile phones what Skype did to international calling on landlines."

    It supports encryption, and although it has had a number of security incidents, I would expect the security to be high and incidents similar to those above to be transient and managed by the company.

    There is one special case when your messages might be at risk. That is if your phone or computer on which you are using WhatsApp is being administered by your employer. So if you have a smartphone provided by your employer, then your messages might be intercepted.

    In conclusion, I think WhatsApp's message privacy is trustworthy. You should worry more about the security of your phone. Android smartphones in particular are not kept up to date with patches.

    Thanks Christian, does the encryption apply to photos too or just text?

    The content of the message (text, photos, other media) is passed through an encrypted channel.

  • This article regards WhatsApp's encryption as too weak and the company's handling of security issues as lacking:

    This article says sender authentication is now more robust, but privacy concerns persist:

  • Do the following test on your mobile device and at least you can be sure that your device can't be monitored like that.

    1. go to
    2. Click on the https lock in the browser

    If "issued to" is Google Internet Authority G2, then HTTPS is not penetrated, nor is a MITMA (Man-In-The-Middle Attack) employed. If there is another name, like your company name, then it's possible they can penetrate the HTTPS traffic.
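
The browser check described in the answer above can also be scripted. The following is an added example, not part of the original answer: it compares the issuer of the certificate a host presents with the issuer the caller expects. The function names, the sample certificates and "Example Corp" are constructed for illustration, and the expected issuer is a parameter because public CAs rotate their issuing certificates.

```python
import socket
import ssl


def issuer_fields(cert):
    """Flatten the 'issuer' entry of an ssl.getpeercert() dict into {name: value}."""
    return {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}


def check_issuer(cert, expected_issuers):
    """Return (ok, issuer_cn). ok is False when the issuer common name is not one
    of expected_issuers, e.g. when a TLS-inspecting proxy re-signed the site."""
    cn = issuer_fields(cert).get("commonName", "")
    ok = cn.lower() in {name.lower() for name in expected_issuers}
    return ok, cn


def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a host presents to this machine.
    ssl.SSLCertVerificationError here means the presented chain is not
    trusted by the CA store this Python installation uses."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns.
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("commonName", "Google Internet Authority G2"),))}
# Hypothetical employer CA installed on a managed device.
PROXIED = {"issuer": ((("organizationName", "Example Corp"),),
                      (("commonName", "Example Corp TLS Inspection CA"),))}

if __name__ == "__main__":
    expected = {"Google Internet Authority G2"}  # issuer named in the answer
    for label, cert in (("direct", DIRECT), ("proxied", PROXIED)):
        ok, cn = check_issuer(cert, expected)
        print(f"{label}: issuer CN={cn!r} -> {'expected' if ok else 'UNEXPECTED'}")
    # Live check (needs network): check_issuer(fetch_cert("<host>"), expected)
```

An unexpected issuer only shows that something other than the expected CA signed the certificate; an expected issuer says nothing about monitoring software running on the device itself.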

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM
