How to Fortify Your WhatsApp, Like Now

Today I had planned to discuss two digital security education initiatives I’ve been helping stand up. One focuses on the education of journalism students. The other will find me traveling to all 50 states to work with state and local officials, and campaign officials, to help fortify them against malicious digital attacks, misinformation and disinformation. More of that tomorrow.

We have to stick with the headline of the day, because so many people (1.5 billion!) across the world use WhatsApp to communicate sensitive information. I have an equity here I must disclose: I consulted for WhatsApp when it launched its end-to-end encryption process. However, I confess that I also use several other encrypted chat apps for my own work.

It’s not likely that the Crown Prince of Saudi Arabia will allow himself to be the vector by which a malware implant is routed to your mobile device, but the case of Amazon CEO Jeff Bezos is extraordinarily instructive for everyone.

We do not know, precisely, how the malware that exfiltrated Mr. Bezos’s personal data and photos lodged itself in the root firmware of his phone. We know that WhatsApp was the medium, and there are hints that Bezos did NOT have to click a link that MBS sent him. Eesh.

What most people forget, though, is that the auto-download settings — the same type of Autodownload settings that your mail client uses — take stuff that’s sent to you through WhatsApp…. moves it out of the part of your phone that is running the app … and deposits it where you’ve specified. MP4s and photos might go directly into your “Photo” container. Think for a moment about how active that “place” - be it physically located on your hard drive or somewhere in the cloud, or both — must be. You use photos (and by extension, your camera app) for so many other other things. Apple doesn’t really have a way to scan everything that comes out of the WhatsApp part of your phone for malware, because that would require your phone to either have a dynamic directory of suspected signatures, or connect to a cloud that interrupts the end-to-end encryption process. In any event, here’s what you need to do if you use WhatsApp to chat about stuff you don’t want other people knowing about.

  1. Turn off the autodownload settings.

  2. Go into your iCloud back-up settings (in Settings), scroll all the way down to WhatsApp, and TURN OFF YOUR CLOUD BACK-UPs. They are NOT encrypted.

  3. Regularly clear your conversation cache.

Of course, if you need to keep a conversation, or you need to download something, do that on a case-by-case basis.

What happened to Jeff Bezos is scary. It might have been preventable.