WhatsApp is facing renewed scrutiny after Iranian state media urged citizens to delete the app and alleged it was sending user data to Israel.
The messaging platform, owned by US tech giant Meta, denied the claim and said it was “concerned these false reports will be an excuse for our services to be blocked at a time when people need them the most”.
“We do not track your precise location, we don’t keep logs of who everyone is messaging and we do not track the personal messages people are sending one another,” a statement said. “We do not provide bulk information to any government.”
The timing of the accusation has sparked fresh debate around WhatsApp’s security, particularly given that Israel is the only country known to have successfully hacked the platform.
Strong encryption?
“WhatsApp uses strong end-to-end encryption, which means only the sender and receiver can read the messages,” said Mohammad Ismail, vice president for EMEA at Cequence Security, a company that offers application programming interface security management. “Even WhatsApp itself can’t see what’s being shared.”
In practice, this kind of encryption is considered very secure and is trusted by security professionals around the world, he said.
“However, the biggest risks usually do not come from the encryption, but from things like someone getting access to your phone or tricking you into revealing your login,” he told The National.
Pegasus breach
In 2019, the messaging platform filed a lawsuit against Israeli spyware company NSO Group, claiming the firm’s Pegasus software had exploited a vulnerability in the app to target more than 1,400 users.
Victims included journalists, human rights defenders and activists across several countries.
The attack did not compromise WhatsApp’s end-to-end encryption. Instead it utilised a “zero-click” exploit, a method that enables spyware to be installed simply by sending a specially crafted message or call, which triggers the hack without the user needing to click or even see it.
Once Pegasus is installed, it can bypass encryption entirely by accessing messages directly, recording calls and even activating the phone’s camera and microphone without the user’s knowledge, according to the Organised Crime and Corruption Reporting Project.
The NSO Group says it licenses Pegasus exclusively to vetted government clients for use in counterterrorism and criminal investigations, and all foreign sales are subject to approval by the Israeli Defence Ministry.
Encryption v device-level threats
While WhatsApp’s encryption remains intact in such cases, security experts warn encryption alone is not enough to protect against sophisticated surveillance tools.
Experts say directly breaching WhatsApp encryption is extremely unlikely. “It would take huge computing power and advanced knowledge, which even most government agencies don’t have,” Mr Ismail said. “Instead, hackers usually go after easier targets, like hacking into your phone, sending fake links, or using spyware.”
Technical flaws and metadata risks
Subho Halder, chief executive and co-founder of Appknox, a security platform, noted that WhatsApp’s encryption protocol, the Signal Protocol, is considered the gold standard in secure messaging.
“WhatsApp’s end-to-end encryption remains mathematically unbreakable with today’s technology,” Mr Halder told The National.
However, a recent scan of WhatsApp’s latest Android build (v2.25.9.78) by Appknox uncovered several critical and high-severity implementation flaws, including insecure network configurations, hardcoded secrets and potential file access vulnerabilities.
“These don’t break encryption directly, but they expose sensitive data through poor engineering practices,” he added. “The real risk often lies not in the cryptography, but in how securely it’s implemented.”
He added that other vectors remain concerning. “WhatsApp does not encrypt metadata, like who messaged whom, when and for how long, which can still be revealing even without access to the message content,” Mr Halder said.
He noted that cloud backups, while now optionally encrypted, have previously posed security risks.
Regional distrust
The renewed concern over WhatsApp’s vulnerability comes amid broader distrust in Meta in the Middle East.
Last year, the firm updated its hate speech guidelines to restrict posts referencing Zionists, saying the term was frequently used in a way to dehumanise Jews and Israelis.
However, researchers and rights groups argue this change has led to the suppression of political speech, especially from pro-Palestinian voices.
Meta has been accused of “shadow-banning” Arabic or Palestine-related content, and Human Rights Watch documented more than 1,000 instances of post removals or demotions on Facebook and Instagram in October and November last year.
Wider context in Iran
Iran’s call to delete WhatsApp is not unprecedented. The app was blocked during nationwide protests in 2022 following the death of Mahsa Amini in police custody.
Although the ban was lifted late last year, the government maintains tight control over digital communication and platforms like WhatsApp are widely used via virtual private networks (VPNs).
WhatsApp is one of Iran’s most popular messaging apps, along with Instagram and Telegram.