All Things Arnav

Privacy Hardening WhatsApp

WhatsApp has become ubiquitous in many parts of the world, especially in regions like South Asia, Europe, Africa and Latin America. There, you are pretty much expected to have WhatsApp on your phone (often even by government and educational institutions). Since it is next to impossible for ordinary citizens to avoid WhatsApp, I have compiled the following guide to give out as little information as possible while using it.

This guide can be summed up by one fact: the ONLY thing that is private in WhatsApp is the message content, which WhatsApp claims to be end-to-end encrypted. We can assume that everything other than message content is not protected by E2EE, making it easily accessible to Meta or to any government institution with the authority to subpoena WhatsApp.

If you want a truly private messaging app, it's best to use Signal.

Please note that you don't have to follow all the steps listed here. It's up to you to determine your threat model and how far you're willing to go (that is, which steps from this guide you'll follow) to protect your privacy.

I have marked some points as [IMPORTANT] which I personally feel everyone should consider regardless of their threat model.

In-App Settings

  1. Phone Number: Use an anonymous phone number that isn't linked to your identity. This might not be possible in countries where it's mandatory to provide ID proof when registering for a phone number.

  2. Name: Don't use your real name on the profile. Ideally, leave it blank.

  3. About: Don't give out personally identifiable information in your bio. Ideally, leave it blank. If you do choose to have a bio, set your About privacy to 'My contacts' or 'My contacts except...' in Settings > Privacy > About.

  4. Profile Picture [IMPORTANT]: Don't use a personally identifiable profile picture or ideally keep it blank. If you do choose to use a profile picture, set your profile picture privacy to 'My contacts' or 'My contacts except...' in Settings > Privacy > Profile picture.

  5. Links: Don't add any links to your profile. If you do choose to add any links, set your links privacy to 'My contacts' or 'My contacts except...' in Settings > Privacy > Links.

  6. Status: Don't give out personally identifiable information in statuses, or ideally don't post statuses at all. If you do choose to post statuses, set your status privacy to 'Only share with...' and choose the relevant contacts you want to share your status with, in Settings > Privacy > Status.

  7. Security Notifications: Enable security notifications in Settings > Account > Security notifications > Show security notifications on this device. This notifies you when one of your contacts' security code changes (for example because they registered WhatsApp on a new device), after which you should ideally confirm the change with them through another secure channel or in person.

  8. Passkey: Create a passkey and save it in your password manager (not on your device) by going to Settings > Account > Passkeys. Passkeys are phishing resistant since you can't accidentally hand them over in a phishing attempt unless your password manager itself is compromised.

  9. Email Address: Use an anonymous email alias that can't be linked back to you, or leave this field empty if you're confident you won't lose access to your account. Settings > Account > Email address.

  10. Two-Step Verification [IMPORTANT]: Turn on two-step verification and use a randomly generated PIN saved in your password manager. Settings > Account > Two-step verification. You will then be prompted for this PIN in addition to the OTP whenever you register your WhatsApp account on a new device.

  11. Request Account Info: Request your account info to assess what data Meta holds about you. Settings > Account > Request account info.

  12. Last Seen and Online: Set your last seen to 'Nobody' and your online activity to 'Same as last seen'. Settings > Privacy > Last seen and online.

  13. Read Receipts: Turn off read receipts in Settings > Privacy > Read receipts.

  14. Default Message Timer: Turn on the default message timer in Settings > Privacy > Default message timer and set it to a duration consistent with your threat model.

  15. Groups: Set 'Who can add me to groups' to 'My contacts' or 'My contacts except...' in Settings > Privacy > Groups.

  16. Avatar Stickers: Set 'Who can feature my avatar in their stickers' to 'Nobody'. Settings > Privacy > Avatar stickers. Better still, don't create avatars in WhatsApp at all.

  17. Calls: Enable 'Silence unknown callers'. Settings > Privacy > Calls.

  18. Contacts: Disable WhatsApp contacts in Settings > Privacy > Contacts.

  19. App Lock: Enable app lock and configure it according to your threat model in Settings > Privacy > App lock.

  20. Camera Effects: Disable camera effects in Settings > Privacy.

  21. Unknown Messages: Block unknown account messages in Settings > Privacy > Advanced.

  22. IP Address: Enable 'Protect IP address in calls' in Settings > Privacy > Advanced. Also consider using a VPN when accessing WhatsApp, because an IP address can be used to identify you personally.

  23. Link Previews: Disable link previews in Settings > Privacy > Advanced.

  24. Chat Backup [IMPORTANT]: Unencrypted chat backups are one of the primary ways a government can get access to your chats, short of seizing your device itself. Either disable backups or, if you do choose to enable them, turn on end-to-end encrypted backup in Settings > Chats > Chat backup.

App Permissions (Android Specific)

  1. Camera: Set it to either 'Ask every time' or "Don't allow".

  2. Contacts: Sync ONLY the contacts you want to keep in WhatsApp, then disable the contacts permission.

  3. Location: Set it to either 'Ask every time' or "Don't allow".

  4. Microphone: Set it to either 'Ask every time' or "Don't allow".

  5. Music and Audio: Set it to "Don't allow". Allow as and when required.

  6. Phone: Set it to "Don't allow". Allow as and when required.

  7. Photos and videos: Set it to "Don't allow" or 'Allow limited access'.

  8. Call logs: Set it to "Don't allow".

  9. Nearby devices: Set it to "Don't allow".

  10. SMS: Set it to "Don't allow".
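Once the permissions above have been set, it is worth verifying from a computer that they actually took effect. The following is an added example (not part of this guide) that parses the `runtime permissions:` section of `adb shell dumpsys package com.whatsapp` and reports any permission from the list above that is still granted. The mapping from the settings-screen groups (Camera, Contacts, ...) to Android permission names is my own assumption and is not exhaustive; the sample dumpsys text is constructed so the script runs offline, and `--live` pulls real output over ADB (assumes `adb` is on your PATH and the device is connected with USB debugging enabled).

```python
"""Audit WhatsApp's Android runtime permissions against the deny list in the guide."""
import re
import subprocess
import sys

# Settings-screen permission groups from the guide, mapped to the Android
# permissions behind them. This mapping is an assumption of this example
# (not from the guide) and is not exhaustive; extend it as needed.
DENY_LIST = {
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.READ_MEDIA_AUDIO": "Music and audio",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.READ_MEDIA_IMAGES": "Photos and videos",
    "android.permission.READ_MEDIA_VIDEO": "Photos and videos",
    "android.permission.READ_CALL_LOG": "Call logs",
    "android.permission.BLUETOOTH_CONNECT": "Nearby devices",
    "android.permission.BLUETOOTH_SCAN": "Nearby devices",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
}

# Matches lines such as "      android.permission.CAMERA: granted=false, flags=[ ... ]"
RUNTIME_RE = re.compile(
    r"^\s*(android\.permission\.[A-Z0-9_]+):\s*granted=(true|false)", re.MULTILINE
)

# Constructed sample of the relevant part of `adb shell dumpsys package com.whatsapp`
SAMPLE_DUMPSYS = """\
    runtime permissions:
      android.permission.CAMERA: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET|USER_FIXED]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET]
"""


def parse_runtime_permissions(dumpsys_text: str) -> dict:
    """Return {permission_name: granted} for every runtime permission line found."""
    return {name: flag == "true" for name, flag in RUNTIME_RE.findall(dumpsys_text)}


def audit(grants: dict) -> list:
    """Return (group, permission) pairs from DENY_LIST that are still granted, sorted."""
    return sorted((DENY_LIST[p], p) for p, granted in grants.items()
                  if granted and p in DENY_LIST)


def fetch_live_dumpsys(package: str = "com.whatsapp") -> str:
    """Run dumpsys over ADB; requires adb on PATH and an authorized device."""
    result = subprocess.run(["adb", "shell", "dumpsys", "package", package],
                            capture_output=True, text=True, check=True)
    return result.stdout


def main(argv: list) -> int:
    text = fetch_live_dumpsys() if "--live" in argv else SAMPLE_DUMPSYS
    findings = audit(parse_runtime_permissions(text))
    if not findings:
        print("OK: no permission from the deny list is granted")
        return 0
    for group, permission in findings:
        print(f"STILL GRANTED: {group:<18} {permission}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to see the behaviour on the constructed sample (Microphone and SMS are flagged, the notification permission is ignored because it is not on the deny list), or with `--live` against a connected phone. A non-zero exit code makes it easy to re-check after each app update, since updates can re-request permissions.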


#privacy #security