menu
close_24px

BLOG

How Secure Is WhatsApp in 2025? [Appknox’s Pentesters Reveal 5 Critical Vulnerabilities]

We scanned WhatsApp’s latest Android app. Here’s what we found: 5 real-world vulnerabilities that could impact billions.
  • Posted on: Jul 1, 2025
  • By Raghunandan J
  • Read time 4 Mins Read
  • Last updated on: Jul 1, 2025

Is WhatsApp safe?

June 2025 has seen WhatsApp back in the headlines—this time for all the wrong reasons.

Earlier this month, The National broke the story: WhatsApp’s security is under renewed scrutiny following revelations that Israel remains the only known actor to have successfully exploited it. But if history has taught us anything, it’s this: if one nation-state can do it, others may follow.

At Appknox, we decided to verify the current state of WhatsApp’s mobile app security for ourselves.

We conducted a comprehensive Static Application Security Test (SAST) and Dynamic Application Security Test (DAST) on the latest public WhatsApp Android release (version 2.25.9.78). What we uncovered was a mix of mature security controls and high-impact vulnerabilities that, in the right hands, could be leveraged into serious exploitation paths.

WhatsApp security test findings: Snapshot

Our scan uncovered five major vulnerability categories, including one critical issue and multiple high-severity flaws. Here’s a summary:

Vulnerability found

Severity

How an attacker could exploit it

Network security misconfiguration

Critical

Bypass network protections to intercept or manipulate traffic using MITM attacks.

Hardcoded secrets

High

Extract API keys, tokens, or debug switches from the APK to abuse internal services.

Content provider file traversal

High

Gain unauthorized access to internal files or sensitive user data via malicious queries.

Derived crypto keys

High

Predict encryption keys or manipulate key generation logic to decrypt data.

Insufficient TLS enforcement

High

Force fallback to insecure protocols or bypass certificate validation to snoop on data.

Let’s explore what these mean in practice.

Exploitation pathways: How these vulnerabilities could be weaponized

 

1. Network security misconfiguration: The MITM gateway

This critical finding allows attackers to intercept communication between WhatsApp and its servers, especially on compromised or open Wi-Fi networks. While WhatsApp does use end-to-end encryption for messages, metadata, and handshake communications can still be vulnerable if network security policies aren’t tightly enforced.

🎯 Real-world scenario: An attacker sets up a malicious access point in a coffee shop. WhatsApp traffic is silently rerouted or degraded, enabling session fingerprinting, traffic replay, or metadata collection — even if message content remains encrypted.

 

2. Hardcoded secrets: Backdoors in plain sight

Our scans revealed sensitive, hardcoded values in the APK — these may include API keys, authentication tokens, or test/debug flags. In the wrong hands, these secrets could be reverse-engineered and used to:

  • Trigger hidden features,
  • Interact with internal APIs not meant for public use, and
  • Bypass certain authentication checks.

👨‍💻Attacker tactic: Reverse engineers decompile the APK using tools like JADX or open-source tools, search for keys, and attempt replay attacks against WhatsApp’s cloud infrastructure or dev services.

3. Content provider traversal: The quiet data leak

This vulnerability allows an attacker app installed on the same device to query WhatsApp’s exposed content providers and traverse file paths outside of intended directories. If file path validation is missing, attackers can access files such as cached media, logs, or temporary session data.

📍Example exploit: A malicious photo editing app silently queries WhatsApp’s storage, pulling unencrypted media or temporary chat backups via a poorly secured content provider.

 

4. Weak cryptography: Predictable keys, real risks

We flagged derived encryption keys that lacked sufficient randomness or entropy. In a secure mobile app, encryption keys should be either user-specific, generated per session, or hardware-backed.

🔓 Impact: Predictable key derivation means that even encrypted data — such as temporary files or offline media — could be brute-forced or decrypted using known patterns.

 

5. TLS enforcement gaps: A step back in 2025

TLS is table stakes. But we still observed fallback logic and missing checks in certificate validation. 

In certain cases, connections to backend services could potentially be redirected or spoofed by a malicious actor.

🕵️‍♂️ MITM scenario: A compromised root certificate on the device enables an attacker to proxy TLS traffic, potentially leaking analytics or system-level data that is not protected by end-to-end encryption.

📌 Want to learn how flaws like these can be prevented early in the development lifecycle?

Check out our Secure SDLC blog to learn why opting for a secure SDLC approach is the way forward for identifying vulnerabilities early.

What WhatsApp got right

We’re not here to just throw stones. WhatsApp also shows signs of mature security practice:

  • End-to-end encryption is robust and well implemented for messages and calls.
  • Permissions are minimal and justified, with no unnecessary overreach into device access.
  • Tamper resistance is effective in preventing unauthorized app modifications or rooted environment abuse.

In many ways, WhatsApp’s security baseline is higher than most apps in its category. But perfection is elusive — and that’s where attackers thrive.

Why these flaws matter

You might assume that a Meta-backed app with billions of users would have airtight security. But the reality is:

  • Security is not a one-time effort. Frequent app updates can inadvertently introduce new risks.
  • Attackers target metadata, backups, and infrastructure, not just the messages.
  • Even “non-critical” flaws become critical when chained together.

The trust gap is real.

In our latest US consumer survey, 63% of users reported they assume WhatsApp is secure. And yet, every critical and high-severity flaw we tested in this latest version was real, not hypothetical.

This is the trust gap: users believe in brands, attackers believe in bugs.

🛡️Security isn’t just about encryption. It’s about discipline, testing, and transparency. Especially when you’re powering global communication.

At Appknox, we test the apps people trust most so that trust is earned, not assumed.

Want to test your app’s real-world security posture?

Book a demo with us or speak to our security engineers today.

Key benefits of Appknox

 

  • Seamless CI/CD integration with automated scans on every build
  • Uncover hidden and shadow APIs to eliminate blind spots
  • Comprehensive coverage of OWASP API Top 10 and misconfigurations
  • Developer-friendly, actionable remediation reports
  • Minimal false positives to keep teams focused.

Appknox doesn’t just automate testing—it transforms security from a bottleneck into a growth enabler.

Detect vulnerabilities in minutes with deep, automated scans.

Start your free trial with Appknox today and escape security blind spots in your application portfolio.

TL;DR: WhatsApp may be secure, but not invulnerable

 

  • In June 2025, WhatsApp faced renewed scrutiny over security concerns.
  • Reports revealed that Israel remains the only known nation-state to have successfully exploited the app. However, history suggests this could open the door for more actors to follow.
  • Appknox conducted a real-world security audit of WhatsApp’s Android app (v2.25.9.78).
  • Our pentesters performed both Static and Dynamic Application Security Testing (SAST + DAST) on real devices.
  • Despite WhatsApp's strong security foundation, the audit uncovered:

    • 1 critical vulnerability
    • Multiple high-severity flaws
  • These issues could enable:

    • Traffic interception
    • Unauthorized access to user data
    • Weakened or bypassed encryption mechanisms

Frequently asked questions (FAQs)

 

1. Is WhatsApp secure in 2025?

While WhatsApp utilizes strong end-to-end encryption, our penetration testers identified several vulnerabilities, including MITM risks and hardcoded secrets within the APK.

2. Can WhatsApp be hacked through public Wi-Fi?

Yes. In our analysis, we identified weak network configurations that may allow attackers to intercept metadata over unsecured networks.

3. Does WhatsApp leak user data?

Our pentest revealed that certain vulnerabilities, such as file traversal and hardcoded keys, could be exploited to extract user data under specific conditions.

4. How does Appknox test apps like WhatsApp?

We use real-device Dynamic and Static Application Security Testing (DAST/SAST) to simulate real-world exploitation techniques.