
BLOG
June 2025 has seen WhatsApp back in the headlines—this time for all the wrong reasons.
Earlier this month, The National broke the story: WhatsApp’s security is under renewed scrutiny following revelations that Israel remains the only known actor to have successfully exploited it. But if history has taught us anything, it’s this: if one nation-state can do it, others may follow.
At Appknox, we decided to verify the current state of WhatsApp’s mobile app security for ourselves.
We conducted a comprehensive Static Application Security Test (SAST) and Dynamic Application Security Test (DAST) on the latest public WhatsApp Android release (version 2.25.9.78). What we uncovered was a mix of mature security controls and high-impact vulnerabilities that, in the right hands, could be leveraged into serious exploitation paths.
Our scan uncovered five major vulnerability categories, including one critical issue and multiple high-severity flaws. Here’s a summary:
| Vulnerability found | Severity | How an attacker could exploit it |
|---|---|---|
| Network security misconfiguration | Critical | Bypass network protections to intercept or manipulate traffic using MITM attacks. |
| Hardcoded secrets | High | Extract API keys, tokens, or debug switches from the APK to abuse internal services. |
| Content provider file traversal | High | Gain unauthorized access to internal files or sensitive user data via malicious queries. |
| Derived crypto keys | High | Predict encryption keys or manipulate key generation logic to decrypt data. |
| Insufficient TLS enforcement | High | Force fallback to insecure protocols or bypass certificate validation to snoop on data. |
Let’s explore what these mean in practice.
Network security misconfiguration (Critical)
This critical finding allows attackers to intercept communication between WhatsApp and its servers, especially on compromised or open Wi-Fi networks. While WhatsApp does use end-to-end encryption for messages, metadata and handshake communications can still be vulnerable if network security policies aren't tightly enforced.
🎯 Real-world scenario: An attacker sets up a malicious access point in a coffee shop. WhatsApp traffic is silently rerouted or degraded, enabling session fingerprinting, traffic replay, or metadata collection — even if message content remains encrypted.
Hardcoded secrets (High)
Our scans revealed sensitive, hardcoded values in the APK — these may include API keys, authentication tokens, or test/debug flags. In the wrong hands, these secrets could be reverse-engineered and used to abuse internal services.
👨‍💻 Attacker tactic: Reverse engineers decompile the APK using open-source tools such as JADX, search for keys, and attempt replay attacks against WhatsApp's cloud infrastructure or dev services.
Content provider file traversal (High)
This vulnerability allows an attacker app installed on the same device to query WhatsApp's exposed content providers and traverse file paths outside of the intended directories. If file path validation is missing, attackers can access files such as cached media, logs, or temporary session data.
📍Example exploit: A malicious photo editing app silently queries WhatsApp’s storage, pulling unencrypted media or temporary chat backups via a poorly secured content provider.
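The defensive check the passage calls for, as an added example (a hypothetical provider written for this article, not WhatsApp's code): the vulnerable `openFileVulnerable` joins the caller-supplied path to the app directory unchecked, while the hardened `openFile` canonicalizes both sides and refuses anything that resolves outside the exported `media` directory.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

// Hypothetical provider exporting files from one app-private directory.
public class ExportedMediaProvider extends ContentProvider {
    private File exportRoot() { return new File(getContext().getFilesDir(), "media"); }
    // VULNERABLE: the decoded URI path is joined to the base directory unchecked,
    // so a request like /..%2F..%2Fshared_prefs%2Fsession.xml resolves outside "media".
    public ParcelFileDescriptor openFileVulnerable(Uri uri) throws FileNotFoundException {
        File target = new File(exportRoot(), uri.getPath());
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
    }
    // HARDENED: canonicalize and require the target to stay under the export root;
    // the caller's "mode" is ignored so nothing can be opened for writing.
    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        File target;
        try {
            target = resolveUnderRoot(exportRoot(), uri.getPath());
        } catch (IOException e) {
            throw new FileNotFoundException("invalid path"); // do not echo the path back
        }
        return ParcelFileDescriptor.open(target, ParcelFileDescriptor.MODE_READ_ONLY);
    }
    // Resolves symlinks and ".." on both sides before comparing, so encoded or
    // symlinked traversal attempts are rejected as well.
    static File resolveUnderRoot(File root, String requested) throws IOException {
        if (requested == null) throw new IOException("no path");
        File canonicalRoot = root.getCanonicalFile();
        File candidate = new File(canonicalRoot, requested).getCanonicalFile();
        if (!candidate.getPath().startsWith(canonicalRoot.getPath() + File.separator)) {
            throw new IOException("path escapes export root");
        }
        return candidate;
    }
    // Remaining abstract methods are not part of the example.
    @Override public boolean onCreate() { return true; }
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { return null; }
    @Override public String getType(Uri u) { return null; }
    @Override public Uri insert(Uri u, ContentValues v) { return null; }
    @Override public int delete(Uri u, String s, String[] a) { return 0; }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { return 0; }
}
```

The path check is only one layer: a provider that should not be reachable by other apps also needs `android:exported="false"` or a signature-level permission in the manifest.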
Derived crypto keys (High)
We flagged derived encryption keys that lacked sufficient randomness or entropy. In a secure mobile app, encryption keys should be user-specific, generated per session, or hardware-backed.
🔓 Impact: Predictable key derivation means that even encrypted data — such as temporary files or offline media — could be brute-forced or decrypted using known patterns.
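What "derived from a predictable input" versus "hardware-backed" looks like in code, as an added example written for this article (not WhatsApp's key-handling code; the alias `cache-aes-key` is hypothetical): `weakDerivedKey` hashes a device identifier into an AES key that anyone who learns the identifier can rebuild, while `keystoreKey` generates a random 256-bit key inside the Android Keystore, and `isHardwareBacked` reports whether it lives in secure hardware.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import java.security.MessageDigest;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.SecretKeySpec;

public final class LocalCacheKeys {
    private static final String ALIAS = "cache-aes-key"; // hypothetical alias

    // WEAK: key derived from a device identifier that other apps can read and that
    // carries far less than 256 bits of entropy; learning the ID rebuilds the key.
    static SecretKey weakDerivedKey(String androidId) throws Exception {
        byte[] raw = MessageDigest.getInstance("SHA-256").digest(androidId.getBytes("UTF-8"));
        return new SecretKeySpec(raw, "AES");
    }

    // HARDENED: random 256-bit AES-GCM key generated inside the Android Keystore.
    // The key material never leaves the keystore (hardware-backed where available).
    static SecretKey keystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry existing = ks.getEntry(ALIAS, null);
        if (existing instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) existing).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .setRandomizedEncryptionRequired(true) // fresh IV for every encryption
                .build());
        return kg.generateKey();
    }

    // Runtime check (usable from a DAST harness) for whether the key sits in secure hardware.
    static boolean isHardwareBacked(SecretKey key) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = (KeyInfo) f.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }
}
```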
Insufficient TLS enforcement (High)
TLS is table stakes. But we still observed fallback logic and missing checks in certificate validation.
In certain cases, connections to backend services could potentially be redirected or spoofed by a malicious actor.
🕵️‍♂️ MITM scenario: A compromised root certificate on the device enables an attacker to proxy TLS traffic, potentially leaking analytics or system-level data that is not protected by end-to-end encryption.
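The network security misconfiguration and the TLS enforcement findings above both come down to the same Android control, so here is one added example of it, constructed for this article (not WhatsApp's configuration; `api.example.com` and the pin values are placeholders). The weak file opts back into cleartext and user-installed CAs, which is exactly what lets a rogue access point or a user-installed root certificate proxy the traffic; the hardened file trusts only the system store, blocks cleartext, and pins the backend's SPKI hashes.

```xml
<!-- res/xml/network_security_config.xml: WEAK (constructed example of the misconfiguration) -->
<network-security-config>
    <!-- Plain HTTP allowed everywhere, and user-installed CAs trusted: a rogue access
         point or a user-installed root certificate can sit in the middle of every
         connection. Apps targeting API 24+ get system-only trust by default, so this
         is an explicit opt-in to the weaker behaviour. -->
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- res/xml/network_security_config.xml: HARDENED -->
<network-security-config>
    <!-- No cleartext, and only the platform CA store is trusted; a root certificate
         added to the device's user store is ignored for this app. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Pin the backend's public-key (SPKI) SHA-256 hashes; the backup pin avoids a
         lock-out when the certificate rotates. Domain and pins are placeholders. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The file only takes effect when the manifest's `<application>` element references it with `android:networkSecurityConfig="@xml/network_security_config"`; a SAST check that the attribute is present and that no `<certificates src="user" />` or `cleartextTrafficPermitted="true"` survives in release builds catches this class of finding before shipping.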
📌 Want to learn how flaws like these can be prevented early in the development lifecycle?
Check out our Secure SDLC blog to learn why opting for a secure SDLC approach is the way forward for identifying vulnerabilities early.
We're not here to just throw stones. WhatsApp also shows signs of mature security practice.
In many ways, WhatsApp’s security baseline is higher than most apps in its category. But perfection is elusive — and that’s where attackers thrive.
You might assume that a Meta-backed app with billions of users would have airtight security. But the reality is:
In our latest US consumer survey, 63% of users reported they assume WhatsApp is secure. And yet, every critical and high-severity flaw we tested in this latest version was real, not hypothetical.
This is the trust gap: users believe in brands, attackers believe in bugs.
🛡️Security isn’t just about encryption. It’s about discipline, testing, and transparency. Especially when you’re powering global communication.
At Appknox, we test the apps people trust most so that trust is earned, not assumed.
Want to test your app’s real-world security posture?
Book a demo with us or speak to our security engineers today.
Appknox doesn’t just automate testing—it transforms security from a bottleneck into a growth enabler.
Detect vulnerabilities in minutes with deep, automated scans.
Start your free trial with Appknox today and escape security blind spots in your application portfolio.
While WhatsApp utilizes strong end-to-end encryption, our penetration testers identified several vulnerabilities, including MITM risks and hardcoded secrets within the APK.
Yes. In our analysis, we identified weak network configurations that may allow attackers to intercept metadata over unsecured networks.
Our pentest revealed that certain vulnerabilities, such as file traversal and hardcoded keys, could be exploited to extract user data under specific conditions.
We use real-device Dynamic and Static Application Security Testing (DAST/SAST) to simulate real-world exploitation techniques.