WhatsApp Strengthens Security with Rust at Scale and New Strict Account Settings - Alvinology

WhatsApp has announced a major step forward in its security strategy, unveiling a new set of protections designed to safeguard users against rare but highly sophisticated cyber threats, while reinforcing its long-standing commitment to privacy.

At the forefront of these updates is Strict Account Settings, a new lockdown-style feature aimed at users who may face elevated security risks, such as journalists, activists, and public-facing figures. When enabled, the feature automatically applies the most restrictive account settings, limiting certain functions such as receiving attachments or media from unknown contacts. Strict Account Settings will roll out gradually over the coming weeks and can be activated via Settings > Privacy > Advanced.

This new feature complements WhatsApp’s default end-to-end encryption, which already protects messages for more than 3 billion users worldwide. Together, these measures reflect WhatsApp’s broader, defense-in-depth approach to online security.

Rust at Scale: A New Backbone for Media Security

Behind the scenes, WhatsApp has also made a significant technological shift by increasingly adopting the Rust programming language to strengthen how media files, such as photos, videos, and documents, are handled across the platform.

Media sharing presents a unique security challenge. While WhatsApp already warns users about potentially dangerous file types, sophisticated malware can sometimes be embedded in seemingly harmless files like images or videos, exploiting vulnerabilities in operating systems or application libraries.

To counter this, WhatsApp has re-engineered its media-processing infrastructure using Rust, a memory-safe language known for reducing vulnerabilities commonly found in C and C++ codebases. According to WhatsApp, this represents the largest global deployment of Rust code across consumer-facing platforms to date.

Lessons from the Past: The Stagefright Vulnerability

WhatsApp’s push toward stronger media defenses was shaped in part by the 2015 Android “Stagefright” vulnerability, which exposed millions of devices to attacks through malicious media files. Because the flaw existed at the operating system level, apps like WhatsApp could not patch it directly.

In response, WhatsApp enhanced its own cross-platform media library to detect malformed files before they could trigger system-level bugs. While effective, the solution also highlighted the risks of processing untrusted media using memory-unsafe languages, prompting WhatsApp to rethink its long-term strategy.

Rewriting Media Security with Rust

Rather than incrementally modifying its existing C++ code, WhatsApp developed a Rust-based version of its media library in parallel, rigorously testing it against the original using differential fuzzing and extensive integration tests.

The results were decisive. WhatsApp replaced 160,000 lines of C++ with 90,000 lines of Rust, achieving improved performance and lower runtime memory usage. The Rust library has since been fully rolled out across platforms including Android, iOS, Mac, Web, and wearables.

This Rust-based system now underpins “Kaleidoscope,” a comprehensive set of checks that identify non-conformant file structures, detect file-type spoofing, flag high-risk formats like executables, and scrutinize commonly abused files such as PDFs. While no single layer can stop every attack, these checks significantly reduce exposure to many common exploitation techniques.
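As an added illustration (not WhatsApp's code and not taken from Kaleidoscope), the sketch below shows the general shape of two of the checks named above: detecting file-type spoofing by comparing the claimed extension with the content's magic bytes, and flagging executable content whatever its name. The `Kind`, `Verdict`, `sniff`, `claimed_kind` and `check` names are hypothetical, and the signature table is a small subset chosen for the example.

```rust
// Added illustration only; this is not WhatsApp's Kaleidoscope code.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Kind { Jpeg, Png, Pdf, Elf, PeExe, Unknown }

#[derive(Debug, PartialEq)]
enum Verdict { Consistent, Spoofed { claimed: Kind, actual: Kind }, HighRisk(Kind), Unrecognized }

// Identify content by its leading magic bytes, never by its file name.
fn sniff(data: &[u8]) -> Kind {
    match data {
        [0xFF, 0xD8, 0xFF, ..] => Kind::Jpeg,
        [0x89, b'P', b'N', b'G', ..] => Kind::Png,
        [b'%', b'P', b'D', b'F', b'-', ..] => Kind::Pdf,
        [0x7F, b'E', b'L', b'F', ..] => Kind::Elf,
        [b'M', b'Z', ..] => Kind::PeExe,
        _ => Kind::Unknown,
    }
}

// Kind implied by the extension the sender attached to the file.
fn claimed_kind(name: &str) -> Kind {
    let ext = name.rsplit_once('.').map(|(_, e)| e.to_ascii_lowercase()).unwrap_or_default();
    match ext.as_str() {
        "jpg" | "jpeg" => Kind::Jpeg,
        "png" => Kind::Png,
        "pdf" => Kind::Pdf,
        "exe" | "dll" => Kind::PeExe,
        _ => Kind::Unknown,
    }
}

fn check(name: &str, data: &[u8]) -> Verdict {
    let (claimed, actual) = (claimed_kind(name), sniff(data));
    match actual {
        // Executable content is flagged regardless of what the name claims.
        Kind::Elf | Kind::PeExe => Verdict::HighRisk(actual),
        Kind::Unknown => Verdict::Unrecognized,
        _ if claimed != actual => Verdict::Spoofed { claimed, actual },
        _ => Verdict::Consistent,
    }
}

fn main() {
    // Constructed sample inputs: (claimed name, first bytes of the content).
    println!("{:?}", check("photo.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"));
    println!("{:?}", check("invoice.pdf", b"MZ\x90\x00\x03"));
    println!("{:?}", check("holiday.png", b"%PDF-1.7\n"));
}
```

A magic-byte match only establishes what a file claims to be at the byte level; the structural conformance checks the article mentions would require parsing each format beyond its header.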

A Broader Security Strategy

WhatsApp emphasised that Rust adoption is just one part of a wider security framework. The company continues to invest in:

  • Default end-to-end encryption for messages and calls
  • End-to-end encrypted backups
  • Key transparency to verify secure connections
  • Regular security audits, fuzzing, and static analysis
  • An expanded Bug Bounty programme, including the WhatsApp Research Proxy

WhatsApp also publishes CVEs for critical issues it discovers, even without evidence of active exploitation, to encourage faster patching and greater transparency.

Looking Ahead

By combining user-facing controls like Strict Account Settings with large-scale infrastructure upgrades powered by Rust, WhatsApp is reinforcing its commitment to secure, private communication. The company says it plans to accelerate Rust adoption across more components in the coming years, further reducing risk and strengthening protections for users worldwide.
