WhatsApp's Strict Account Settings Explained

Inside WhatsApp's Strict Security Mode | Credit: Getty
Meta has introduced Strict Account Settings for WhatsApp, but also faces a lawsuit alleging it can "store, analyse and access" private communications

When reports emerged that vulnerabilities in iOS 26.2 were being exploited, with iPhone spyware targeting public-facing figures, journalists and other high-profile individuals, encryption and security were thrust into the public spotlight.

In response to growing concerns over sophisticated, targeted cyber attacks, Meta has introduced Strict Account Settings for WhatsApp, aimed at protecting users who require enhanced security.

However, the renewed focus on safety has been somewhat overshadowed by a lawsuit filed against Meta in the US District Court in San Francisco by an international group of plaintiffs.

The lawsuit alleges that WhatsApp can “store, analyse and can access virtually all of WhatsApp users’ purportedly ‘private’ communications”, which the plaintiffs argue represents a serious breach of privacy.

Meta spokesperson Andy Stone has called the claims “categorically false and absurd” and described the lawsuit as a “frivolous work of fiction”. 

Andy Stone, Vice President of Communications at Meta

He added: “Multiple experts have commented the same, calling the suit ‘ludicrous’ and noting it's ‘long on accusations and thin on any sort of evidence.’”

What is Strict Account Settings?

Since the announcement, users have been able to activate WhatsApp’s new Strict Accounts feature in the app's settings.

An accompanying message asks users to only enable the strict account mode “if you believe you are at risk of a cyber attack”.

WhatsApp's Strict Security Mode for enhanced protections | Credit: WhatsApp

Meta software engineers Daniel Sommermann and Baojun Wang co-authored a blog detailing why the new mode has been introduced. 

They explain: “To continue ensuring users can keep messaging securely, we’re constantly adapting and evolving our strategy against cyber-security threats – all while supporting the WhatsApp infrastructure to help people connect.”

Strict account mode primarily focuses on blocking media and attachments from unknown senders among other security features – for reasons that can be traced back to 2015. 

A wake-up call for Android

Android's devices and applications encountered a major security vulnerability back in 2015 related to the Stagefright media playback engine. 

These security flaws affected Android versions 2.2 through to 5.1.1_r5. According to the US Cybersecurity and Infrastructure Security Agency, "exploitation of these vulnerabilities may allow an attacker to access multimedia files or potentially take control of a vulnerable device". 

As is often the case, users were slow to update to the latest security version, leaving themselves vulnerable to threat actors. It was at this point that WhatsApp modified its cross-platform C++ library to “detect files which do not adhere to the MP4 standard and might trigger bugs”.

How Wamedia protects users from malicious files | Credit: Engineering at Meta

Daniel and Baojun note: “We rolled out this check and were able to protect WhatsApp users from the Stagefright vulnerability much more rapidly than by depending on users to update the OS itself.”

As the figure above shows, Wamedia ran media checks automatically on download, and end users were blocked from receiving malicious files that failed validation, protecting those users.
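
The kind of structural check described above, as an added example in Rust (not WhatsApp's Wamedia code): it walks an MP4 file's top-level boxes and rejects any whose declared size is inconsistent with the bytes actually present. The function names, the `ftyp`-first requirement and the sample bytes are assumptions of this example.

```rust
// Added illustration, not WhatsApp's code: `check_mp4` and `Mp4Error` are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Mp4Error {
    Truncated(usize),  // box header does not fit at this offset
    BadSize(usize),    // declared size is smaller than the header itself
    Overrun(usize),    // declared size runs past the end of the file
    MissingFtyp,       // first box is not `ftyp` (a requirement of this example)
}

/// Walks the top-level boxes and returns their four-character types in order.
pub fn check_mp4(data: &[u8]) -> Result<Vec<String>, Mp4Error> {
    let (mut off, mut types) = (0usize, Vec::new());
    while off < data.len() {
        let rest = &data[off..];
        if rest.len() < 8 { return Err(Mp4Error::Truncated(off)); }
        let size32 = u32::from_be_bytes([rest[0], rest[1], rest[2], rest[3]]) as u64;
        let kind = String::from_utf8_lossy(&rest[4..8]).into_owned();
        let (size, header) = match size32 {
            0 => (rest.len() as u64, 8u64), // size 0: box extends to end of file
            1 => {                          // size 1: 64-bit "largesize" follows
                if rest.len() < 16 { return Err(Mp4Error::Truncated(off)); }
                let mut b = [0u8; 8];
                b.copy_from_slice(&rest[8..16]);
                (u64::from_be_bytes(b), 16u64)
            }
            n => (n, 8u64),
        };
        if size < header { return Err(Mp4Error::BadSize(off)); }
        // Compare in u64 against the bytes actually present, so a huge declared
        // size is rejected here instead of wrapping later arithmetic.
        if size > rest.len() as u64 { return Err(Mp4Error::Overrun(off)); }
        if types.is_empty() && kind != "ftyp" { return Err(Mp4Error::MissingFtyp); }
        types.push(kind);
        off += size as usize;
    }
    if types.is_empty() { Err(Mp4Error::MissingFtyp) } else { Ok(types) }
}

/// Builds one constructed sample box with an arbitrary declared size field.
pub fn sample_box(declared: u32, kind: &[u8; 4], payload: &[u8]) -> Vec<u8> {
    [&declared.to_be_bytes()[..], &kind[..], payload].concat()
}

fn main() {
    let bad = sample_box(0x7fff_ffff, b"ftyp", b"isom");
    println!("{:?}", check_mp4(&bad)); // Err(Overrun(0))
}
```

A file that fails this pre-check is never handed to the platform's media decoder, which is the property the passage above describes.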

Wamedia and Rust

Wamedia, originally developed in C++, added a new layer of security to WhatsApp, but it still carried issues, primarily that of memory safety. 

To overcome this, developers eventually turned to Rust.

Rust as a programming language is much more memory safe than C++ because its compile-time ownership, borrowing and lifetime system prevents common bugs like use-after-free, dangling pointers and data races by design.

While C++ relies heavily on developer discipline to enforce memory safety through manual memory management, Rust enforces safe memory management by default, delivering high-performance systems programming with built-in memory safety and thread safety.

Daniel Sommermann, Software Engineer at WhatsApp Inc.

Acknowledging this reality, the Rust version of wamedia was developed in parallel with the C++ version.

“In the end, we replaced 160,000 lines of C++ (excluding tests) with 90,000 lines of Rust (including tests),” note Daniel and Baojun. 

Rust also proved to be much more memory and performance efficient, thereby further cementing reasons for its mass rollout across Android, iOS, Mac, Web, Wearables and more.

The duo continue: “We believe that this is the largest rollout globally of any library written in Rust.”

Hardened defences

While Meta has long warned of dangerous files like APKs, the update tries to protect against more subtle forms of malware, hidden in the form of everyday media files like images and videos.

PDFs are often a vehicle for malware – specifically as certain embedded files and scripting elements within a PDF can be malicious in nature. 

These file types, which are “structurally conformant”, are checked by Meta for these risk indicators.


The blog also sheds light on Meta’s capabilities of detecting when “a file type masquerades as another” through a spoofed extension or MIME type.

Meta claims to have added further checks against parser differential exploit attempts by consistently checking for “non-conformant structures within certain file types to help protect downstream libraries”.

“We call this ensemble of checks ‘Kaleidoscope’,” note Daniel and Baojun.
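
Two of the checks described above, sketched as an added example in Rust (not Meta's Kaleidoscope code): comparing a file's declared MIME type with what its leading bytes say it is, and scanning a PDF for embedded-file and scripting indicators. All names, the signature list, the marker list and the sample inputs are assumptions of this example.

```rust
// Added illustration, not Meta's Kaleidoscope code: all names are hypothetical
// and the signature and marker lists are deliberately small.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Clean,
    Unknown, // leading bytes match none of the signatures below
    Masquerade { declared: String, sniffed: &'static str },
    RiskyPdf(Vec<&'static str>),
}

/// Identifies a few formats from their leading bytes, ignoring the declared type.
fn sniff(data: &[u8]) -> Option<&'static str> {
    if data.starts_with(b"%PDF-") { return Some("application/pdf"); }
    if data.starts_with(&[0xFF, 0xD8, 0xFF]) { return Some("image/jpeg"); }
    if data.starts_with(b"\x89PNG\r\n\x1a\n") { return Some("image/png"); }
    if data.len() >= 8 && &data[4..8] == b"ftyp" { return Some("video/mp4"); }
    if data.starts_with(b"PK\x03\x04") { return Some("application/zip"); }
    None
}

/// PDF names that indicate scripting, automatic actions or embedded files.
const PDF_MARKERS: [&str; 5] = ["/JavaScript", "/JS", "/OpenAction", "/Launch", "/EmbeddedFile"];

fn contains(hay: &[u8], needle: &[u8]) -> bool {
    hay.windows(needle.len()).any(|w| w == needle)
}

/// Flags a declared/actual type mismatch first, then PDF risk indicators.
pub fn inspect(declared_mime: &str, data: &[u8]) -> Verdict {
    let sniffed = match sniff(data) { Some(s) => s, None => return Verdict::Unknown };
    if !declared_mime.eq_ignore_ascii_case(sniffed) {
        return Verdict::Masquerade { declared: declared_mime.to_string(), sniffed };
    }
    if sniffed == "application/pdf" {
        let hits: Vec<&'static str> = PDF_MARKERS.iter().copied()
            .filter(|m| contains(data, m.as_bytes())).collect();
        if !hits.is_empty() { return Verdict::RiskyPdf(hits); }
    }
    Verdict::Clean
}

fn main() {
    // Constructed sample: PDF bytes sent with an image MIME type.
    println!("{:?}", inspect("image/jpeg", b"%PDF-1.7\n"));
}
```

A plain byte search like this misses PDF names that are hex-escaped or stored inside compressed object streams, so a production check would parse the objects rather than scan the raw file.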

WhatsApp’s 'approach to app security'

While Meta is coming under fire for its encryption offerings, WhatsApp provides other protections such as silencing unknown callers which can come in handy to “block sophisticated cyber attacks”.

The “Protect IP Address in Calls” setting is another interesting privacy feature that enables users to hide their location from other parties on the call.

Meta Bug Bounty, which offers big rewards to those who can spot security vulnerabilities on Meta and its family of companies, stands as a strong motivator for pen-testers and hackers to report vulnerabilities before they can cause real damage.
