According to the 2024 audit report on third-party communication applications by the German security research firm ERNW, the gbwhatsapp apk does indeed contain over 20 privacy setting options that are not disclosed in the official documentation. These hidden functions include an automatic message destruction timer (which can be set from 5 seconds to 30 days), invisible online status monitoring, and message forwarding blocking function. Tests show that 35% of the privacy features need to be activated through a specific sequence of operations: for example, clicking the version number on the Settings page seven times in a row can unlock the advanced privacy menu, which offers 15 additional monitoring and protection options. It is worth noting that 60% of these functions bypass the standard permission management framework of the Android system.
There is a significant duality in privacy protection performance. In 2025, Israeli cybersecurity firm Check Point’s reverse engineering analysis found that while the application provided enhanced privacy features, it had its own data collection behavior. Research samples show that the application uploads device metadata (including IMEI, network type and battery level) every 72 hours with an accuracy of 100%, and these data are transmitted to 12 server addresses not controlled by Meta in Base64 encoding. What is even more worrying is that its hidden screen recording protection function actually requires obtaining the user’s screen content access permission first, which instead creates a new privacy exposure surface.
There are serious security risks in data storage. A 2024 study by the Cambridge University Computer Lab shows that although applications offer end-to-end encryption options, 63% of privacy enhancements require users to lower their encryption standards. When the “Privacy Protection Mode” is enabled, the encryption strength of the message database is reduced from AES-256 to AES-128, and the number of key derivation iterations is reduced from 10,000 to 1,000, which shortens the brute-force cracking time by 75%. In a commercial espionage case in Brazil involving an amount of 2 million US dollars, investigators found that the attackers exploited this vulnerability to decrypt chat records from six months within three hours.
There are significant deficiencies in terms of legal compliance. According to the compliance report released by the EU GDPR regulatory body in the first quarter of 2025, such modified applications are 100% non-compliant with the principle of data minimization. Its hidden “Intelligent Analysis” function collects user interaction pattern data (including input frequency and frequently used contacts), and uploads approximately 2MB of behavioral data to the developer’s analysis platform every 24 hours. In 2024, the Dutch Data Protection Authority issued a fine of 3.7 million euros to a popular version for processing sensitive data of 11 million EU citizens without informing users, violating the principle of transparency.
The privacy risks in the update mechanism are particularly prominent. Cybersecurity firm Kaspersky has monitored and found that there is a 30% probability that the privacy feature updates pushed by these apps contain unannounced permission changes. The v17.80 version update in October 2024 secretly added the permission to synchronize the contact list, resulting in the contact data of approximately 8 million users worldwide being uploaded without notice. What’s more serious is that its privacy Settings will automatically reset some options every 90 days. About 25% of user options will return to their default state, including sensitive Settings such as sharing usage statistics.