schrödinger

feed me, seymour

  • WhatsApp: Technical white paper on their end-to-end encryption protocol

    Since April 2016, all WhatsApp communication (messages, group chats, images, videos, voice messages and files) is encrypted end-to-end, including metadata, which is specifically mentioned in the paper:
    • “Encrypts metadata to hide it from unauthorized network observers”
    • “No information about the connecting user’s identity is revealed.”
    • “WhatsApp servers do not have access to the private keys of WhatsApp users”
    • “WhatsApp users have the option to verify keys in order to ensure the integrity of their communication.”

    Messages are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication.
    The encryption is based on the Signal Protocol from Open Whisper Systems.

    https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf

    Message Key – An 80-byte value that is used to encrypt message contents. 32 bytes are used for an AES-256 key, 32 bytes for a HMAC-SHA256 key, and 16 bytes for an IV.
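
The construction described above, as an added Go example that is not taken from the white paper or from WhatsApp's code: it splits an 80-byte Message Key, encrypts with AES-256-CBC, and verifies the HMAC-SHA256 tag before decrypting. The split order, the PKCS#7 padding, the untruncated tag appended to the ciphertext, and the names `Seal` and `Open` are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Seal splits the 80-byte Message Key (assumed order: AES-256 key, HMAC key, IV),
// encrypts with AES-256-CBC and PKCS#7 padding, then appends an HMAC-SHA256 tag.
func Seal(mk [80]byte, plaintext []byte) []byte {
	block, _ := aes.NewCipher(mk[:32]) // a 32-byte key is always accepted
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	buf := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, mk[64:]).CryptBlocks(buf, buf)
	mac := hmac.New(sha256.New, mk[32:64])
	mac.Write(buf)
	return mac.Sum(buf) // ciphertext || 32-byte tag (assumed wire layout)
}

// Open verifies the tag in constant time before touching the ciphertext, so a
// forged or modified message never reaches the CBC decryption or padding check.
func Open(mk [80]byte, msg []byte) ([]byte, error) {
	n := len(msg) - sha256.Size
	if n < aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed message: %d bytes", len(msg))
	}
	mac := hmac.New(sha256.New, mk[32:64])
	mac.Write(msg[:n])
	if !hmac.Equal(mac.Sum(nil), msg[n:]) {
		return nil, fmt.Errorf("authentication failed")
	}
	block, _ := aes.NewCipher(mk[:32])
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(block, mk[64:]).CryptBlocks(pt, msg[:n])
	if pad := int(pt[n-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:n-pad], nil
	}
	return nil, fmt.Errorf("bad padding")
}

func main() {
	var mk [80]byte // constructed all-zero key, for demonstration only
	msg := Seal(mk, []byte("hello"))
	pt, err := Open(mk, msg)
	fmt.Printf("%q %v\n", pt, err)
}
```

Checking the MAC first is what makes CBC safe to use here: without it, a receiver that reports padding failures on attacker-modified ciphertext becomes a padding oracle.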

    Key verification:

    WhatsApp users additionally have the option to verify the keys of the other users with whom they are communicating so that they are able to confirm that an unauthorized third party (or WhatsApp) has not initiated a man-in-the-middle attack. This can be done by scanning a QR code, or by comparing a 60-digit number.

    Note: right after the news there were some rumours and quite a few discussions about the perception that WhatsApp still had access to the metadata; cf. http://seenthis.net/messages/477257

    This is probably because the privacy terms & conditions had not been updated accordingly:
    https://www.whatsapp.com/legal/#Privacy

    Notwithstanding the above, WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect.

    #WhatsApp
    #encryption
    #privacy