Privacy risk: WhatsApp for Windows Phone tags your geolocation metadata to saved photos

Privacy in smartphones is always a big deal amongst consumers, so it’s a little odd to see the super popular WhatsApp messaging client have a platform-specific privacy breach regarding geo-location metadata.

The situation is a little convoluted, so stick with us while we try to explain. Photos that are received (not sent) from WhatsApp are automatically tagged with your current location, regardless of your privacy Settings (Applications > Photos + Camera). That means if you were to then pass that photo on to someone else or upload it to SkyDrive, your location info will be preserved.

As an example, say Rich Edmonds sends me a photo of his house in the UK. When I save that photo to my gallery in the US (New York), my current location is tagged to that photo. If I were then to email it to someone or share it publicly via SkyDrive, you would all see my current location.

GPS info tagged by WhatsApp to a saved image from a user in the UK

Oddly enough, this behavior seems to be restricted to just the Windows Phone version of WhatsApp, as opposed to iOS and Android.  We also tried it on Kik and were unable to replicate the result (indeed Kik strips metadata automatically, so nothing is revealed or added).

The good news is the app is not tagging the photos you send to people with your location, which would be a lot worse. In our case, we rarely download photos from friends and then pass them on to others (and if we sent it to another Windows Phone, it would ironically be overwritten by that user’s location data).

Still, it’s discomforting to have your specific GPS coordinates stored unknowingly in your photo gallery. It also raises the question as to why WhatsApp is constantly accessing your geo-location information. Often, ads are targeted based on our current locale, so having your info picked up in an app is the norm. But WhatsApp has no ads, which means this must be a side-effect of the optional “share your location” feature (powered by Foursquare). Clearly WhatsApp is constantly accessing your phone’s location so it can be revealed quickly when called upon by the user. The problem here is that the app is wrongfully using that info all the time to tag your saved images.

We’ll of course reach out to WhatsApp and Nokia (who are helping them with development) to see if this can be resolved. For now, you’ll want to think twice about passing on photos received from friends, at least until WhatsApp patches this bug.

Thanks, Amir, for the heads up

Daniel Rubino
Executive Editor

  • Don't like this privacy intrusion. Seems we can't just remain anonymous again.
  • That needs to get corrected.
  • We haven't been anonymous for decades. This isn't new, just another intrusion.
  • should anonymous take an action on WA?
  • Does this happen if pictures are shared via SMS instead of email?
  • It should never happen, period. Your GPS info should never be tagged to saved images. Kik doesn't do it, why should WhatsApp?
  • Could you test to see what happens when pictures from WhatsApp are shared via SMS?
  • If you've turned off locations from the phone settings, how is this app then able to get our location? 
  • Should we have to turn off location always?
  • "If you've turned off locations from the phone settings, how is this app then able to get our location? "
    I think you missed the point. The solution is not for the end-user to deal with their geolocation info being saved to images by a blanket shutting off of location services for the whole phone (killing Maps, Navigation, Groupon, and dozens of other apps) but for WhatsApp to fix this bug. Your solution is like telling the 7.8 data bug users to just turn off all data on their phones. Sure, that "solves" the problem but c'mon, that's not really an option at all.
  • I agree. The app is the problem, not its users. Users should not need to jump through hoops to ensure basic functionality that they expect.
  • Speaking of the 7.8 bug. Any word on when an official fix is supposed to peak?
  • WhatsApp is buggy on my Lumia 620 lately. Sometimes it refuses to start up and it freezes too.
  • Noticed that, but I don't really care...
  • Great article! I chuckled, however, when I read, "Privacy in smartphones is always a big deal amongst consumers." The fact that Android and Google services are so popular would suggest otherwise...
  • +1
  • +100
  • Whatsapp is generally fast in addressing privacy issues, now that you have posted this info and also sent the info to Nokia, I am quite sure they will update the app and solve the problem.
  • they are fast? they try lame workarounds. when do people understand that whatsapp and a solution only for smartphone devices is just crap
  • Whatsapp replied within 2 days, that's a very fast response.
  • Why is everyone paranoid with "location"? Come on... do you walk on street covering your face? (you should, people may know where you are...)
  • Because it could potentially reveal to an internet of people where you live, work, etc... If you don't think that may be problematic, feel free to post your driver's license for the world to see.
  • "Reveal" is conditioned to only those happening to be interested in that info, not the entire world. Besides, you may lock down all location features on your phone, but someone (if determined) could picture you entering your home and post that to the web. Or if more skilled, sniff your network traffic while you are at Starbucks, hack your accounts, get your address and more. So pointing at inoffensive apps for being location trackers is just nonsense...
  • And by your reasoning, if someone really wants to break into your house, they can. So why bother locking doors, or even closing the front door when we're away from home?
    The point is, your location is just as anonymous as your home seen on Here or Bing maps (unless you were really famous; or your home an airport)
  • Haha!
  • What a brilliant analogy.
  • Would be nice for them to get things together fast; it's them and Nokia working on it, so I'm not sure why it takes so long to patch up a vital app. Don't mean to whine or complain, but they've had a number of updates already and the app is still slow, still eats battery like crazy and still uses the damn audio API which is probably the cause of most user issues with the app; I'm not sure why that wasn't top of the list when it came to updates.
  • Meh, it's just my location, not my credit card info.
  • Good to see some metadata showing up SOMEWHERE, sure as hell it ain't showing anything exif ON my WP...
    Want back the possibility to get "properties" like on old Windows Mobile without having to use apps...
  • Can those f**kers just fix this app already, n quit tryna know if I took a photo in my bathroom. Pathetic
  • Fhotoroom app also did this, if I chose to send it to SkyDrive, I can read the geotag instantly.
  • Well shit. Uninstalling.
  • Whatscrapp is so shit.
  • never really used whatsapp. not planning to use it for a long time, unless they fix the crappy audio api thingie.
  • I don't really care as have already uninstalled the software after rumours about takeover by Google.
  • You can install or uninstall any app you want but generally, it's a good idea not to act on rumours. And the $1B buyout rumour was just that... a rumour. WhatsApp denied it recently.
  • Great article. Hate to revive an old thread but I recently discovered this same windows phone/nokia vulnerability exists when photos are received from twitter and facebook, and saved to the windows phone (Lumia 922) regardless of location privacy settings. Photos that are saved/downloaded to the windows phone from facebook and twitter are geotagged/metadata tagged with the location that the phone is at when you save them/download them. It preserves YOUR location where you downloaded the photos, so when you pass that photo on to someone else or share it/upload it YOUR location information is preserved in the metadata. Has a fix/patch or solution to this been created? This exception to the privacy settings could expose the end user to potential liability because the metadata makes it look like the user that uploaded the content is also the source/author. If nothing else it tags the content with YOUR location and makes it traceable back to YOU.