Messaging apps as covert weapons: Was WhatsApp used in Israeli strikes on Iran?

Iran has said that WhatsApp leaked sensitive user data to Israeli intelligence services, hinting that this breach of privacy might have helped Israel to carry out pinpoint airstrikes that killed multiple senior Iranian military officials and nuclear scientists. 

Iran’s state broadcaster IRIB reported that Meta, the owner of WhatsApp, enabled foreign intelligence to “track and identify” high-level Iranian personnel. 

The leaked WhatsApp data allegedly includes location tags and communication metadata. 

The IRIB advised citizens to delete apps such as WhatsApp and Telegram, warning that they “record and publish the user’s location as soon as the mobile phone is turned on or connected to the internet.”

Authorities have also advised against carrying mobile phones near sensitive sites and called on individuals, particularly employees of strategic institutions, to avoid using insecure software for communication.

Meta has denied the allegations, reiterating that WhatsApp uses end-to-end encryption and does not track user locations or store logs of personal communications. In a statement to CBS News, a spokesperson called the reports “false” and expressed concern that Iran was using such claims as a pretext to block access to its services. 

Iran’s warning comes amid growing global scrutiny of encrypted messaging apps. Telegram, which claims to champion privacy, was recently the subject of an investigative report revealing that its technical infrastructure is managed by a Russian network engineer with past ties to the FSB and Russia’s defence sector. 

Meta has previously come under scrutiny for its support of Israel as well, particularly through what rights groups describe as the systemic suppression of pro-Palestinian content across its platforms. 

A 2023 Human Rights Watch Report documented over a thousand cases in which Meta removed or obscured expressions of Palestine supporters on Facebook and Instagram. 

These actions appear to reflect a broader pattern in which tech companies have been accused of enabling Israeli narratives.

Metadata exposure and pattern of surveillance

Iran’s accusations have gained traction partly because of past instances where encrypted platforms were exploited. 

In 2019, WhatsApp filed a lawsuit against Israeli spyware firm NSO Group, alleging that its Pegasus software was used to infiltrate the phones of 1,400 users, including journalists and activists, through a “zero-click” exploit. 

In May 2025, a US federal jury ruled in WhatsApp’s favour, ordering NSO to pay $168 million in damages, the first legal verdict to hold a spyware manufacturer liable for breaching the integrity of an encrypted messaging platform. 

While NSO denied the allegations, the spyware’s ability to access calls, messages, cameras, microphones, and location data has fueled public scepticism about the security of even end-to-end encrypted platforms.

Pegasus has since been linked to surveillance operations in over 50 countries and was at the centre of the 2021 Pegasus Project, which claimed that tens of thousands of phone numbers, including those of political leaders, were potential targets. 

A recent investigation by OCCRP partner Important Stories has raised serious concerns about the integrity of another messaging app, Telegram’s technical infrastructure, despite its reputation as a privacy-focused platform. 

The report reveals that thousands of Telegram IP addresses and server operations are controlled by Vladimir Vedeneev, a Russian network engineer whose other companies have provided services to Russian intelligence agencies, including the FSB and military-linked research centers. 

Although Telegram advertises end-to-end encryption, experts warn that the app’s MTProto protocol contains unencrypted metadata elements, which may allow network operators to track users’ device IDs and IP-based locations, even without reading message content.

Data localisation as a strategic safeguard

In response to growing concerns over foreign surveillance and platform vulnerability, several governments, including Iran, have intensified calls for data localisation laws that require user data to be stored within national borders. 

Advocates argue that such policies reduce reliance on the US-based cloud infrastructure and increase legal oversight over how sensitive data is accessed or shared. 

For example, India has proposed comprehensive data protection regulations mandating local storage of certain categories of personal data, while Türkiye's Personal Data Protection Authority (KVKK) has encouraged compliance mechanisms aimed at limiting foreign data flows. 

These moves reflect a broader push to bring global tech giants under the jurisdictional reach of national regulators, particularly in times of crisis or conflict, when digital communications are viewed as national security assets.

Another increasingly favoured approach is the development of homegrown messaging apps and digital ecosystems. Iran has advanced its own domestically hosted alternatives, such as Soroush, while Pakistan announced its government-developed messaging app Beep Pakistan in 2023. 

The app was designed initially for internal communication among federal officials in response to long-standing concerns about data privacy and recurring internet disruptions in the country. Developed by the National Information Technology Board (NITB), Beep aims to provide a secure, locally-hosted alternative to foreign messaging platforms.

These platforms are often marketed as more secure and less susceptible to foreign interference. 

In the current landscape, where allegations of foreign surveillance and newly exposed technical vulnerabilities are mounting, Iran’s warning about the role of messaging apps in modern warfare underscores a broader reckoning with the geopolitical risks of digital dependency. 

____

Source: TRT