WhatsApp's Media Block: A Warning Shot for Dating Apps' Encryption Reliance
WhatsApp launched Strict Account Settings in late January, blocking photos and media from non-contacts globally
The 2015 Stagefright vulnerability affected nearly a billion Android devices, allowing code execution without user interaction
WhatsApp has moved significant portions of media-handling infrastructure to Rust, a memory-safe programming language
Match Group and Bumble operate dozens of dating brands where sharing photos with strangers is core product behaviour
WhatsApp acknowledged something last week that should concern every trust and safety team in the dating industry: end-to-end encryption isn't enough to stop sophisticated attacks when users are sharing media files with strangers. The new Strict Account Settings feature, launched globally in late January, blocks photos, videos, and other attachments from non-contacts—a tacit admission that the very act of receiving and processing a file can bypass encryption protections entirely.
Dating platforms have spent years reassuring users that encryption keeps their intimate conversations safe. What they've said far less about is that malicious code can hide inside an innocuous-looking photo or video, exploiting vulnerabilities in iOS or Android file-processing libraries before encryption ever enters the equation. Users get compromised simply by receiving the file, no clicking required.
Anyone who's used a dating app in the past decade will recognise the problem immediately. Sharing photos with matches you've never met is standard behaviour on Hinge, Bumble, and Tinder. So are voice notes on apps like Chispa and MuzMatch.
The DII Take
WhatsApp's decision to build a two-tier security model is an implicit acknowledgment that certain user behaviours—specifically, exchanging media with people you don't know—carry inherent risks that encryption alone cannot mitigate.
Dating platforms facilitate exactly this behaviour at scale, yet none have implemented comparable protections or even surfaced the risk to users. The industry has leaned heavily on encryption as a trust signal whilst ignoring the attack surface that exists before and after the message is encrypted. That gap is no longer tenable.
Why this matters beyond journalists and activists
WhatsApp frames Strict Account Settings as a feature for 'high-risk users'—journalists, activists, public figures—who might be targeted by state-sponsored spyware. The company was careful to note that such attacks 'remain extremely rare today', according to its blog post announcing the feature. But the technical vulnerability the feature addresses isn't limited to Pegasus-level threats.
The 2015 Stagefright flaw, which WhatsApp explicitly referenced in its announcement, affected nearly a billion Android devices. It allowed attackers to execute code by sending a malformed video file via MMS. The recipient didn't need to open it—processing the file was enough.
Stagefright was patched years ago, but similar vulnerabilities emerge regularly in image codecs, video parsers, and PDF renderers across both iOS and Android. Dating app users are exposed to this vector constantly. A bad actor doesn't need nation-state resources to craft a malicious image file—they need moderate technical skill and a reason to target someone.
The dating context makes targeting easier: users expect to receive photos from strangers, and those photos often contain personal or intimate content, which lowers suspicion. WhatsApp's solution is to let users opt into blocking all media from non-contacts. That's a reasonable trade-off for a journalist worried about surveillance—it's unworkable for someone trying to date.
What dating platforms should learn from Rust and restrictive defaults
WhatsApp didn't just launch a user-facing toggle. The company also disclosed that it has moved significant portions of its media-handling infrastructure to Rust, a programming language designed to prevent memory-safety bugs that commonly enable exploits. According to the announcement, Rust now processes photos, videos, and messages to 'better resist spyware intrusions'—this is an infrastructure overhaul, not a feature update.
Dating platforms should take note. Most major apps are built on technology stacks that predate the current threat landscape. Moving media-processing pipelines to memory-safe languages is expensive and time-consuming, but it materially reduces the attack surface.
Match Group (MTCH) operates dozens of brands with different codebases and technology debt. Bumble (BMBL) has scaled Bumble, Badoo, and Fruitz across 150 countries. Both have the engineering resources to make this shift, but neither has publicly discussed doing so.
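To make the memory-safety point concrete, here is an added example (not WhatsApp's code, and not taken from the announcement) of a Rust parser that walks length-prefixed media boxes and rejects any declared size that is too small, too large, or would wrap the offset. The box layout, the `walk_boxes` function and the `MediaError` type are assumptions made for illustration.

```rust
// Added example: bounds-checked walk over length-prefixed media boxes. Assumed layout:
// u32 big-endian size, 4-byte type; size 1 = u64 size follows, size 0 = runs to end.
use std::convert::TryFrom;
#[derive(Debug, PartialEq)]
pub enum MediaError {
    Truncated,    // header or payload runs past the end of the input
    SizeTooSmall, // declared size is smaller than the box header itself
    SizeOverflow, // declared size cannot be represented or wraps the offset
}

/// Returns (type, payload length) for each top-level box, or the first error.
pub fn walk_boxes(data: &[u8]) -> Result<Vec<(String, usize)>, MediaError> {
    let mut boxes = Vec::new();
    let mut pos = 0usize;
    while pos < data.len() {
        // `get` yields None instead of reading past the buffer.
        let hdr = data.get(pos..pos + 8).ok_or(MediaError::Truncated)?;
        let size32 = u32::from_be_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]);
        let kind = String::from_utf8_lossy(&hdr[4..8]).into_owned();
        let (header_len, declared) = match size32 {
            0 => (8usize, (data.len() - pos) as u64),
            1 => {
                let ext = data.get(pos + 8..pos + 16).ok_or(MediaError::Truncated)?;
                let mut wide = [0u8; 8];
                wide.copy_from_slice(ext);
                (16usize, u64::from_be_bytes(wide))
            }
            n => (8usize, u64::from(n)),
        };
        // Every length derived from the file is checked before it is used.
        let size = usize::try_from(declared).map_err(|_| MediaError::SizeOverflow)?;
        if size < header_len {
            return Err(MediaError::SizeTooSmall);
        }
        let end = pos.checked_add(size).ok_or(MediaError::SizeOverflow)?;
        if end > data.len() {
            return Err(MediaError::Truncated);
        }
        boxes.push((kind, size - header_len));
        pos = end;
    }
    Ok(boxes)
}

fn main() {
    // Constructed sample: one well-formed box, then a box declaring a 4-byte size.
    let sample = [0, 0, 0, 9, b'f', b'r', b'e', b'e', 0xAA, 0, 0, 0, 4, b'm', b'o', b'o', b'v'];
    println!("{:?}", walk_boxes(&sample));
}
```

A malformed file produces an error value the caller has to handle; the declared length never becomes an unchecked offset into memory.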
The two-tier model is equally instructive. WhatsApp isn't forcing everyone into extreme lockdown; it's offering a choice. Dating platforms could do the same—a 'verified contacts only' mode that restricts media from unverified users, or a sandbox that processes incoming files in isolation before rendering them, would give high-risk users additional protection without degrading the experience for everyone else.
WhatsApp felt compelled to tell users that file-sharing can bypass encryption. Dating platforms routinely tout encryption in their marketing and trust messaging, but few explain the limitations.
The compliance and liability angle
The UK Online Safety Act (OSA) and the EU Digital Services Act (DSA) both place obligations on platforms to assess and mitigate foreseeable risks to users. If WhatsApp considers malicious media a significant enough risk to build new infrastructure and a dedicated feature, regulators may start asking why dating platforms—which facilitate media-sharing with strangers at far greater scale—haven't done the same.
Liability doesn't require a breach to occur. It requires that a platform knew about a risk and failed to act. WhatsApp's announcement is now public evidence that the risk exists and that technical mitigations are feasible.
The reputational risk is equally real. If a high-profile case emerges—a stalker exploiting a media-file vulnerability to compromise a dating app user—the question won't be whether the platform's encryption was strong. It will be whether the platform took reasonable steps to protect users from a known vector. WhatsApp can now say it did—can Tinder?
What operators should be thinking about
For product teams, the immediate question is whether media-handling infrastructure is built with memory safety in mind. If not, what's the roadmap to get there? For trust and safety teams, it's whether current policies and user education adequately address the risk of malicious media.
WhatsApp's move also signals that user expectations around privacy and security are shifting. A feature that blocks all media from strangers would have seemed absurd five years ago. Today, it's positioned as a reasonable option for anyone with heightened threat models. That shift will eventually reach dating, where users are already increasingly concerned about stalking, harassment, and data misuse.
The dating industry has long treated encryption as a solved problem—a box to tick in marketing materials and privacy policies. WhatsApp just made clear that the box is more complicated than it looked. The question is whether dating platforms will respond before the next Stagefright-level flaw makes the decision for them.
Dating platforms must evaluate whether their media-handling infrastructure incorporates memory-safe languages and whether they can implement tiered security models without breaking core product functionality
Regulators under the UK Online Safety Act and EU Digital Services Act will likely scrutinise whether platforms have assessed and mitigated the known risk of malicious media from strangers
User expectations around privacy protections are evolving rapidly—platforms that treat encryption as a complete solution risk both reputational damage and regulatory exposure when the next major vulnerability emerges