WhatsApp has announced Strict Account Settings, a new lockdown-style security feature designed to protect users facing rare but highly sophisticated cyber attacks, including journalists and public-facing figures.
The feature, which is rolling out gradually over the coming weeks, locks certain privacy and security controls to their most restrictive settings. Once enabled, Strict Account Settings limits how WhatsApp functions, including blocking attachments and media from people who are not in a user’s contacts.
WhatsApp said the feature builds on its long-standing approach of providing default end-to-end encryption for messages and calls, which it says protects more than three billion users globally.
Lockdown-style protection for high-risk accounts
Strict Account Settings can be enabled by navigating to Settings > Privacy > Advanced within the app. According to WhatsApp, the tool is aimed at users who may be targeted by advanced spyware campaigns or tailored cyber intrusions, rather than the general public.
“Online security is an adversarial space,” the company said, adding that the new controls are intended to reduce attack surfaces commonly exploited through malicious files or unexpected messages.
While the feature limits some functionality, WhatsApp stressed that it is optional and designed for users who require an elevated level of protection rather than everyday use.
Rust-based media security rolled out globally
Alongside the new user-facing controls, WhatsApp revealed more details about its behind-the-scenes security architecture, including the large-scale adoption of the Rust programming language to strengthen defences against malware hidden in media files.
WhatsApp said it has rebuilt its core media consistency library — internally known as wamedia — in Rust, replacing about 160,000 lines of C++ code with roughly 90,000 lines of Rust, including tests. The company cited improved performance, lower memory usage and stronger protection against memory safety vulnerabilities.
The Rust-based system is now deployed across Android, iOS, Mac, web browsers and wearable platforms, making it one of the largest global rollouts of Rust code on consumer devices, WhatsApp said.
Lessons from past vulnerabilities
The move follows lessons learned from the 2015 “Stagefright” vulnerability on Android, which exposed weaknesses in how operating systems processed media files. At the time, apps such as WhatsApp were unable to patch the underlying flaw directly.
To mitigate similar risks, WhatsApp developed additional media checks to detect malformed or deceptive files before they are processed by operating system libraries. These protections have since evolved into what WhatsApp calls Kaleidoscope, a system that flags suspicious attachments, disguised file types and high-risk formats such as executable files and PDFs with embedded scripts.
Each month, these libraries are distributed to billions of devices across WhatsApp, Messenger and Instagram, all owned by Meta.
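As an added illustration of the kind of pre-processing media check described above (this is not WhatsApp's Kaleidoscope or wamedia code), the Rust example below compares a file's declared extension with its leading magic bytes and flags executables and PDFs that carry script actions. All names, the small signature table and the sample inputs are assumptions constructed for the example.

```rust
// Added example (hypothetical names, constructed inputs); not WhatsApp's code.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Ok,
    Unrecognized,
    Disguised { declared: String, actual: &'static str },
    HighRisk(&'static str),
}

/// Identify content from its leading magic bytes (small illustrative subset).
fn sniff(d: &[u8]) -> Option<&'static str> {
    if d.starts_with(b"\xFF\xD8\xFF") { Some("jpg") }
    else if d.starts_with(b"\x89PNG\r\n\x1a\n") { Some("png") }
    else if d.starts_with(b"%PDF-") { Some("pdf") }
    else if d.starts_with(b"MZ") || d.starts_with(b"\x7FELF") { Some("exe") }
    else { None }
}

/// Heuristic byte scan; compressed streams or hex-escaped PDF names
/// would need a real PDF parser to catch.
fn contains(d: &[u8], n: &[u8]) -> bool {
    d.windows(n.len()).any(|w| w == n)
}

/// Check the content before handing the file to an OS media library.
pub fn check(filename: &str, data: &[u8]) -> Verdict {
    let mut declared = filename.rsplit_once('.')
        .map(|(_, e)| e.to_ascii_lowercase()).unwrap_or_default();
    if declared == "jpeg" { declared = "jpg".into(); }
    match sniff(data) {
        None => Verdict::Unrecognized,
        Some("exe") => Verdict::HighRisk("executable"),
        Some("pdf") if contains(data, b"/JavaScript") || contains(data, b"/JS") =>
            Verdict::HighRisk("pdf with embedded script"),
        Some(actual) if actual != declared => Verdict::Disguised { declared, actual },
        Some(_) => Verdict::Ok,
    }
}

fn main() {
    // Constructed sample inputs, not real attachments.
    println!("{:?}", check("photo.jpg", b"MZ\x90\x00"));
    println!("{:?}", check("pic.jpg", b"\x89PNG\r\n\x1a\n\x00"));
    println!("{:?}", check("form.pdf", b"%PDF-1.7 /OpenAction << /S /JavaScript >>"));
}
```

An executable is reported as high-risk even when its extension also mismatches, so the stronger signal takes priority over the disguise verdict.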
Strict Account Settings is one of several measures planned as part of WhatsApp’s broader defence-in-depth approach, with further security enhancements expected as the feature becomes widely available.



