Is WeChat safe for messaging and payments? A 2025 security guide

What is WeChat?

Founded in 2011 by Allen Zhang under the umbrella of his Chinese company, Tencent, WeChat features instant messaging, social media, mobile payments, and mini-programs – third-party apps within the app – under one roof. Essentially, it combines WhatsApp, Facebook, PayPal, and Amazon into a single “super app.” 

WeChat plays a central role in daily Chinese culture and has a massive global presence with over 1.41 billion monthly active users, making it the sixth largest social network on the planet. 

Key features include: 

• Communication: Instant messaging plus video and voice calls. 
• Social media: WeChat “Moments” are similar to Facebook timeline posts.
• WeChat Pay: A mobile payment platform and digital wallet for retail, service, and P2P transactions.
• Mini-programs: Third-party apps that live within the main WeChat app. They can be anything from ecommerce stores to online services to games and more.
• Business accounts: Businesses use their official WeChat accounts to make announcements and deliver customer support.

These features are not only used by people living in mainland China, but also Chinese emigrants living abroad to connect with family and friends back home.

Is WeChat secure?

WeChat employs several technical security features designed to keep your account safe, including:

• Encryption: WeChat uses a proprietary form of TLS called MMTLS (MicroMessenger TLS) to encrypt messages.
• Secure login: WeChat offers two-factor authentication, passkey login, and even voiceprint in some regions to prevent unauthorized access.
• Antimalware monitoring and fraud alerts: WeChat monitors mini-programs for malware. It also monitors account activity to flag suspicious behavior and issues fraud alerts.
• Account freezing:  If you suspect your WeChat account was compromised, or if you lost your device, you can freeze your account – on your own or with the help of a friend using their WeChat account.
• PCI-DSS compliance: WeChat Pay meets PCI-DSS standards, which means it takes the same measures to protect your credit card transactions as any other major app.

WeChat security concerns

Despite its security features, WeChat does come with significant concerns about privacy. 

Lack of end-to-end encryption (E2EE)

WeChat encrypts data, but it’s not E2EE, which means WeChat can access the content of your messages. Moreover, The Citizen Lab, an academic research group at the University of Toronto, took a deep dive into the app and found that WeChat’s custom MMTLS encryption protocol is weaker than standard TLS encryption. 

The Citizen Lab also states that WeChat is prone to leaking user IDs and other data, and it does not have reliable forward secrecy, which means that compromised keys could expose current and past communications.

Data collection practices

WeChat collects a lot of user data, including your:

• Name, number, and email address
• IP address, device, and network information
• Apple and Facebook IDs, if connected
• Location
• Gender
• Photo
• All social posts and chats, including photos and videos
• Payment information

SiliconANGLE states that WeChat’s mini-programs automatically enroll their users into WeAnalyze, a data collection program that’s difficult to opt out of. Moreover, mini-programs control their own app permissions. In addition, The Citizen Lab found that WeChat collects more data than it discloses in its privacy policy. 

The Chinese – and Russian – governments may be watching

Chinese law allows state access to user data, and that access could extend beyond China’s borders to include U.S. citizens whose data is stored on Chinese servers. In other words, anything you send or receive over WeChat can be read by a third party. 

In addition, The New York Times reports that Russian intelligence has been infiltrating WeChat’s weak encryption to monitor people it suspects of connections to Chinese spies. While most U.S. citizens aren’t engaging in the cloak-and-dagger world of foreign spycraft, it illustrates how weak encryption and overzealous governments can compromise user privacy.

Scams

Scams are rampant on WeChat, making it critical to know how to spot them before falling victim. In one incident reported by the Monetary Authority of Singapore, criminals impersonating WeChat and employees of other messaging platforms were able to scam users out of S$17.4 million ($13.5 million USD). 

Stateside, the FTC reported an investment scam targeting WeChat groups that stole millions from Chinese people living in the U.S. 

Those are just two of many types of WeChat scams, which include: 

• Impersonation, phishing, and smishing scams: A very common WeChat scam in which scammers will impersonate customer service, government entities, and even law enforcement. They might say your account has been compromised, that you owe a fee, or that you must pay a fine to avoid arrest. The ultimate goal is to steal your personal information or money.
• Fake accounts: Scammers create fake profiles that look like trusted people – friends and family members – and then try to convince you they’re in trouble and need money. In another version of this scam, they’ll impersonate celebrities and request donations for a “cause.”
• Investment scams: In this scam, criminals will promise huge returns on minimal investment. Some are so sophisticated they’ll even start paying those returns, only to convince you to invest more, when they’ll disappear with your money.
• Prize scams: A classic scam in which you’re told you’ve won a prize and need to do something that compromises your security – such as give your bank account information – to collect it.
• Malicious mini-programs: Scammers create mini-programs that look authentic but are really designed to steal your credentials or payment information.
• Romance scams: In this common social media scam, scammers catfish their suspects to build romantic online relationships, then convince their victims to send money before disappearing.

So, is WeChat safe to use in the US?

In 2020, the Trump administration attempted to ban WeChat in the U.S. over alleged national security threats. A federal judge blocked the ban, ruling that blocking it would violate free speech. 

Ultimately, safety depends on context: it’s relatively safe for basic messaging and payment, but not recommended for sensitive or private communications. 

However, keep in mind that “safe” and “private” mean two different things, as the Chinese government – and potentially other third parties – can monitor your WeChat messages and other activity. 

Is WeChat safe for payments?

WeChat Pay offers a mobile wallet and provides multiple ways for users to pay merchants and to send money to each other, including: 

• Quick Pay: Users can present scannable payment codes to merchants.
• QR Codes: Merchants can create QR codes for customers to scan and pay.
• P2P Transfers: Users can send money directly to one another (like Venmo).

WeChat employs multiple methods to secure WeChat payments. It’s PCI-DSS compliant, so it follows the same credit card protocols as other major apps. It also uses biometrics, fraud detection, and payment passwords – users must enter their codes before money is transferred. 

Though those features help secure WeChat for payments, they don’t eliminate every risk. Scammers use phishing, social engineering, and other nefarious tactics to trick users into giving them access to their accounts or sending them money. And, if WeChat detects suspicious activity, they might freeze your funds while they investigate, leaving you without access to your money.

According to the Information Technology & Innovation Foundation, many WeChat Pay features are not available to U.S. users – including P2P transfers and transfers to U.S.-based bank accounts. The organization states that the FTC should assess whether WeChat’s data practices violate U.S. privacy norms.

WeChat vs other messaging apps

Here’s how WeChat compares to other messaging apps like WhatsApp, Telegram, and Signal. 

Encryption

WhatsApp and Signal both boast end-to-end encryption, which means no one can read messages except the sender and recipient. End-to-end encryption is not turned on in Telegram by default, but you can enable it for each chat to turn them into “Secret Chats.” WeChat does not offer end-to-end encryption at all, which means messages can potentially be read by third parties like its parent company, Tencent, and even the Chinese government. 

Forward secrecy

In a nutshell, forward secrecy is when messaging apps frequently change encryption keys so that if a conversation is ever compromised, past messages still cannot be viewed. Signal, WhatsApp, and Telegram (Secret Chats only) all employ forward secrecy, but WeChat does not. So, if hackers accessed WeChat’s encryption keys, they could potentially decrypt and view your entire message history. 

Data collection

WeChat collects a lot of personal information about you, including your name, number, email address, gender, photos, location, and activity. This information, along with your metadata, could be viewed by Tencent and Chinese authorities. 

WhatsApp collects your phone number, device metadata, and some activity data like group membership, but more sensitive information like contacts and location can only be collected with your permission. Note that WhatsApp is part of the Meta ecosystem, so it could share information with other Meta services like Facebook. 

Telegram collects your phone number and metadata like your IP address. If you give permission, it can also collect your email address, contacts, and location data. Note that cloud chats are not end-to-end encrypted, so they’re less secure than Secret Chats, which are E2EE.

Signal, by design, only collects minimal data, such as your phone number at registration. If security and privacy are your top priorities, Signal is probably the best option. 

How to protect your privacy when using WeChat

Follow these tips to protect your privacy when using WeChat. 

1. Don’t allow strangers to find you

By default, anyone can find your WeChat account if they have your WeChat ID, email address, or phone number. Disable that ability by browsing to Me > Settings > Privacy > Methods for Finding Me.

2. Update your Moments settings

Strangers can view your last ten Moments updates by default. Hide your posts from strangers and decide who can view your Moments by browsing to Me > Settings > Privacy. 

3. Disable WeChat Shake

WeChat Shake is a feature that lets you connect with other nearby users by shaking your phone. Scammers could potentially use that feature to connect with you as well. Disable Shake by browsing to Me > Settings > General > Manage Discover > enable/disable Shake. 

4. Lockdown app permissions

In your Android or iOS settings, disable WeChat’s access to your location, contacts, camera, and microphone. 

5. Limit mini-program use

Limit the number of mini-programs you use, and never engage with mini-programs from entities you don’t already know and trust. 

6. Never click on suspicious links or attachments

If you receive an unexpected link or attachment in a WeChat message, don’t click it or open it, as it could lead to malware that infects your device and steals your personal data. 

7. Do not respond to unexpected communications

Scammers can send messages or even call you directly and state they represent WeChat customer support (or a mini-app) and that they need information to protect your account or they need payment. They’re often rather compelling, threatening account closure or some other dire consequence if you don’t act fast. Don’t fall victim to these scams. Instead, reach out directly to the company via their official channels to confirm the issue. 

8. Use a strong password and 2FA

Use a strong password and enable two-factor authentication to help keep your WeChat account safe. Never reuse passwords between apps and services; instead, use a strong password generator or password manager to create a new one for each.

9. Install app and OS updates

Make sure your WeChat app and operating system are always up to date, as updates often contain critical security patches. 

Final verdict: should you use WeChat?

Generally speaking, WeChat is probably OK for casual use, though it’s worth carefully considering whether you want to add your payment information – and you should not use WeChat for sensitive communications. Ultimately, there are better options for privacy-first users. 

FAQs

Does WeChat steal data?

WeChat doesn’t steal data in the criminal sense, but it does collect a lot of personal information from its users. That data – in addition to chat messages, which are not end-to-end encrypted – can be read by Tencent and even the Chinese government, per law. 

Is WeChat safe on iPhone?

Apple’s own security measures help prevent potential malware from infecting your iPhone, but since WeChat still collects a lot of data and doesn’t use E2EE messaging encryption, it still poses security risks on the iPhone. 

Is WeChat encrypted?

WeChat uses a proprietary version of TLS encryption, called MMTLS (MicroMessenger TLS). It’s not end-to-end encryption, which means WeChat’s parent company, Tencent, can decrypt and read your messages.

Does WeChat spy on you?

While WeChat probably doesn’t watch your every move, it does collect user information and track app activity. Tencent can access that data, which is also subject to snooping by Chinese authorities. 

Is WeChat safe in the US?

WeChat is relatively safe for casual use, as long as you understand that the content of your conversations and your app activity can be monitored by the company and even the Chinese government. It doesn’t infect your device with malware and the platform itself is pretty secure, but scams are rampant.

What is the biggest WeChat security risk?

WeChat’s biggest security risk is the fact that communications are not end-to-end encrypted, which means WeChat and even the Chinese government can decrypt and read your messages. Nothing you do on WeChat should be considered private or protected.