WhatsApp has strengthened its security over recent years by adding two-step verification and automatic end-to-end encryption. Despite this, there are still some security threats you need to know about.
With over a billion users, it’s almost certain that malicious cybercriminals would look to exploit the popular messaging app. WhatsApp announced the launch of a web interface and desktop application in January 2015. Unsurprisingly, hackers were quick to pounce with fake WhatsApp websites and applications that stole data and distributed malware.
Some attackers created malicious downloads that masqueraded as the WhatsApp Desktop application. Once installed, they could distribute malware or otherwise compromise your computer. Others created websites pretending to offer access to WhatsApp Web. These ask for your phone number in order to “connect you to the service” but in reality use it to bombard your WhatsApp with spam messages.
The messages you send via WhatsApp are end-to-end encrypted, meaning that only the devices at each end of the conversation can decrypt them. This prevents your messages being intercepted during transmission, but says nothing of their safety while on your device. On both iOS and Android it is possible to create a backup of your messages to either iCloud or Google Drive. The backups WhatsApp creates contain your messages in decrypted form.
The backup itself is not encrypted. If someone wanted access to your messages, they would only need the latest copy of your daily backup. It is also vulnerable as there is no ability to change your backup location, meaning that you are at the mercy of the cloud service to keep your data protected. iCloud in particular has suffered a poor reputation for security, especially after its role in the largest celebrity leak in history.
One of the supposed benefits of encryption is, for better or worse, being able to prevent government and law enforcement from accessing your data. As the unencrypted backup is available on one of two US-based cloud storage providers, all it would take is a warrant and they would have unfettered access to your messages. In many instances, this renders the end-to-end messaging encryption redundant.
Facebook Data Sharing
“We plan to share some information with Facebook and the Facebook family of companies…some of your account information with Facebook and the Facebook family of companies, like the phone number you verified when you registered with WhatsApp, as well as the last time you used our service.”
In a great use of weasel words, they also state that none of your information will be publicly visible on Facebook. Instead, it will be hidden in Facebook’s deep, and inaccessible, profile of you. It is possible to turn this data sharing off in the settings. However, to the chagrin of almost all privacy advocates, the data sharing was turned on by default, requiring every single one of WhatsApp’s over one billion users to manually head into the settings to turn it off if they weren’t comfortable.
After the change, there were expressions of concern from officials in Germany, the US, and the UK. There is now even a possible investigation into Facebook and WhatsApp’s practices by the European Commission. Since November 2016, Facebook has paused data collection from UK users after the Information Commissioner’s Office wrote to Facebook outlining the issues and asked Facebook to clarify to users how their data will be used.
In January 2017, The Guardian published a story claiming that WhatsApp’s implementation of its encryption protocol could be exploited. While your messages are end-to-end encrypted so that they can’t be read during transmission, they are decrypted locally on your phone. To verify that the device receiving the message is the intended recipient, each user has a public security key. This key changes when reinstalling the app or moving to a new phone.
The Guardian’s report claimed that, as WhatsApp has the ability to change security keys for offline users, it may be able to intercept and decrypt messages. WhatsApp could then force your phone to re-send your messages encrypted with the new security key, giving itself access to them. The Guardian claimed that this was a flaw, or an intentional feature, of WhatsApp’s implementation of Open Whisper Systems’ protocol.
However, Open Whisper Systems responded in a lengthy blog post refuting the claims of an “encryption backdoor”. Instead, they noted that a man-in-the-middle attack of this kind “is endemic to public key cryptography, not just WhatsApp”. They also disputed The Guardian’s oversimplification of the issue: the report did not mention that there are two encryption keys, one public and one private, on your device. This design is intended to prevent an attacker who compromises the server from “[lying] about a user’s public key, and instead [advertising] a key which the attacker knows the corresponding key for”.
The consensus from the technical community is that The Guardian did very little verification of the details before publishing the story. However, it did highlight that even systems that are viewed as secure, like end-to-end encryption, are not entirely flawless.
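The dispute above comes down to what a client does when the server advertises a new public key for a contact. The following is an added illustration, not code from WhatsApp or Open Whisper Systems: a simplified trust-on-first-use key store with a constructed key directory (standing in for the server), a safety-number fingerprint for out-of-band comparison, and two policies for a changed key: block and ask the user to re-verify, or accept the new key and re-send automatically.

```python
import hashlib
import secrets
from typing import Dict, Tuple

# Constructed stand-in for the server's key directory (user id -> advertised
# public key bytes). Not WhatsApp's real API; a compromised server could lie here.
SERVER_DIRECTORY: Dict[str, bytes] = {}


def register_device(user: str) -> bytes:
    """Simulate (re)installing the app: mint a fresh identity key and publish it."""
    key = secrets.token_bytes(32)  # stand-in for a real identity public key
    SERVER_DIRECTORY[user] = key
    return key


def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Order-independent fingerprint of both keys, for users to compare in person."""
    digest = hashlib.sha256(b"".join(sorted([key_a, key_b]))).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


class PinningClient:
    """Remembers the first key seen per contact and flags any later change."""

    def __init__(self, my_key: bytes):
        self.my_key = my_key
        self.pinned: Dict[str, bytes] = {}

    def check_contact(self, contact: str) -> str:
        advertised = SERVER_DIRECTORY[contact]
        known = self.pinned.get(contact)
        if known is None:
            self.pinned[contact] = advertised  # trust on first use
            return "pinned"
        return "unchanged" if known == advertised else "changed"

    def accept_new_key(self, contact: str) -> str:
        """User compared safety numbers (or the policy auto-accepts): re-pin the key."""
        self.pinned[contact] = SERVER_DIRECTORY[contact]
        return safety_number(self.my_key, self.pinned[contact])

    def send(self, contact: str, block_on_change: bool) -> Tuple[bool, str]:
        """Returns (delivered, key_status). Blocking stops the silent re-encrypt-and-resend."""
        status = self.check_contact(contact)
        if status == "changed":
            if block_on_change:
                return False, status  # hold until the user re-verifies the safety number
            self.accept_new_key(contact)  # auto-accept: the behaviour The Guardian criticised
        return True, status
```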
One More Thing…
WhatsApp recently revamped its Status feature, morphing it from a line of simple text into disappearing photo and video updates. This brought it in line with Instagram Stories and Snapchat. Despite its parent company’s seeming aversion to simplifying privacy controls, WhatsApp has made it quite easy to control who you share your Status with.
If you head into the settings you are now greeted with three privacy levels for your Status updates:
- My contacts
- My contacts except…
- Only share with…
Despite this simplicity, it isn’t immediately clear whether your blocked contacts can see your Status. WhatsApp seems to have done the sensible thing: blocked contacts are unable to view your Status. As with Instagram Stories, any videos and photos added to your Status disappear after 24 hours.
Time To Change?
If these reasons are enough to make you question your messaging app allegiance, there are other secure alternatives available. WhatsApp’s end-to-end encryption protocol was developed by Open Whisper Systems, who make their own secure messaging app, Signal. Then there is the popular Telegram, which combines the messaging capabilities of WhatsApp with the ephemeral nature of Snapchat.
Will you continue using WhatsApp? Have you ever been caught out by these security threats? Are there other alternatives available? Let us know in the comments below!
Originally written by Dann Albright on February 25th 2015