WhatsApp is easily the most widely-used instant messaging service for phones and tablets. Founded in 2009, the service has now exploded to more than 700 million active users – almost 250 million more than the second-placed alternative, China’s WeChat. Since being acquired by Facebook for an eye-watering $19 billion twelve months ago, the firm has been forced to clean up its approach to security and privacy, which resulted in the news last year that it has introduced new encryption measures.
What Was The Problem?
WhatsApp had suffered countless embarrassments and exposures over their poor security. The problems started as long ago as May 2011, when a security flaw was discovered that allowed users’ accounts to have their session hijacked (gaining unauthorised access to information by exploiting a valid usage session), and have their traffic intercepted and logged by a package sniffer. A new version of the app was released, but data continued to be sent and received in plaintext.
Their difficulties continued into 2012. At the start of the year a hacker published WhatsAppStatus.net, which allowed people to change the status of any user of WhatsApp, and the developers of the app were slow to respond – initially claiming the flaw had been fixed when in reality they had merely blocked the website’s IP address. Unsurprisingly, similar tools soon popped up, and the firm was forced to respond in a more robust way. By the late spring, WhatsApp finally stopped using plaintext for data, but its replacement – a cryptographic method – was widely criticised for being broken at launch.
In late 2013 a security researcher in The Netherlands claimed anyone with enough technical knowledge could decrypt communications sent within the app thanks to several “long documented weaknesses” – mainly the fact WhatsApp used the same encryption key on both sides of a conversation. Thijs Alkemade, the student at the University of Utrecht who discovered the flaw, said “You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort“. Adding, “There is nothing a WhatsApp user can do about this… except to stop using it until the developers can update it“.
As recently as November 2014, WhatsApp scored a mere two out of seven on the Electronic Frontier Foundation’s secure messaging scorecard – losing points thanks the fact it used an encryption which the provider had the key for, there was no way to verify a user’s identity, and its security design was not well-documented.
What Was The Response?
On the 18th November last year, WhatsApp’s new owners Facebook decided enough was enough. Although Facebook isn’t exactly well-regarded in terms of its own transparency about privacy and security, they didn’t want to jeopardise their expensive new acquisition and risk losing users to a rival service such as Viber or Tango.
As a result, they announced a new partnership with Open Whisper Systems in a deal that would finally bring end-to-end encryption to the service, hopefully banishing the gremlins of the previous three years. Open Whisper said the new encryption would be the largest of its kind anywhere in the world, and would use TextSecure – a service which uses a cryptographic key that’s unique to individual devices – to protect its giant user base. Experts were quickly impressed, as Wired claimed the solution was “practically uncrackable“, and the Wall Street Journal stated that “the encryption is so robust that even the law enforcement won’t be able to decrypt WhatsApp messages“.
How Does It Work?
Instead of storing the keys for unscrambling the encryption on a centralised server that’s owned and operated by the WhatsApp developers, end-to-end encryption works by instead only storing the keys on a user’s device. When combined with TextSecure, which uses a protocol called “forward secrecy” to issue a fresh key for every new message, it’s easy to see why WhatsApp’s CEO Jan Koum claimed they had “now built WhatsApp around the goal of knowing as little about you as possible… Respect for your privacy is coded into our DNA“.
The encryption now used by the service differs hugely from that used by similar instant messaging apps and social networks, who mostly still store the keys on their own servers as well as a person’s device. This means companies and governments can access the contents of your messages and data on demand, as well making it easier for hackers to gain access to private and personal information.
In fact, the move by WhatsApp is part of a larger movement towards increased privacy by leading tech firms, though not everyone is happy. When Apple and Google both expanded their encryption services in the run up to the WhatsApp announcement, FBI Director James Comey criticised the move, claiming that “the post-Snowden pendulum has [now] swung too far“.
Are All The Problems Fixed?
Providing effective security isn’t easy. While WhatsApp were clearly a long way behind the game at the turn of the decade, the late 2014 update sounds entirely hacker-proof. Sadly, that’s rarely the case, and in recent days more negative press has emerged for the Mountain View-based firm.
Although the contents of a user’s message seemingly remain secure, a simple piece of software has been released that can be used by hackers to circumnavigate various privacy settings – thus giving them a way to see whether a user is online or offline, a way to monitor a person’s profile picture, a way to see a user’s status, and the ability to see someone’s personalised privacy settings.
The software, called WhatsSpy Public, has been created by a Dutch developer and can reveal the timeline of a tracked-user’s online status, even if the user has the strictest privacy controls enabled. “You may think now you’ve set all options to ‘nobody’ you are safe, privacy-wise, but nevertheless I can still track your moves on WhatsApp” said the software’s designer Maikel Zweerink. The good news for users is that the software is hard to set up, and will only be able to track users on rooted Androids or jail-broken iPhones – so if you use a “vanilla” OS you should be ok.
WhatsApp have not yet responded to the allegations officially, though an insider move to play down the breach when he told the UK media that “This is not a hack… in essence he built a program that just records and monitors information he has access to anyway“.
Despite that, given WhatApp’s poor track record its users are unlikely to take much solace in the statement. Whatever the truth may be, the issue simply points to the overriding fact that security in a digital age can never be taken for granted; even when you think you’re protected you can be certain there is a hacker or criminal looking for the next bug or flaw with which to compromise you.
What Do You Think?
Do you use WhatsApp? Has its poor history ever put you off the service? Have you tried some messaging alternatives but always find yourself being drawn back to the ubiquitous app? Does privacy generally concern you, or do you subscribe to the mind-set of “nothing to hide, nothing to fear”?
We’d love to hear from you. Let us know your thoughts in the comments below.