
WhatsApp Encryption: It’s Now the Most Secure Instant Messenger (Or is it?)

Dan Price 23-02-2015

WhatsApp is easily the most widely-used instant messaging service for phones and tablets. Founded in 2009, the service has now exploded to more than 700 million active users – almost 250 million more than the second-placed alternative, China’s WeChat. Since being acquired by Facebook for an eye-watering $19 billion twelve months ago, the firm has been forced to clean up its approach to security and privacy, which resulted in the news last year that it had introduced new encryption measures.


What Was The Problem?

WhatsApp had suffered countless embarrassments and exposures over its poor security. The problems started as long ago as May 2011, when a security flaw was discovered that allowed users’ accounts to have their session hijacked (gaining unauthorised access to information by exploiting a valid usage session), and have their traffic intercepted and logged by a packet sniffer. A new version of the app was released, but data continued to be sent and received in plaintext.


Their difficulties continued into 2012. At the start of the year a hacker published a website that allowed people to change the status of any WhatsApp user, and the developers of the app were slow to respond – initially claiming the flaw had been fixed when in reality they had merely blocked the website’s IP address. Unsurprisingly, similar tools soon popped up, and the firm was forced to respond in a more robust way. By the late spring, WhatsApp finally stopped using plaintext for data, but its replacement – a cryptographic method – was widely criticised for being broken at launch.

In late 2013 a security researcher in The Netherlands claimed anyone with enough technical knowledge could decrypt communications sent within the app thanks to several “long documented weaknesses” – mainly the fact that WhatsApp used the same encryption key on both sides of a conversation. Thijs Alkemade, the student at the University of Utrecht who discovered the flaw, said: “You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort.” He added: “There is nothing a WhatsApp user can do about this… except to stop using it until the developers can update it.”

As recently as November 2014, WhatsApp scored a mere two out of seven on the Electronic Frontier Foundation’s secure messaging scorecard – losing points because it used encryption for which the provider held the key, there was no way to verify a contact’s identity, and its security design was not well-documented.


What Was The Response?

On the 18th November last year, WhatsApp’s new owners Facebook decided enough was enough. Although Facebook isn’t exactly well-regarded in terms of its own transparency about privacy and security, they didn’t want to jeopardise their expensive new acquisition and risk losing users to a rival service such as Viber or Tango.

As a result, they announced a new partnership with Open Whisper Systems in a deal that would finally bring end-to-end encryption to the service, hopefully banishing the gremlins of the previous three years. Open Whisper said the new encryption would be the largest of its kind anywhere in the world, and would use TextSecure – a service which uses a cryptographic key that’s unique to individual devices – to protect its giant user base. Experts were quickly impressed, as Wired claimed the solution was “practically uncrackable“, and the Wall Street Journal stated that “the encryption is so robust that even the law enforcement won’t be able to decrypt WhatsApp messages“.

How Does It Work?

Instead of storing the keys for unscrambling the encryption on a centralised server that’s owned and operated by the WhatsApp developers, end-to-end encryption works by storing the keys only on a user’s device. When combined with TextSecure, which provides a property called “forward secrecy” by issuing a fresh key for every new message, it’s easy to see why WhatsApp’s CEO Jan Koum claimed they had “now built WhatsApp around the goal of knowing as little about you as possible… Respect for your privacy is coded into our DNA.”
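To make the “fresh key for every message” idea concrete, here is an added illustration (not WhatsApp’s or Open Whisper Systems’ code) of a TextSecure-style hash ratchet: each message key is derived from a chain key that lives only on the two devices, and the previous chain key is thrown away, so a device state captured later cannot recover earlier messages. The root key, the XOR keystream, and the `Device` class are constructed stand-ins, and messages are assumed to arrive in order.

```python
import hashlib
import hmac

# Added illustration of a hash ratchet; not WhatsApp's or Open Whisper Systems' code.

def kdf_step(chain_key: bytes) -> tuple:
    """Return (next_chain_key, message_key) derived from the current chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def keystream(message_key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode (demo only, not AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(message_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

class Device:
    """One end of the conversation; holds nothing but its current chain key."""
    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
    def next_message_key(self) -> bytes:
        self.chain_key, message_key = kdf_step(self.chain_key)  # old chain key is gone
        return message_key
    def encrypt(self, plaintext: bytes) -> bytes:
        key = self.next_message_key()
        return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    def decrypt(self, ciphertext: bytes) -> bytes:
        return self.encrypt(ciphertext)  # XOR is its own inverse; ratchet stays in step

# Constructed root key; in practice it comes from the device-to-device key agreement.
ROOT = hashlib.sha256(b"constructed demo root key").digest()
MESSAGES = [b"first message", b"second message"]

def round_trip() -> bool:
    """Sender and receiver advance their chains in lockstep (in-order delivery assumed)."""
    alice, bob = Device(ROOT), Device(ROOT)
    ciphertexts = [alice.encrypt(m) for m in MESSAGES]
    return [bob.decrypt(c) for c in ciphertexts] == MESSAGES

def forward_secrecy_holds() -> bool:
    """A party holding the chain key *after* both messages cannot recover the first."""
    alice = Device(ROOT)
    first = alice.encrypt(MESSAGES[0])
    alice.encrypt(MESSAGES[1])
    later = Device(alice.chain_key)  # snapshot of the device state taken afterwards
    return later.decrypt(first) != MESSAGES[0]
```

The one-way HMAC step is what makes this work: from the current chain key you can only move forward, never back to the key that protected an earlier message.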



The encryption now used by the service differs hugely from that used by similar instant messaging apps and social networks, which mostly still store the keys on their own servers as well as on a person’s device. This means companies and governments can access the contents of your messages and data on demand, and it makes it easier for hackers to gain access to private and personal information.

In fact, the move by WhatsApp is part of a larger movement towards increased privacy by leading tech firms, though not everyone is happy. When Apple and Google both expanded their encryption services in the run up to the WhatsApp announcement, FBI Director James Comey criticised the move, claiming that “the post-Snowden pendulum has [now] swung too far.”

Are All The Problems Fixed?

Providing effective security isn’t easy. While WhatsApp were clearly a long way behind the game at the turn of the decade, the late 2014 update sounds entirely hacker-proof. Sadly, that’s rarely the case, and in recent days more negative press has emerged for the Mountain View-based firm.

Although the contents of a user’s messages seemingly remain secure, a simple piece of software has been released that can be used by hackers to circumvent various privacy settings – giving them a way to see whether a user is online or offline, to monitor a person’s profile picture, to see a user’s status, and to see someone’s personalised privacy settings.



The software, called WhatsSpy Public, has been created by a Dutch developer and can reveal the timeline of a tracked user’s online status, even if the user has the strictest privacy controls enabled. “You may think now you’ve set all options to ‘nobody’ you are safe, privacy-wise, but nevertheless I can still track your moves on WhatsApp,” said the software’s designer Maikel Zweerink. The good news for users is that the software is hard to set up, and will only be able to track users on rooted Androids or jailbroken iPhones – so if you use a “vanilla” OS you should be ok.

WhatsApp have not yet responded to the allegations officially, though an insider moved to play down the breach, telling the UK media that “This is not a hack… in essence he built a program that just records and monitors information he has access to anyway.”

Despite that, given WhatsApp’s poor track record its users are unlikely to take much solace in the statement. Whatever the truth may be, the issue simply points to the overriding fact that security in a digital age can never be taken for granted; even when you think you’re protected you can be certain there is a hacker or criminal looking for the next bug or flaw with which to compromise you.


What Do You Think?

Do you use WhatsApp? Has its poor history ever put you off the service? Have you tried some messaging alternatives but always find yourself being drawn back to the ubiquitous app? Does privacy generally concern you, or do you subscribe to the mind-set of “nothing to hide, nothing to fear”?


We’d love to hear from you. Let us know your thoughts in the comments below.


  1. Charlie
    November 26, 2016 at 2:14 am

    I started using scrambl3.
    It's encrypted and doesn't require phone or email to setup.
    Very good app.

  2. Vivek Kumar
    April 12, 2016 at 6:23 am

    As the keys are only stored on the user's device, how can we switch to a new device with the chat history? Do we need to manually transfer the key from the old to the new device??

  3. Amar Rahe
    December 14, 2015 at 12:09 pm

    What happens to a user's account information if, say:
    User 1 is using a company phone & SIM.
    User 1 surrenders the phone/SIM when leaving the company & forgets to delete the WhatsApp account.
    User 2 now gets the phone & installs WhatsApp on the same phone/SIM.
    User 2 will now have access to all information on the account set up by User 1.

    In my humble opinion WhatsApp should tie the account to an email address or a username as a second line against unauthorized access.

  4. Dan Price
    March 23, 2015 at 11:25 pm

    Who? And How?!

  5. Max
    March 23, 2015 at 9:03 pm

    Mota, do you know who developed Telegram? And do you know how it encrypts messages? ;) I will never use Telegram.

    • Plamen
      November 30, 2015 at 11:10 am

      Pavel Durov, who sold his stake at VK, because the government pressed him to give users' data. He declined to give that data, but sold his company, because in Russia you can go to jail if you don't play with the government. So what was your argument against Durov???

  6. Dan Price
    February 25, 2015 at 3:57 pm

    Thanks for the tip Mota!

  7. Mota
    February 25, 2015 at 1:05 pm

    ... No thanks.

    I love Telegram, it's far more secure. It's like having a WhatsApp with ACTUAL security and accessible from your tablet and PC/Mac. Seamless.

  8. Fik of Borg
    February 24, 2015 at 12:48 pm

    "... uses a cryptographic key that’s unique to individual devices ..."
    What about when someone gets a new device and makes a WhatsApp database backup on the old device and transfers it to the new one (a common procedure)?
    Until now WhatsApp offered to import the backup, but I'm not clear regarding the different key on the new device.

    • Daniel Price
      February 24, 2015 at 3:26 pm

      Good question. Honestly, I'm not sure - though I doubt after spending so much $$$ on fixing their privacy that they'd have left a gaping hole that was so exploitable.

    • unathi
      February 25, 2015 at 2:14 pm

      I love to play on WhatsApp, but most of my time I spend on my studies. The things I don't love about WhatsApp are when people are talking or sending satanism things that make me bored.

  9. nanook
    February 24, 2015 at 3:48 am

    What is a package sniffer? A type of dog? I think you were looking for the term packet sniffer. Or maybe you meant crotchhound?

    • Daniel Price
      February 24, 2015 at 3:25 pm

      I think you're right...!!

  10. Dann Albright
    February 23, 2015 at 6:59 pm

    While it's good that Facebook and WhatsApp are taking steps to make the app more secure, I don't have much confidence in their abilities. OpenWhisper has a good track record, but Facebook and WhatsApp have both been embarrassed multiple times. The existence of WhatsSpy Public is also very worrying. Sure, it's not a hugely dangerous piece of software, but it was also developed by a university student who wasn't even looking for vulnerabilities in the app. That's not good.

    I do still use WhatsApp to communicate with my family overseas, but I'm trying to use Telegram more. Though they do store unencrypted text (or they have the decryption keys; I can't remember which), there's always the private mode, which is totally end-to-end encrypted.

    As always, it will be interesting to see how Facebook responds to another revealed problem with their security!

  11. Dan
    February 23, 2015 at 2:01 pm

    The first part of this post was good, but the second part is just fear-mongering. The "attack" requires root access (a small attack vector) to work and it can only see the metadata, not the content. I don't use WhatsApp but I do use TextSecure over SMS, and I can live with the government and my carrier knowing that I am sending encrypted messages to my wife. We're plotting something, hehehe! ;-p

    • Dann Albright
      February 23, 2015 at 7:02 pm

      It may be "only" metadata, but you can learn a hell of a lot from metadata.

      Even if it requires a rooted device, it's still revealing a pretty big hole in the security. WhatsApp says it just monitors and records data that's already available, but that's definitely not what I've heard. Definitely a reasonable cause for worry!

  12. Sean
    February 23, 2015 at 12:18 pm

    I love how Whatsapp is staying true to its identity of respecting privacy over profits.

    • Daniel Price
      February 23, 2015 at 3:05 pm

      Do I detect a whiff of sarcasm?! :)

    • Testuser
      February 23, 2015 at 3:11 pm

      I hope so Daniel :P