WhatsApp, the messaging platform, has grown relentlessly since Facebook acquired it in 2014. The app now has over a billion monthly users, who send more than 30 billion messages per day.
Given growing security and privacy concerns, WhatsApp has in recent years added two-step verification and end-to-end encryption. Despite that, there are still security threats you should know about.
It is no surprise that criminals look to exploit such a popular messaging app. The company launched a web interface in January 2015 and native desktop applications in 2016, and hackers were quick to react with fake WhatsApp websites and applications that stole data and distributed malware.
Many attackers built fake downloads aimed at users new to the platform: installers that masqueraded as the WhatsApp desktop application and, once run, dropped malware or otherwise compromised the computer.
Others set up websites pretending to offer access to WhatsApp Web. They ask for your phone number "to connect you to the service" and instead use it to flood your WhatsApp with spam.
WhatsApp does offer clients for both Windows and Mac, but the safest option is to go directly to the source at https://web.whatsapp.com, typed into the address bar rather than reached through a search result or a link, and to install the desktop client only from whatsapp.com.
Messages sent via WhatsApp are end-to-end encrypted: only the sender's and the recipient's devices hold the keys needed to read them, and nobody else, WhatsApp included, can decrypt them in transit. The real issue is backups. On both iOS and Android, the backups sent to iCloud or Google Drive are made from the decrypted message store on your device.
That backup is not covered by WhatsApp's end-to-end encryption. Anyone who wants your messages no longer needs to break the encryption; they only need access to your daily backup, which in practice means access to your cloud account. A further weakness is that you cannot change the backup location, so you are at the mercy of the cloud provider to keep the data protected, and iCloud in particular has a poor reputation for security.
Facebook Data Sharing
“We plan to share some information with Facebook and the Facebook family of companies…some of your account information with Facebook and the Facebook family of companies, like the phone number you verified when you registered with WhatsApp, as well as the last time you used our service.”
WhatsApp does allow users to turn this data sharing off in the settings, but the sharing was turned on by default, so every one of WhatsApp's billion-plus users had to change the setting manually to opt out.
After the change, regulators in Germany, the US and the UK raised concerns, and since November 2016 Facebook has paused data collection from UK users after the Information Commissioner's Office wrote to Facebook outlining the issues and asking it to clarify to users how their data would be used.
At the start of this year (January 2017), a new controversy broke when The Guardian published a story claiming that WhatsApp's implementation of its encryption protocol could be exploited. Messages sent through the app are end-to-end encrypted and are decrypted only on the recipient's phone. Each user has a public identity key; the sending app encrypts to it, so only the device holding the matching private key can read the message. That key changes when the app is reinstalled or the account moves to a new phone.
The Guardian's report claimed that because WhatsApp's servers distribute those keys, WhatsApp could register a new key for a recipient who is offline; the sender's app would then automatically re-encrypt any undelivered messages to the new key and resend them, alerting the sender only if the optional "Show security notifications" setting was turned on. A server that swapped in a key it controlled could therefore read those messages. The Guardian presented this as a flaw, or a deliberate feature, of WhatsApp's implementation of Open Whisper Systems' Signal Protocol.
However, Open Whisper Systems responded in a blog post refuting the claim of an "encryption backdoor". They pointed out that the possibility of a man-in-the-middle attack by whoever distributes public keys "is endemic to public key cryptography, not just WhatsApp".
Open Whisper Systems also disputed The Guardian's oversimplification. Each user holds a key pair: a private key that never leaves the device and a public key that WhatsApp's servers hand out to contacts. Because the server sits in that distribution path, a compromised server could in principle "[lie] about a user's public key, and instead [advertise] a key which the attacker knows the corresponding key for". That is exactly why WhatsApp lets two users compare a security code (a fingerprint of both public keys) out of band, in person or over a call: if the codes match, no substitution took place, and a key-change notification tells the sender when a fresh comparison is needed.
Much of the technical community concluded that The Guardian had done very little verification before publishing the story. It did, however, highlight that a system described as end-to-end encrypted is only as strong as its key distribution and its users' willingness to check fingerprints.
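To make the dispute concrete, here is an added toy model of the three moving parts: a server that hands out public keys, an out-of-band safety number, and a sender whose app either blocks on a contact's key change or silently re-encrypts to the new key. This is illustrative code written for this page, not WhatsApp's or Open Whisper Systems' implementation; Diffie-Hellman over a Mersenne prime with a SHA-256 keystream stands in for X25519 and the Signal ratchet, and the message text and party names are constructed for the demo.

```python
"""Toy model: key server, safety numbers, and blocking vs non-blocking key change.

Added example for illustration only; not WhatsApp or Signal code. The DH group
and cipher are toys standing in for X25519 and the Signal Protocol ratchet."""
import hashlib
import hmac
import secrets

P = 2**521 - 1  # M521 (prime); toy Diffie-Hellman group, NOT for production use
G = 2
NBYTES = 66     # 521 bits rounded up to whole bytes


def keygen():
    """Return (private, public) for a fresh identity key."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:16]


def safety_number(pub_a, pub_b):
    # Order-independent so both parties read the same string to each other.
    return " ".join(sorted((fingerprint(pub_a), fingerprint(pub_b))))


def _session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P).to_bytes(NBYTES, "big")
    return hashlib.sha256(b"toy-kdf" + shared).digest()


def _keystream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt(priv, peer_pub, plaintext):
    key = _session_key(priv, peer_pub)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt(priv, peer_pub, blob):
    key = _session_key(priv, peer_pub)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None  # wrong key: this party cannot read the message
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def send(sender, advertised_pub, verified_sn, message, blocking):
    """Sender-side policy when the server advertises a (possibly new) key.

    verified_sn is the safety number the sender confirmed out of band earlier.
    Returns (ciphertext or None, key_changed)."""
    sender_priv, sender_pub = sender
    key_changed = safety_number(sender_pub, advertised_pub) != verified_sn
    if key_changed and blocking:
        return None, True  # hold the message until the user re-verifies
    # Non-blocking (the behaviour The Guardian criticised): encrypt to whatever
    # key the server currently advertises and merely notify the user.
    return encrypt(sender_priv, advertised_pub, message), key_changed


def run_scenario(server_lies, blocking):
    alice, mallory = keygen(), keygen()
    bob_old = keygen()
    # Alice and Bob compared safety numbers in person before Bob's key changed.
    verified_sn = safety_number(alice[1], bob_old[1])
    bob_new = keygen()  # Bob reinstalls the app and gets a fresh identity key
    # The server advertises Bob's genuine new key, or one the attacker controls.
    advertised = mallory[1] if server_lies else bob_new[1]
    msg = b"meet at 9, bring the documents"  # constructed sample message
    blob, changed = send(alice, advertised, verified_sn, msg, blocking)
    readers = set()
    if blob is not None:
        if decrypt(bob_new[0], alice[1], blob) == msg:
            readers.add("bob")
        if decrypt(mallory[0], alice[1], blob) == msg:
            readers.add("mallory")
    # Out-of-band check: Alice reads the code her app shows, Bob reads his.
    alice_sees = safety_number(alice[1], advertised)
    bob_sees = safety_number(alice[1], bob_new[1])
    return {"key_change_flagged": changed, "sent": blob is not None,
            "readers": readers, "safety_numbers_match": alice_sees == bob_sees}


if __name__ == "__main__":
    for lies in (False, True):
        for block in (False, True):
            print(f"server_lies={lies} blocking={block}: {run_scenario(lies, block)}")
```

The key-change flag fires in both the honest reinstall and the malicious substitution, so the notification alone cannot tell a user which one happened; only the out-of-band comparison distinguishes them. With the blocking policy nothing leaves the device until that comparison is done, which is the trade-off against message delivery that Open Whisper Systems said the debate was really about.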
Are These Reasons Enough?
WhatsApp is used by more than a billion people, and despite its assurances about the security of users' data and privacy, the issues above are reason enough for anyone to stop using the app.
What do you think? Will you continue using WhatsApp? Have you ever been caught out by these security threats? Let us know in the comments below.