Last week, The Guardian reported that a security vulnerability had been found in popular encrypted messaging app WhatsApp—and that the flaw allowed Facebook and others to intercept and read encrypted messages within the app.
However, this claim has since been criticized by some security experts.
So is WhatsApp secure or not? And if not, what can you do about it?
According to the Guardian:
“Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.”
The original article called the flaw a “backdoor”, which is said by some experts to be an inaccurate term here. A backdoor is intentionally built into software to allow access to the app without a user’s knowledge. The vulnerability within WhatsApp is, in fact, the potential for a “man-in-the-middle” attack. Here’s how it works.
WhatsApp’s encryption uses the Signal Protocol, which cryptographically identifies each device by a key pair: a public key, which the WhatsApp server distributes to other users, and a private key, which never leaves the device.
The public half of that key pair is what the WhatsApp “security code” represents: a fingerprint that two users can compare to verify that their communications really go to each other’s devices.
The issue is this: when a user changes device or reinstalls the app, the key pair changes. WhatsApp gives users the option to be notified when this happens so they can re-verify, but it’s unlikely that all users do. The WhatsApp server, however, cannot see whether users have verified the new key pairs.
The fact that WhatsApp doesn’t force users to verify these new key pairs is what makes the app vulnerable. It leaves the encryption open to potential man-in-the-middle attacks, whereby a third party (with privileged information, like a user’s registered phone number) could “slip into” the communication and substitute a key pair of its own for the contact’s.
WhatsApp could avoid this issue by blocking messages to devices with new, unverified key pairs, but the disruption to its user base, who may or may not fully understand the process, could be sizeable. It’s understandable why they haven’t chosen to do this. However, we think it is in users’ best interest to have to go through this process. WhatsApp should put the privacy and security of the user ahead of sparing them a minor inconvenience.
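To make the two behaviours concrete, here is an added simulation (not WhatsApp’s or Signal’s code) of a client that pins the last public key seen for each contact: in notify-only mode a changed key is flagged but messages still go out, while the blocking behaviour proposed above holds them until the user has compared security codes out of band. The key bytes, the security_code derivation and the scenario are constructed stand-ins.

```python
import hashlib

def security_code(pub_a: bytes, pub_b: bytes) -> str:
    """Constructed stand-in for the WhatsApp security code (real derivation differs):
    a fingerprint of both public keys as 12 groups of 5 digits, sorted so both users
    compute the same string and can compare it in person."""
    digest = hashlib.sha256(b"".join(sorted([pub_a, pub_b]))).digest()
    digits = str(int.from_bytes(digest, "big")).zfill(60)[:60]
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))

class Client:
    """One user's messaging client, pinning the last key seen for each contact."""
    def __init__(self, pubkey: bytes, block_on_change: bool):
        self.pubkey = pubkey
        self.block_on_change = block_on_change    # False = notify only (WhatsApp's default)
        self.pinned: dict[str, bytes] = {}        # contact -> last public key the server gave us
        self.unverified_change: set[str] = set()  # contacts whose key changed since last check
        self.notifications: list[str] = []

    def send(self, contact: str, server_key: bytes) -> bool:
        """Return True if a message would be encrypted to server_key and sent."""
        previous = self.pinned.get(contact)
        if previous is not None and server_key != previous:
            # A reinstall and a substituted key look identical from here: only the
            # out-of-band code comparison can tell them apart.
            self.notifications.append(f"security code for {contact} changed")
            self.unverified_change.add(contact)
        self.pinned[contact] = server_key         # first contact: trust on first use
        return not (self.block_on_change and contact in self.unverified_change)

    def verify(self, contact: str, code_read_from_contact: str) -> bool:
        """User compares the code shown on the contact's phone with their own."""
        ok = code_read_from_contact == security_code(self.pubkey, self.pinned[contact])
        if ok:
            self.unverified_change.discard(contact)
        return ok

def scenario(block_on_change: bool) -> dict:
    """Constructed run: Bob reinstalls (legitimate new key), Alice re-verifies in
    person, then the server hands Alice a key that is not Bob's at all."""
    alice = Client(b"alice-pub", block_on_change)
    bob_old, bob_new, other = b"bob-pub-1", b"bob-pub-2", b"not-bob-pub"
    out = {"first": alice.send("bob", bob_old)}
    out["after_reinstall"] = alice.send("bob", bob_new)
    out["reverified"] = alice.verify("bob", security_code(bob_new, b"alice-pub"))
    out["after_reverify"] = alice.send("bob", bob_new)
    out["unknown_key"] = alice.send("bob", other)  # nobody re-verifies this time
    out["notifications"] = len(alice.notifications)
    return out
```

In notify-only mode the last message is still sent to the unknown key; in blocking mode it is held, and only a successful code comparison would release it.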
This isn’t just an issue with WhatsApp. This is how any end-to-end encrypted messaging app works, and each one is vulnerable in a similar way. While the better option is to invest in more robust encryption that creates a secure tunnel between your device and the internet (i.e. a VPN), there are some things you can do to ensure your WhatsApp is as safe as it can be.
So what can you do to protect yourself?
1. Go into WhatsApp and ensure that the Show Security Notifications option is enabled.
2. Before starting any conversation with a new contact, verify the communication’s security via the security code.
3. When WhatsApp alerts you to a change in a contact’s security code, re-verify that contact immediately.
4. If the communication can’t be re-verified, don’t send any messages. Get in touch with your contact in person and alert other users to the issue.
Encryption is a powerful tool to ensure your security, but you have to be sure that you’re entrusting your safety to a company working hard to protect it. We hope Facebook and the WhatsApp team do the right thing to address this. We love WhatsApp, and would love to not worry too much about our privacy and security while using it.
Be vigilant about just who you trust with your online security.