Since the messaging platform WhatsApp was acquired by Facebook in 2014, its growth has been unstoppable. The app now boasts over a billion users each month who send over 30 billion messages per day.
WhatsApp has strengthened their security over recent years by adding two-step verification, and automatic end-to-end encryption. Despite this, there are still some security threats you need to know about.
Some attackers created malicious software downloads that would masquerade as WhatsApp Desktop applications. Once installed they could install and distribute malware or otherwise compromise your computer. Others turned to creating websites pretending to offer access to WhatsApp Web. They ask for your phone number in order to “connect you to the service” but in reality use it to bombard your WhatsApp with spam messages.
Although WhatsApp does offer a client for both Windows and Mac, the safest option is to go directly to the source at http://web.whatsapp.com.
The backup itself is not encrypted. If someone wanted access to your messages, they would only need the latest copy of your daily backup. It is also vulnerable as there is no ability to change your backup location, meaning that you are at the mercy of the cloud service to keep your data protected. iCloud in particular has suffered a poor reputation for security, especially after its role in the largest celebrity leak in history.
One of the supposed benefits of encryption is, for better or worse, that it prevents government and law enforcement from accessing your data. As the unencrypted backup sits with one of two US based cloud storage providers, all it would take is a warrant and they would have unfettered access to your messages. In many instances, this renders the end-to-end messaging encryption redundant.
Facebook Data Sharing
“We plan to share some information with Facebook and the Facebook family of companies…some of your account information with Facebook and the Facebook family of companies, like the phone number you verified when you registered with WhatsApp, as well as the last time you used our service.”
In a great use of weasel words, they also state that none of your information will be publicly visible on Facebook. Instead, it will be hidden in Facebook’s deep, and inaccessible, profile of you. It is possible to turn this data sharing off in the settings. However, to the chagrin of almost all privacy advocates, the data sharing was turned on by default, requiring every single one of WhatsApp’s over one billion users to manually head into the settings to turn it off if they weren’t comfortable.
After the change, there were expressions of concern from officials in Germany, the US, and the UK. There is now even a possible investigation into Facebook and WhatsApp’s practices by the European Commission. Since November 2016, Facebook has paused data collection from UK users after the Information Commissioner’s Office wrote to Facebook outlining the issues and asked Facebook to clarify to users how their data will be used.
In January 2017, The Guardian published a story claiming that WhatsApp’s implementation of its encryption protocol could be exploited. While your messages are end-to-end encrypted so that they can’t be read during transmission, they are decrypted locally on your phone. To verify that the device receiving the message is the intended recipient, each user has a public security key. This key changes when the app is reinstalled or moved to a new phone.
The Guardian’s report claimed that, as WhatsApp had the ability to change security keys for offline users, it could intercept and decrypt messages. WhatsApp could then force your app to resend undelivered messages under the new security key, giving itself access to them. The report claimed this was a flaw, or an intentional feature, of WhatsApp’s implementation of Open Whisper Systems’ protocol.
The consensus from the technical community is that The Guardian did very little verification of the details before publishing the story. However, it did highlight that even systems viewed as secure, like end-to-end encryption, are not flawless.
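The concern behind the report is the client's behaviour when a contact's security key changes: whether queued messages are silently re-encrypted to the new key, or held until the user has checked the new key. The following is an added example, not WhatsApp's or Open Whisper Systems' code, of the trust-on-first-use check a client can apply: pin the first key seen for a contact, and on a change refuse to deliver queued messages until the user has verified the new fingerprint. The fingerprint format, the `Client` class and every key and message in it are constructed for this illustration.

```python
"""Trust-on-first-use identity-key pinning for a messaging client (added example).

Assumptions (not from the article): a contact's identity key is an opaque byte
string handed to us by the server, and the fingerprint shown to the user is the
SHA-256 of that key, printed as eight hex blocks.
"""
import hashlib


class KeyChanged(Exception):
    """Raised when a contact's identity key differs from the one pinned earlier."""


def fingerprint(public_key: bytes) -> str:
    # Hypothetical display format: hex SHA-256 of the raw key, grouped in 8-char blocks
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


class Client:
    def __init__(self):
        self.pinned = {}   # contact -> fingerprint accepted on first use
        self.outbox = {}   # contact -> messages queued for (re)delivery
        self.log = []      # human-readable events, e.g. for a "key changed" banner

    def queue(self, contact: str, msg: str) -> None:
        self.outbox.setdefault(contact, []).append(msg)

    def deliver(self, contact: str, server_key: bytes, *, user_approved: bool = False) -> list:
        """Return the queued messages sent under server_key.

        On a key change the messages stay queued and KeyChanged is raised,
        unless the user has explicitly verified the new fingerprint
        (user_approved=True); the client never re-encrypts silently.
        """
        fp = fingerprint(server_key)
        pinned = self.pinned.get(contact)
        if pinned is None:
            # First contact: accept and pin the key (trust on first use)
            self.pinned[contact] = fp
            self.log.append(f"{contact}: pinned {fp}")
        elif pinned != fp:
            if not user_approved:
                held = len(self.outbox.get(contact, []))
                self.log.append(f"{contact}: KEY CHANGED, holding {held} message(s)")
                raise KeyChanged(contact)
            self.pinned[contact] = fp
            self.log.append(f"{contact}: new key accepted after user verification")
        return self.outbox.pop(contact, [])


def run_scenario():
    """Reinstall scenario: key pinned, key changes, delivery held, then approved."""
    c = Client()
    alice_key_v1 = b"alice-identity-key-v1"  # constructed, not a real key
    alice_key_v2 = b"alice-identity-key-v2"  # simulates a reinstall or new phone
    c.queue("alice", "hi")
    first = c.deliver("alice", alice_key_v1)       # pinned on first use and sent
    c.queue("alice", "are you there?")
    try:
        c.deliver("alice", alice_key_v2)           # changed key: refuse, keep queued
        held = None
    except KeyChanged:
        held = list(c.outbox["alice"])
    second = c.deliver("alice", alice_key_v2, user_approved=True)
    return first, held, second


if __name__ == "__main__":
    first, held, second = run_scenario()
    print("sent under first key:", first)
    print("held after key change:", held)
    print("sent after verification:", second)
```

The point of the design is that a changed key is a decision for the user, not the client: the queued message is still in the outbox after the change, and only an explicit `user_approved=True`, which stands in for comparing fingerprints out of band, moves the pin and releases it.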
One More Thing…
WhatsApp recently revamped their Status feature, morphing it from a line of simple text into disappearing photo and video updates. This brought it in line with Instagram Stories and Snapchat. Despite their parent company’s seeming aversion to simplifying privacy controls, WhatsApp has made it quite easy to control who you share your Status with.
If you head into the settings you are now greeted with three privacy levels for your Status updates:
- My contacts
- My contacts except…
- Only share with…
Despite this simplicity, it isn’t immediately clear whether your blocked contacts would be able to see your Status. WhatsApp seems to have done the sensible thing: blocked contacts are unable to view your Status. As with Instagram Stories, any videos and photos added to your Status disappear after 24 hours.
Time To Change?
If these reasons were enough to make you question your messaging app allegiance, there are other secure alternatives available. WhatsApp’s end-to-end encryption protocol was developed by Open Whisper Systems, who make their own secure messaging app, Signal. Then there is the popular Telegram, which combines the messaging capabilities of WhatsApp with the ephemeral nature of Snapchat.