What’s up with WhatsApp? Your messages aren’t that secure after all

What’s up with WhatsApp? Your messages aren’t that secure after all

Early last year, we featured an article discussing the use of end-to-end encryption, highlighting that there is a general trend in the market towards messaging services adopting this technology. This is partly in response to concerns many of us have about who can access our data. A year later, many mobile app developers (particularly those developing messaging services) are creating apps which proudly proclaim they “protect your privacy”, often by using “industry leading security measures”.

WhatsApp is one of the many messaging services using end-to-end encryption (the basic concepts of which are explained in this article). WhatsApp received a great deal of praise for using this technology, as it was seen as a step in the right direction towards respecting and enhancing its users’ privacy.

Everything is not as it seems

On 13 January 2017, the Guardian revealed that WhatsApp’s encryption technology has a back door (here). This back door enables the encryption keys used by WhatsApp (the vital pieces of digital information which enable your encrypted messages to be decrypted) to be re-generated. This ultimately means that entire conversations can be forwarded on, and viewed by WhatsApp (or a government agency). To be clear, the concern is not that a government agency can now intercept all of your WhatsApp messages, but that such an agency might put pressure on WhatsApp to use this vulnerability to hand them over (as was the case with the recent Apple/FBI iPhone hacking issue).

WhatsApp is also reported as having known about the encryption vulnerability since April 2016, but WhatsApp still states on its website that:

“… your messages are secured with a lock, only the recipient and you have the special key needed to unlock and read them”.

In my view, that this statement remains on WhatsApp’s website despite the encryption vulnerability creates a misleading impression of security.

Current communication trends

At a conference recently, WhatsApp set out its plans to formally offer a commercial messaging service. The messaging App has also “flourished” in international diplomacy situations (see here), with British government officials reported to be using WhatsApp in preference to the government’s own encryption services to communicate. WhatsApp’s messaging service was also used in the recent landmark deal made in Rwanda under which countries including the US, Japan, China and India agreed to phase out the use of HFCs (a key contributor to global warming).

Whilst many people might respond to this news with a short and to the point: “I don’t have anything to hide; I’m not that bothered“, WhatsApp’s increasing use in commerce and governmental negotiations means the messaging data passing through WhatsApp’s service is increasingly commercially sensitive and highly valuable. As the WhatsApp encryption vulnerability as well as the sensitive nature of the data passing through the messaging service is public knowledge, perhaps we will begin to see a migration away from WhatsApp towards messaging services which don’t suffer from the same vulnerability. This seems particularly likely given that current details point to the underlying encryption technology being secure, with the problem lying in WhatsApp’s implementation of that technology.