WhatsApp is used by over a billion people worldwide – that’s billions of messages, all allegedly private, secure, and protected by the end-to-end encryption provided by Open Whisper Systems. But are your private messages really secure?
End User Encryption Vulnerability
In early January, 2017 a ‘Backdoor’ was found in the WhatsApp system that could potentially give a third-party access to your messages. A ‘Backdoor’ is either placed by design, or by shortcoming, and it allows for unauthorized access to data, in this case, your messages. WhatsApp has previously stated that their popular messaging system is completely secure and encrypted, and indeed their encryption protocol is very safe. The problem lies not in the protocol itself but in the way it is implemented.
Defect or Feature?
When confronted with this security problem, Open Whisper Systems’ suggested that the vulnerability is not a defect, it is in fact a feature of most standard end-to-end encryption software. It seems that when posed with the dilemma between ultimate security and streamlined user-experience WhatsApp chose the latter. While they have clearly and publicly declared that they would oppose any request, even from a government department, to gain access and / or monitor user activity, there is a vast difference between choosing not to divulge information and blocking any access to it.
So what does this security vulnerability mean for the end-user? The detail lies in WhatsApp’s ever-changing encryption key that is broadcast by a contact and is not verified by WhatsApp security. Each time a contact broadcasts a new encryption key, it is not re-verified so as not to cause a break in the message delivery process.
How to Protect Your Messages
If you’re conscious about your privacy, it’s important to verify the encryption keys broadcast by your contacts before you send messages. Enable security notifications in the application itself and make sure that you manually accept and verify each encryption key broadcast by your contacts. However, you should be aware that this does not promise airtight security, seeing as WhatsApp will only notify you that the encryption key has changed after your message has been delivered. If you want to be extra cautious, conduct your private conversations on platforms like Signal that chose security over user-experience, and enable the verification of new keys before they are used.