Recently, The Guardian published a story that claimed WhatsApp to have a “backdoor” that could allow third parties to snoop-in on your conversations. A person living in the post-Snowden era, who’s concerned about their privacy and security, is likely to be alarmed. Many might not even read much beyond the title, before starting to form their own opinions on the matter at hand. In fact, there have been reports of users switching away from WhatsApp in favor of less secure options ever since the article was published.

Understand WhatsApp’s Security to Protect your Privacy

Many security researchers and tech blogs have criticized The Guardian for publishing the misleading story, and even asked them to retract it. But all they have done until now is change the word “backdoor” in the title to “vulnerability” (the original title can still be found on the article’s URL).

Is WhatsApp’s security really compromised and should you use it? We at 7labs urge you to understand the below facts and then take an informed decision.

 
WhatsApp’s End to End encryption

As of April 2016, messages transmitted on WhatsApp are end to end encrypted, thanks to the integration of Open Whisper System’s Signal protocol into their iOS, Android and Windows Phone apps. What it effectively means, is that WhatsApp communications are fully secure, thus preventing any third party from listening in on private messages and calls shared between two parties.

Assuming the two parties involved in a WhatsApp conversation use the latest version of the app, all messages are encrypted using the receiver’s public key before being transmitted over the network. The public key is stored on the WhatsApp servers, and can be retrieved by the sender for encryption purposes. However, these messages can only be decrypted back to plain text (readable form) by using the receiver’s private key, which is stored locally on the receiver’s device. At no time does WhatsApp (or any third party) have access to any users’ private keys.

In a typical Man-in-the-Middle scenario, a third person posing as the receiver may intercept and possibly alter a message before it reaches the actual receiver. In order to verify that the person you’re sending messages to, is indeed the intended receiver, WhatsApp allows users to verify their Identity Key Pair, called security code. If the security code on the sender’s side matches that of the receiver’s, one can ensure that the messages are being delivered to the intended person.

 
The alleged “backdoor”

By the design of the Signal protocol, the security code changes every time either of the two parties in communication changes their device or reinstalls WhatsApp. The sender can also opt to get notified when the security code has changed from the receiver’s side, so that the two parties can re-verify their codes.

Now, unlike the Signal app, WhatsApp does not provide an option to temporarily block communications between two parties unless their keys have been verified. So, in the event of a security code change, any undelivered message will be re-sent automatically without verifying the keys again.

So, if you have sent sensitive information over WhatsApp to one of your contacts, who’s currently offline. And if a third party gets access to their WhatsApp account from a different device before the original person does, the third party will be able to read the previously undelivered messages (indicated by a single grey tick). If the relevant option is turned on, you’d would be notified of the key pair change, suggesting a potential attack, but there’s no way to block those messages you’ve already sent.

The vulnerability here lies in how WhatsApp handles Identity Key Pair changes. WhatsApp has stated that it was an intentional design decision. And considering the product’s user base, the trade-off between a security feature and a compromise in user experience is sort of justified.

WhatsApp is used by over a billion users across different parts of the world. And there are hundreds of individuals who change their devices or reinstall WhatsApp everyday, resulting in key pair changes. If it was mandatory for all users to re-verify their security codes every time the codes changed, it would have been a huge setback for the service. In remote areas where it was not possible to re-verify codes, you couldn’t contact someone on WhatsApp who’d recently reinstalled the app. By allowing automatic resend, WhatsApp ensures that your communications are not disrupted just because someone got a new phone!

A WhatsApp spokesperson said: “In many parts of the world, people frequently change devices and SIM cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”

 
Secure use of WhatsApp

As mentioned before, WhatsApp implements the Signal protocol for End to End Encryption, the same protocol used by Snowden-approved Signal app. It does not have access to the users’ private keys, and is hence protected from potential third party interceptions. Moreover, messages that have already been delivered (indicated by double blue ticks) are not retransmitted. Only messages in the queue are sent.

Having said that, here are a few steps you can take in order to ensure that sensitive information isn’t leaked to unintended third parties.

Enable Security Notifications: The Show Security Notifications option allows you to get notified whenever a contact’s security code has changed. Once you get such a notification, you can ask your contact (through a phone call or any other alternative channel) if they have recently reinstalled WhatsApp or changed their device. If not, the conversation might have been compromised by a third party. Security Notifications can effectively be used to detect potential snooping activities when it happens.

To enable this setting, go to WhatsApp’s Settings >> Account >> Security and then turn on Show Security Notifications. This is disabled by default.

Verify and re-verify your contacts: Whoever you’re going to share information with, you should first ensure that their account is not compromised in the first place. Verify the security codes of your contacts prior to exchanging any information. Also, whenever you see a message that that a recipient’s security code has changed, re-verify the security codes with them.

Ensure key pair integrity: Since undelivered messages are automatically resent in the event of a security code change, you need to be sure that the Identity Key Pair is not changed while sensitive information is in transit. Initiate the conversation on a casual note and wait for a reply. Once the receiver is online and no key pair change is indicated, you may go ahead with sharing the intended information. Such an approach reduces the possibility of a snooping attack.

If you’re really concerned about potential third parties snooping into your messages, use an alternative app like Signal to exchange sensitive information. You could still continue using WhatsApp for casual conversations, as most of your friends are likely to be active WhatsApp users.

WhatsApp could introduce an optional setting, allowing users to block undelivered messages in case of a security code change. But WhatsApp seemingly does not have any plans for implementing it, going by the fact that the vulnerability was first reported to Facebook (which currently owns WhatsApp) way back in April 2016.

Update:

WhatsApp has recently been rolling out an update, which allows users to configure a new two-step verification system. With it, users will be prompted to enter a pre-configured 6 digit passcode every time they reinstall WhatsApp. WhatsApp will also send periodic prompts to enter this passcode, just to ensure that it’s not forgotten. To enable Two-step verification on WhatsApp, follow the steps provided below:

  1. Open WhatsApp Settings >> Account >> Two-step verification.
  2. Tap on Enable. This will initiate the setup process.
  3. In the next two screens, you’ll be asked to enter and confirm the 6 digit security passcode that you wish to set for verification purposes, should you have to reinstall WhatsApp in future.
  4. In the subsequent two screens, you’ll enter and confirm an email address, which will help you recover the 6 digit passcode, should you forget it at any time.

Two-step verification has now been setup for your WhatsApp account.

This new feature adds an additional layer of security against unauthorized account access, and hence reduces the risk of third party interceptions.

 
What could WhatsApp potentially share with Law Enforcement agencies?

Now we know that because of End to End Encryption, the contents of message conversations being shared on WhatsApp are fairly secure. And, unless someone gains unauthorized access to a contact’s account, it is nearly impossible to snoop in on private conversations.

However, tech companies like Facebook, WhatsApp and others are often asked by law enforcement agencies to share customer information, usually in order to help with criminal investigations. And while the message contents themselves are encrypted, WhatsApp could be obliged by law enforcement agencies to provide user information, which is non-encrypted.

Such information (mostly metadata) may include details like, phone numbers of persons in a WhatsApp conversation, the time and duration of conversation, the IP addresses involved, and even the respective location and other contact details of the WhatsApp accounts in question.

It is important to mention here that, while such details may indirectly be used to track potential suspects in criminal investigations, it should not affect you as an individual, as long as you’re not doing anything illegal. While personal privacy and security are gaining a top spot in today’s agenda, criminals should not be allowed to take advantage of the situation. A balance needs to be struck between what is okay to share with the agencies, and what’s not.

If you are still uncomfortable about WhatsApp tracking your details, you could use a VPN service to mask your actual IP address, and protect yourself from potential trackers.

As of today, WhatsApp hasn’t released any transparency report about how many, or what type of customer data requests it has handled till date. While this move may be highly criticized, maybe the company does not wish to disclose it because the information could then be effectively used by criminals to get around trackable situations.