Does WhatsApp’s Encryption Really Protect You?

Yasuyoshi Chiba/AFP/Getty Images

WhatsApp icon | Yasuyoshi Chiba/AFP/Getty Images

There are plenty of reasons to replace the texting app that came preloaded on your phone with a messaging app that’s smarter and more capable. Not only will you get fun new features, but you’ll more easily be able to sync your messages between your devices, or communicate with friends and family who live abroad without paying a hefty per-message charge. But one of the biggest reasons to switch to a messaging app are the privacy and security benefits. So it’s worth paying attention to the encryption that WhatsApp, the world’s most popular messaging app, has enabled for all 1 billion of its users.

As WhatsApp’s FAQs explain, the purpose of end-to-end encryption in the latest versions of the app is to prevent “your messages, photos, videos, voice messages, documents, and calls … from falling into the wrong hands.” End-to-end encryption is available when you and the people you’re messaging are using the latest versions of WhatsApp, and end-to-end encryption is always activated provided all parties are using the latest version of the app. As the company’s website explains:

WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp. Your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read your message. For added protection, every message you send has a unique lock and key. All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages.

Keezel founder Aike Müller reports for VentureBeat that while WhatsApp’s choice to add end-to-end encryption to its platform reignited the debate that pits national security against individual privacy, WhatsApp got “nothing but praise” from the tech world for implementing end-to-end encryption to protect users’ privacy and ensure that no one, not even WhatsApp itself, can eavesdrop on their communications.

Müller reports that the news that the company used the Signal Protocol designed by Open Whisper Systems for its encryption “lent the move an extra dose of authority and credibility and WhatsApp was hailed as an example to follow, a true privacy trailblazer democratizing encryption by making it available to the masses.”

But can you trust WhatsApp’s encryption? Müller writes that he has a few questions about WhatsApp’s encryption — questions that could point to some potential holes in the messaging platform’s encryption. For instance, WhatsApp will still keep records of users’ metadata. So even though the content of a message will only be readable by the sender and the recipient, the phone numbers involved in the exchange and the timestamps on the messages will still be stored on the company’s servers.

That means that if a court orders WhatsApp to share the information it has on a user, “the amount of metadata the company would be handing over would most likely be sufficient to create a profile and draw some strong conclusions,” Müller explains. “Knowing who someone talked to, at what time, and how many times per day is some pretty powerful information to have, don’t you think?”

Another potential privacy concern? WhatsApp was acquired by Facebook in 2014, a company that makes money by serving ads that are informed by your behavior and personality as a consumer. Which is why Müller says he’s “a little bit worried about WhatsApp’s quest to provide privacy to 1 billion people.” Screenshots of a recent beta update for WhatsApp revealed that the company was planning to ask users to share their WhatsApp account information with Facebook.

If that were to happen, Facebook would begin to see all of WhatsApp’s metadata — metadata that could enable Facebook to create an even more accurate profile of you than the one it’s already compiled. And even if that doesn’t happen, if you agree to Facebook’s request to “secure your account” by adding your phone number, it’s possible that Facebook could use your phone number to link your Facebook and WhatsApp accounts on its own, without your consent or knowledge.

Additionally, Müller posits that while WhatsApp isn’t making any money for Facebook currently, the app will almost certainly be monetized in some way in the coming years. WhatsApp has made it clear that it isn’t planning to enable brands to advertise to users on its platform, but it’s unclear whether potential sources of revenue like enabling users to communicate directly with companies will really bring in enough money in the long run. In sum, Müller thinks that WhatsApp’s implementation of end-to-end encryption is a “huge step forward for online privacy.” But that doesn’t mean that you can safely assume that there’s no way for your privacy on WhatsApp to be compromised, either now or in the near future.

It might not be wise to assume that WhatsApp’s security framework is unassailable on its own, even without unease about Facebook’s record on user privacy in the picture. Researchers at security firm Positive Technologies report that WhatsApp’s encryption could be “rendered ineffective” by vulnerabilities in the Signalling System 7 (SS7) framework on which both WhatsApp and other messaging apps like Telegram are built. The researchers explain:

It’s a known fact that one-time codes via SMS are insecure, because mobile communication is insecure. Both the SS7 network and air interface encryption algorithms suffer from vulnerabilities. Attacks on SS7 may be conducted from anywhere, and hackers may choose other targets apart from messengers.

SMS authentication is a major security mechanism for apps like WhatsApp (or Facebook). To authenticate a user, devices or apps send SMS messages via the SS7 network to verify his or her identity. The problem is that an attacker could easily intercept these messages and assume the identity of a targeted user. A hacker could gain full access to a user’s account, “including the ability to write messages on behalf of the victim as well as read all the correspondence.” The researchers conclude not only that mobile operators need to improve their signaling security, but that messaging platforms like WhatsApp “need to add another layer of verification” of the user’s identity.

As Paul Wagenseil reports for Tom’s Guide, Positive Technologies has exposed a problem that affects not only WhatsApp’s verification process, but the two-step verification system used by Telegram, Google, Amazon, LinkedIn, and dozens of other apps and services. Facebook’s two-step verification system, on the other hand, uses the Facebook app itself and therefore is more secure.

The upshot is that even if WhatsApp is using end-to-end encryption, that alone can’t keep your communications safe if the framework on which the app is built is left vulnerable. But Wagenseil notes that the “silver lining to all this bad news is that it’s normally not that easy to get into the SS7 system.” The problem is that with 800 different telecommunications companies worldwide using SS7, some have weaker security than others. And SS7, which was set up during the 1970s, “doesn’t ask for internal verification of commands once you’re in the system.”

Is this likely to pose a problem to the average WhatsApp user? Probably not. But if you’re the target of a national intelligence agency, a sophisticated criminal, or (in this case) some determined security researchers, WhatsApp’s reliance on SMS verification codes doesn’t warrant the total trust that you might think the implementation of end-to-end encryption would merit.

More from Gear & Style Cheat Sheet: