If you own a smartphone you’re probably familiar with WhatsApp – the popular mobile messaging service used by over 1 billion persons on a daily basis. The success seen by app has been attributed to a number of things, but one of them is security.
Back in April, the company announced it was enabling end-to-end encryption for its entire user base. This meant that every message, video or image exchanged via the app were visible ONLY to the parties involved in the conversation. Not snoopers, not hackers or governmental agencies. Well at least in theory.
A recent article from The Guardian reveals how cryptography and security researcher, Tobias Boelter from the University of California discovered a security backdoor in WhatsApp which allows third-parties to intercept and read encrypted messages.
Following the publication of the news piece, WhatsApp was quick releasing a statement denying the information, which read:
“WhatsApp does not give governments a “backdoor” into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.”
And it turns out the vulnerability was no stranger to security experts and WhatsApp never really tried to hide it from general view. Boelter himself altered the company his findings back in April, but was told WhatsApp was already aware of the vulnerability.
The bug manifests when one end sends a message to another party who is not currently online or has a new phone or doesn’t have the app installed. Given that one of the two ends is “non-existent” at the time of delivery, new encryption keys for the recipient are created, so the absent party can still view the message once he/she returns online.
The report goes on to say the problem is that WhatsApp doesn’t alert users of this shift in encryption keys, while the message’s security status remains uncertain until the other party logs in. Which leaves the door open for message interception.
However most cryptography experts seem to disagree with the report and point out the vulnerability (not backdoor) is actually a design choice made by WhatsApp so that chats could flow seamlessly.
Users who are really worried their information might get intercepted can go ahead and enable a setting in WhatsApp that will alert them when a friend changes devices after the message has been delivered. However, most users don’t know this option is available for them.
Even if the issue has been blown up of proportion, the WhatsApp vulnerability does pose a question. How should an encryption app handle the situation of users switching phones? WhatsApp decided to keep the conversation flowing while, Signal – another messaging app won’t send messages and will alert senders the recipient switched devices.
WhatsApp has opted for a “non-blocking’ approach to deliver the messages, in an attempt to provide a simpler, flowing user experience. Which shows us just how difficulty is to leverage security and the demands / expectations of every day users.