WhatsApp is more than just a freeware messaging platform and SMS text messaging alternative. Since its original development by Facebook over eight years ago, it has become one of the most popular apps of its type in existence. According to a post on the company’s own blog, more than 100 million voice calls alone are made every day as of June 2016. By early January of 2015, the service had over 700 million monthly active users all over the world and sent over 30 billion text-based messages each day. By any metric you can think of, that’s a massive success.
A lot of WhatsApp’s popularity stems from the fact that it offers a key feature that other services don’t — end-to-end encryption. Since 2014, WhatsApp has offered total encryption to all users free of charge. This means that only the person sending the message and the person receiving it can actually read it. Even if someone does happen to be using sophisticated technology to intercept that data while it’s in transit, it would be completely unreadable. To its credit, Facebook has always claimed that NOBODY can intercept WhatsApp messages — not even Facebook employees.
A recently uncovered vulnerability, however, calls all of this into question.
The WhatsApp Situation
For end-to-end encryption to work properly, only two people can have decryption keys — the sender and the recipient. So long as nobody has physical access to either of the two devices, a conversation is completely impenetrable. A security vulnerability — one that was intentionally built into the app’s code by its developers — changes things significantly, however. Experts have stated that WhatsApp actually has the ability to “force” the creation of a secondary set of encryption keys for offline users, all without actually telling the users what is going on.
This means that if someone is targeted by the United States government, for example, WhatsApp can actually generate a secondary set of encryption keys that would let officials spy on messages being sent and received. All the while, the original users would think that nothing was wrong.
The vulnerability was originally discovered by a cryptography and security researcher named Tobias Boelter at the University of California. He reported what he initially assumed to be a problem to Facebook in April of 2016, only to be told that this was “expected behavior.” Reading between the lines, it’s easy to see that this is less a flaw and more a “feature” — one that has harrowing implications for freedom of speech and cyber privacy in general. Since Boelter’s findings, other organizations like The Guardian have been able to confirm that the vulnerability still exists as of January 2017.
Naturally, this was big news when the story originally broke. Members of the WhatsApp team said that this is seen as “acceptable” because, in theory, it will never affect the majority of the service’s users. For this “security loophole” to be employed at all, a particular user or set of users must be targeted. It’s not as though someone could read any of the billions of messages being sent each day on a whim; someone needs a reason to look at the messages of a select person. The fact that the vulnerability exists at all, however, calls the company’s entire mantra of “privacy for all” into question.
Thankfully, there is a mechanism built into the WhatsApp application that allows users to see if this vulnerability is actively being used. By opening the app and selecting the “Security” option, followed by the “Account” option and then navigating to the “Security” screen, they can enable a feature called “Show Security Notifications.” This will alert a user when a contact’s security code has been changed. While this does happen if someone buys a new phone or uninstalls and reinstalls the app, it will ALSO happen if decryption codes are changed due to someone making use of this security issue.
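To make the behaviour described above concrete, here is a small simulated messaging client written for this article (it is not WhatsApp or Signal code). It models a contact’s identity key being replaced while they are offline and shows the three ways a client can handle the messages queued for them: re-encrypt to the new key silently, re-encrypt but raise the “security code changed” notification, or hold them until the user verifies the new code. Contact names and key values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    """Simulated client with trust-on-first-use key pinning (illustrative only)."""
    show_security_notifications: bool = False  # the setting the article describes
    hold_on_key_change: bool = False           # stricter: hold until user re-verifies
    pinned: dict = field(default_factory=dict) # contact -> identity key seen so far
    outbox: list = field(default_factory=list) # (contact, text) not yet delivered
    sent: list = field(default_factory=list)   # (contact, key_used, text)
    alerts: list = field(default_factory=list) # key-change notices shown to the user
    unverified: set = field(default_factory=set)

    def queue(self, contact, text):
        """Compose a message; it waits here while the contact is offline."""
        self.outbox.append((contact, text))

    def on_identity_key(self, contact, key):
        """Server announces `key` for `contact`; returns how many messages went out."""
        old = self.pinned.get(contact)
        self.pinned[contact] = key
        if old is not None and old != key:
            # The key changed while the contact was offline. That can be benign
            # (new phone, reinstall) or a second key set forced as the article describes;
            # the client cannot tell which, so only the user can decide.
            if self.show_security_notifications:
                self.alerts.append((contact, old, key))
            if self.hold_on_key_change:
                self.unverified.add(contact)
        return self._flush(contact)

    def verify(self, contact):
        """User compared the new security code out of band and accepted it."""
        self.unverified.discard(contact)
        return self._flush(contact)

    def _flush(self, contact):
        if contact in self.unverified or contact not in self.pinned:
            return 0
        ready = [m for m in self.outbox if m[0] == contact]
        self.outbox = [m for m in self.outbox if m[0] != contact]
        for c, text in ready:
            self.sent.append((c, self.pinned[c], text))  # encrypted to the current key
        return len(ready)


def scenario(show_notifications, hold):
    """Constructed scenario: bob's key is swapped while one message waits for him."""
    client = Client(show_notifications, hold)
    client.on_identity_key("bob", "KEY-A")               # first contact: KEY-A is pinned
    client.queue("bob", "meet at 9")                     # bob is offline; message waits
    delivered = client.on_identity_key("bob", "KEY-B")   # server now presents KEY-B
    return delivered, len(client.alerts), len(client.outbox)
```

With both options off the queued message is simply re-encrypted to KEY-B and the user never learns that anything changed; turning on notifications makes the change visible, and holding delivery until verification is what prevents the message from being encrypted to a key the user never checked.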