The very excellent Electronic Frontier Foundation have recently published an article expressing their security concerns about WhatsApp. In short, these are:
Unencrypted backups
WhatsApp prompts you to choose how often to back up your data to the cloud. These backups are unencrypted and not password protected. The advice is to never back up your messages to the cloud, since that would deliver unencrypted copies of your message log to the cloud provider.
Key change notifications
Key verification is critical to prevent a Man in the Middle attack, in which a third party pretends to be a contact you know. If your contact’s key changes suddenly, this could be an indication that you are being man-in-the-middled (though typically it’s just because your contact has bought a new phone and re-installed the app).
If the encryption key of a contact changes, this fact is hidden away by default. To turn notifications on, go to Account/Security/Security Notifications and switch it on.
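As an added illustration of why that notification matters (this is not code from the EFF article or from WhatsApp), here is a small trust-on-first-use key store in Python: it pins a contact's identity-key fingerprint the first time it is seen, reports any later change instead of silently accepting the new key, and only re-pins once the user has compared the fingerprint out of band. The key bytes are constructed samples, not real WhatsApp keys.

```python
import hashlib

# Constructed sample identity keys (hypothetical, not real WhatsApp keys). In a real
# client these would be the contact's long-term public key bytes.
ALICE_KEY_V1 = b"\x05" + bytes(range(32))
ALICE_KEY_V2 = b"\x05" + bytes(range(32, 64))


def fingerprint(public_key: bytes) -> str:
    """Human-comparable fingerprint of an identity key: SHA-256 hex, grouped in fours."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class KeyStore:
    """Trust-on-first-use store: remembers each contact's fingerprint and reports changes."""

    def __init__(self) -> None:
        # contact -> fingerprint pinned on first contact (or after explicit verification)
        self.pinned: dict[str, str] = {}

    def check(self, contact: str, public_key: bytes) -> str:
        """Return 'new', 'unchanged' or 'CHANGED' for the key a contact now presents."""
        fp = fingerprint(public_key)
        previous = self.pinned.get(contact)
        if previous is None:
            self.pinned[contact] = fp
            return "new"
        if previous == fp:
            return "unchanged"
        # The key differs from the pinned one. Keep the old pin: a changed key may be a
        # reinstalled app, but it is also exactly what a man-in-the-middle looks like,
        # so the new key is accepted only after out-of-band verification.
        return "CHANGED"

    def verify(self, contact: str, public_key: bytes, out_of_band_fp: str) -> bool:
        """Re-pin a contact's key only if the fingerprint read from the contact's own
        device (in person, or over a call) matches the key now being presented."""
        fp = fingerprint(public_key)
        if fp != out_of_band_fp:
            return False
        self.pinned[contact] = fp
        return True


if __name__ == "__main__":
    store = KeyStore()
    print(store.check("alice", ALICE_KEY_V1))  # new
    print(store.check("alice", ALICE_KEY_V2))  # CHANGED
    print(store.verify("alice", ALICE_KEY_V2, fingerprint(ALICE_KEY_V2)))  # True
```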
Web app
WhatsApp provides an HTTPS-secured web interface for users to send and receive messages. A web application served this way can easily be modified to deliver a malicious version of the application, one capable of passing all your messages to a third party. A better, more secure option would be to provide desktop clients in the form of extensions rather than a web interface.
Facebook data sharing
WhatsApp’s recent privacy policy update announced plans to share data with WhatsApp’s parent company Facebook, signalling a concerning shift in WhatsApp’s attitude toward user privacy. As covered in our earlier post, while existing WhatsApp users were given 30 days to opt out of this change in their Facebook user experience, they cannot opt out of the data sharing itself. This gives Facebook an alarmingly enhanced view of users’ online communications activities, affiliations, and habits.
For full details you can read the original article here.