Last week, the Guardian published a report highlighting a security researcher’s discovery of what he described as a serious flaw in WhatsApp, the popular messaging service owned by Facebook and used by more than a billion people around the globe.
The findings, published by researcher Tobias Boelter, centered on the end-to-end encryption that WhatsApp uses by default and how it handles encryption keys while offline. “End-to-end” encryption means that a message is coded on the sender’s device, and decoded on the recipient’s device, so that anyone who intercepts the message is left with an encrypted, unreadable jumble of text. The encryption keys are how the app determines that the sender and recipient are who they say they are. WhatsApp “automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.” The bottom line is this: A very dedicated person could exploit this slight window with the right, very specific tools.
Another security researcher quoted by the Guardian explained it thusly: “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”
Facebook, when contacted about the app’s behavior, said that it was expected behavior, and not the sort of back door that Boelter was making it out to be. Still, the report set off panic about WhatsApp’s security, with activists reportedly telling each other to leave the app for fear of its security holes.
Should they have? There’s a high-level security debate to be had over the app’s design, but many security experts agree that the perceived vulnerability is not a wide-open back door into the system.
This week, dozens of cybersecurity experts are calling on the Guardian to retract or correct their story, worried that it has scared users into switching to less secure messaging options.
The experts’ letter is extensive in its rebuttal but here’s the tl;dr section toward the end.
1: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a “loophole” or a “backdoor” is not productive or accurate.
2: The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning–even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method.
3: Telling people to switch away from WhatsApp is very concretely endangering people. [Popular messaging app] Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what’s actually been happening since the publication of this story and years of experience in these areas.
4: You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a “vaccines can kill you” story without interviewing doctors, and your defense seems to be, “but vaccines do kill people [through extremely rare side effects].”
So, is WhatsApp safe to use? In 99 percent of applications, the answer is yes. (And if you need a chat app for that other one percent of applications, you probably aren’t getting your security news from Select All.) Certainly, it’s still one of the safest options you can use if you want to easily encrypt your communications, despite what you may have heard.
Now, if you’re particularly paranoid, you may not want to use an app owned by an enormous corporation like Facebook, one that has a documented relationship with the U.S. government. That’s okay, too. The bottom line in current mobile-messaging security anyway is that the independent, open-source app Signal is the all-around safest and most secure option available. WhatsApp is a fine alternative, but your best bet might just be to use Signal.
