UPDATE (1/26/17): In response to news about WhatsApp's key management choices, we have added additional information about related trade-offs under "Key change notifications."
After careful consideration, we have decided to add additional warnings and caveats about using WhatsApp to our Surveillance Self Defense guide.
No technology is 100 percent secure for every user, and there are always trade-offs among security, usability, and other considerations. In Surveillance Self Defense (SSD), we aim to highlight reliable technologies while adding caveats to explain how their various strengths and weaknesses affect user privacy and security. In the case of WhatsApp, it is getting harder and harder to adequately explain its pitfalls in a way that is clear, understandable, and actionable for users. This is especially true since WhatsApp’s announcement that it would be changing its user agreement regarding data sharing with the rest of Facebook’s services.
This is unfortunate precisely because of WhatsApp's security strengths. Under the hood, WhatsApp uses the best-in-breed for encrypted messaging: the Signal Protocol. This gives a high assurance that messages between you and your contacts are encrypted such that even WhatsApp can’t read them, that your contacts' identities can be verified, and that even if someone steals your encryption keys and is able to tap your connection, they can’t decrypt messages you’ve already sent. In crypto parlance, these guarantees are termed end-to-end encryption, authenticity, and forward secrecy.
We take no issue with the way this encryption is performed. In fact, we hope that the protocol WhatsApp uses becomes more widespread in the future. Instead, we are concerned about WhatsApp’s security despite the best efforts of the Signal Protocol. Every application includes various components: the user interface, the code that interacts with the operating system, the business model behind the whole operation—and secure messaging apps are no exception. It is in the changes to this surrounding functionality that we have identified various places where a user can dangerously overestimate WhatsApp’s security.
Below we describe our four greatest concerns in more detail.
Unencrypted backups
WhatsApp provides a mechanism to back messages up to the cloud. In order to back messages up in a way that makes them restorable without a passphrase in the future, these backups need to be stored unencrypted at rest. Upon first install, WhatsApp prompts you to choose how often you wish to back up your messages: daily, weekly, monthly, or never. In SSD, we have advised users to never back up their messages to the cloud, since that would deliver unencrypted copies of your message log to the cloud provider. In order for your communications to be truly secure, any contact you chat with must do the same.
Key change notifications
If the encryption key of a contact changes, a secure messaging app should notify you and prompt you to accept the change. On WhatsApp, however, if your contact changes keys, this fact is hidden away by default. To be notified, users have to search for the setting “Security Notifications” (found under “Security” in the “Account” section of your user settings) and manually switch it on.
Note that even when you turn this setting on, you will be notified of a key change only after the message in question has been sent. If your threat model can tolerate being notified after a potential security incident, then turning this setting on may suffice. However, if you are a high-risk user whose security might be compromised by a single revealed message, getting notified after the fact poses risks.
Key verification is critical to prevent a Man in the Middle attack, in which a third party pretends to be a contact you know. In this attack scenario, the third party sits in the middle of your connection and convinces your device to send messages to them instead of your contact, all the while decrypting those messages, possibly modifying them, and sending them along to your original, intended recipient. If your contact’s key changes suddenly, this could be an indication that you are being man-in-the-middled (though typically it’s just because your contact has bought a new phone and re-installed the app).
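As an added illustration of the timing problem described above (not WhatsApp's or Signal's code), the following Python model contrasts a client that holds a message until a changed key is accepted with one that sends first and notifies afterwards. The `Client` class, its method names, and the sample keys are hypothetical, and no real encryption is performed; the model only records which key each message would be encrypted to.

```python
import hashlib
from dataclasses import dataclass, field


class KeyChangeBlocked(Exception):
    """A send was held because the contact's key changed and is unverified."""


def fingerprint(identity_key: bytes) -> str:
    """Short digest the user can compare with the contact out of band."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class Client:
    blocking: bool                                # True: hold sends on key change
    trusted: dict = field(default_factory=dict)   # contact -> accepted key
    outbox: list = field(default_factory=list)    # (text, key it was encrypted to)
    notices: list = field(default_factory=list)   # what the user is shown

    def accept(self, contact: str, key: bytes) -> None:
        """The user verified the new key and explicitly accepts it."""
        self.trusted[contact] = key

    def send(self, contact: str, served_key: bytes, text: str) -> None:
        known = self.trusted.setdefault(contact, served_key)  # trust on first use
        changed = known != served_key
        note = f"{contact}: {fingerprint(known)} -> {fingerprint(served_key)}"
        if changed and self.blocking:
            raise KeyChangeBlocked(note)          # nothing leaves the device
        self.trusted[contact] = served_key        # non-blocking: adopt silently
        self.outbox.append((text, served_key))    # message goes out first
        if changed:
            self.notices.append(note)             # user is told after the fact


def sent_before_verification(blocking: bool) -> list:
    """Texts encrypted to a changed key before the user had accepted it."""
    old, new = b"constructed-key-A", b"constructed-key-B"   # constructed samples
    client, leaked = Client(blocking), []
    client.send("alice", old, "hello")
    try:
        client.send("alice", new, "meet at 6")
        leaked.append("meet at 6")                # went out under the unverified key
    except KeyChangeBlocked:
        client.accept("alice", new)               # user compares fingerprints first
        client.send("alice", new, "meet at 6")    # now sent to a verified key
    return leaked
```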
Web app
WhatsApp provides an HTTPS-secured web interface for users to send and receive messages. As with all websites, the resources needed to load the application are delivered each and every time you visit that site. So, even if there is support for crypto in the browser, the web application can easily be modified to serve a malicious version of the application upon any given pageload, which is capable of delivering all your messages to a third party. A better, more secure option would be to provide desktop clients in the form of extensions rather than a web interface.
Facebook data sharing
WhatsApp and Facebook could take some simple steps to restore our confidence in their product.
Simplify WhatsApp’s user interface for turning on strong privacy. A slider that would switch on all of the protective options—such as disabling backups, enabling key change notifications, and opting out of aspects of data sharing—would make it far easier for users to take control of their security.
Make a public statement about exactly what kinds of data will be shared between WhatsApp and Facebook and how it will be used. WhatsApp needs to take certain future uses of its data permanently off the table by defining what it will—and, just as importantly, will not—do with the user information it collects.
Until such changes are made, we have to warn users to take extra caution when deciding whether and when to communicate using WhatsApp. If you decide to use WhatsApp, see our SSD guides for Android and iOS for more information on how to change your settings to protect your security and privacy.