Although other instant messenger apps such as Facebook Messenger, Hike and iMessage are available, millions and billions of users use the WhatsApp instant messenger app, and it is the leading messenger platform across the world.
Security issue flagged
The end-to-end encryption of the WhatsApp instant messenger app is said to be vulnerable, so that messages sent by users can be intercepted and read.
Apart from being the best instant messenger app, WhatsApp is also known for the security features it offers users through its implementation of the Signal protocol, which provides end-to-end encryption on the messenger platform. But Tobias Boelter, an independent security researcher, identified that the platform is vulnerable and reported it to Facebook in April 2016. Facebook acquired the messenger platform in 2014 for nineteen billion dollars.
When the social media network bought WhatsApp, most of the traditional users of the messenger app left the platform, but the company confirmed that the app would be enhanced with many features that connect users with businesses and eliminate third-party advertisements. The company's main purpose in acquiring the messenger platform was to provide a basic data connectivity service that can be offered to users for free. Various advanced features of the platform, such as e2e encryption, voice calls and two-step verification, were implemented only after the acquisition by Facebook.
The security researcher's report concerns WhatsApp's implementation of the Signal protocol and describes the issue as a retransmission vulnerability: a new set of encryption keys can be issued for users who are offline, so their messages can be intercepted and read, which makes it a potential backdoor in the e2e encryption process.
The intentional design decision
The messenger platform denies that it has security issues and stated that generating new keys for offline users is a design decision, made to ensure that messages are not lost in transit and that users do not lose their messages. It also claims that characterizing this behaviour as a backdoor that allows messages to be decrypted is false.
The spokesperson also said that the company would fight any government that seeks a backdoor into any user's message stream, and that encryption keys are generated for offline users to protect their messages from being lost. The app provides security notifications that alert users to potential risks. The company has also released the ‘Facebook Government requests report’ and published a technical white paper on the design decisions of the messenger platform. WhatsApp has always been transparent about the requests and orders it has received from governments.
When the instant messenger app implemented the Signal protocol, it included an option called ‘show security notification’. This feature notifies users when the security code of a contact changes, so users can enable it to receive a notification whenever the key changes.
The technical white paper published by the messenger platform when it implemented the Signal protocol states that the company's servers do not have access to users' private keys, and that users have the option to verify the keys to ensure the integrity of their communication with other users on the platform. With this implementation, app users receive benefits such as a strong encryption protocol, e2e encryption, open source, an asynchronous messaging system and modern forward secrecy.
The company denies that the app's key verification system is a security flaw. It has stated that the app cryptographically protects user communication, and that displaying a non-blocking notification is a transparent option that provides an efficient user interface.
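A minimal model of the behaviour discussed above, added here as an illustration and not taken from WhatsApp's code or white paper: a sender that retransmits undelivered messages under a contact's new key with only a non-blocking notice, next to a sender that holds them until the user accepts the new security code. The `Sender` class, its method names and the blocking policy are assumptions made for the example, the keys are constructed sample values, and encryption itself is elided.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Short digest standing in for the security code two users compare."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class Sender:
    blocking: bool  # True: hold undelivered messages until the user re-verifies
    trusted: dict = field(default_factory=dict)  # contact -> trusted fingerprint
    pending: dict = field(default_factory=dict)  # contact -> undelivered texts
    notices: list = field(default_factory=list)  # what the UI would show

    def queue(self, contact: str, key: bytes, text: str) -> None:
        """Message sent while the contact is offline; it stays undelivered."""
        self.trusted.setdefault(contact, fingerprint(key))
        self.pending.setdefault(contact, []).append(text)

    def on_key_change(self, contact: str, new_key: bytes) -> list:
        """Server reports a new key. Returns the (fingerprint, text) pairs that
        would be re-encrypted to that key and retransmitted right away."""
        new_fp = fingerprint(new_key)
        if new_fp == self.trusted.get(contact):
            return []
        self.notices.append(f"security code changed for {contact}")
        if self.blocking:
            return []  # nothing is sent until approve() is called
        return self._release(contact, new_fp)

    def approve(self, contact: str, new_key: bytes) -> list:
        """User compared the new security code out of band and accepts it."""
        return self._release(contact, fingerprint(new_key))

    def _release(self, contact: str, fp: str) -> list:
        self.trusted[contact] = fp
        return [(fp, text) for text in self.pending.pop(contact, [])]


def demo(blocking: bool) -> tuple:
    # Constructed sample keys, not real key material.
    old_key, new_key = b"constructed-key-A", b"constructed-key-B"
    s = Sender(blocking=blocking)
    s.queue("bob", old_key, "meet at 6")
    sent_on_change = s.on_key_change("bob", new_key)
    sent_after_ok = s.approve("bob", new_key)
    return sent_on_change, sent_after_ok, s.notices
```

In the non-blocking case the queued message leaves under the new key before the user has looked at the notice; in the blocking case the same notice is shown, but the message is released only after approval.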
An international security researcher, speaking about the Signal protocol, called the issue a nontrivial bug and found that the protocol contains no logical errors; however, he did not analyze the protocol's security implementation.
Whether the app's key verification process is a bug, a nontrivial issue or a backdoor depends on the user's perspective, but the biggest security flaw of WhatsApp is that the app code is not open source and so is not available for audits. In addition, Facebook, the parent company of the instant messenger platform, has a business model of monetizing users' personal information by profiling their targets and preferences through advertisements.
Proteus- the end to end crypto system
There is another instant messaging platform called Wire that has an e2e crypto system and is open source, so outsiders can test its security claims directly, unlike WhatsApp, where users simply have to trust the app rather than testing it in real time. Wire is also working on its Proteus protocol, which can be audited externally.
Wire is an encrypted, cross-platform instant messenger app created by Wire Swiss and is available for almost all platforms, including Mac OS, Linux, Windows, Android, iOS and web browsers. The app uses data connectivity to make voice and video calls, and users can send images, videos, files, documents and text messages. The app is protected by European Union laws within the European Union.
The app does not re-generate the verification keys each time. Instead, once the key fingerprints have been verified by the users, any change detected at either end is shown to the user. Since it is open source, all of the code is transparent and it is easy to fix any kind of security risk. Because the code is open source, thousands of developers access it and analyze it in depth.
Vulnerability- accidental or purposeful
The question of whether WhatsApp has a backdoor is the main news among app users, security experts and other parties in the industry. When asked about the issue, the security researcher argued for both possibilities: an accidental design decision and backdoor access.
He said that if the app had been asked to implement a backdoor to access the data, they would have built it in the usual way, so that it would pull certain confidential messages out of the message stream. He says it can be considered a programming bug, and that when he reported the issue to the parent company, they took no interest in fixing it. He said that closed-source software is the wrong path, because the code that handles the entire decrypted message stream could potentially be malicious. So there is a chance that the instant messenger app could hand over users' decrypted messages when asked by the FBI or a government.
The security researcher recommends that users use the Signal app, which he also uses himself. Signal is open source, makes an effort toward reproducible builds and claims to store less metadata than the WhatsApp server. Its accessibility is similar to that of the WhatsApp messenger platform.