We need your help now
Support from readers like you keeps The Journal open.
You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.
If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.
Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
By continuing, you are indicating that you accept our Terms of Service and Privacy Policy.
WHATSAPP, A MESSAGING platform owned by Facebook, is well known as one of the more secure messengers on the market.
Whatsapp redesigned its backend earlier this year so that every message sent using the service will be protected in a way that even Whatsapp would not be able to read it if it wanted to, called end-to-end encryption.
But a Guardian report published yesterday cast doubt on Whatsapp’s security, saying that a “vulnerability” or “backdoor” existed that could allow governments to snoop on people’s private messages.
But don’t worry, there is no backdoor in Whatsapp like the FBI was seeking for the iPhone says Moxie Marlinspike, one of the people behind Whatsapp’s encryption.
Marlinspike is founder of Open Whisper Systems, which helped designed Whatsapp’s security protocol and shot back against The Guardian’s claims in a long and detailed blog post.
Cryptography is detail-oriented and complicated, and often summaries can get important aspects wrong, but here goes: Messaging systems need to know if the person it’s sending a message to is actually who he says he is.
But Whatsapp decided that if one messenger changed his security key, then it would simply give the user a warning — instead of blocking him entirely like some secure messengers do, it would simply display a warning, like this:
This decision led The Guardian to speculate that a government might be able to pull off “man-in-the-middle” attacks and hijack messages meant for another person.
Marlinspike explains:
Most end-to-end encrypted communication systems have something that resembles this type of verification, because otherwise an attacker who compromised the server could lie about a user’s public key, and instead advertise a key which the attacker knows the corresponding private key for. This is called a “man in the middle” attack, or MITM, and is endemic to public key cryptography, not just Whatsapp.
In fact, Whatsapp made a security choice based on usability, because it has 1 billion users, and shutting down people’s conversations could be annoying for its users. Even worse, it could make the entire system less secure. Cryptographers have to make trade-offs all the time.
“Given the size and scope of Whatsapp’s user base, we feel that their choice to display a non-blocking notification is appropriate,” Marlinspike says.
“The choice to make these notifications “blocking” would in some ways make things worse. That would leak information to the server about who has enabled safety number change notifications and who hasn’t, effectively telling the server who it could MITM transparently and who it couldn’t.”
Response
Whatsapp has denied that a “backdoor” exists to its content, providing a lengthy comment from cofounder Brian Acton that’s partly reproduced here:
The Guardian’s story on an alleged “backdoor” in Whatsapp is false. Whatsapp does not give governments a “backdoor” into its systems. Whatsapp would fight any government request to create a backdoor.Since April 2016, Whatsapp messages and calls are end-to-end encrypted by default. Whatsapp also offers people a security notifications feature that alerts them when people change keys so that they can verify who they are communicating with…Like everything else in Whatsapp, it’s designed to be simple. We built end-to-end encryption with encryption as the default so not a single one of our 1 billion users has to turn on encryption.This is also true for people who delete and reinstall Whatsapp or for those who change their phones. For some people, this can be a frequent occurrence as people manage data charges and phone storage, or share devices with family members.
We want to make sure that people in these situations do not lose access to messages sent to them while they are in the midst of re-installing the app or changing their phones. Because a person’s encryption key is changed when Whatsapp is installed on a new phone or re-installed on an old device, we make sure those messages can eventually be read using the new key.
“We appreciate the interest people have in the security of their messages and calls on Whatsapp. We will continue to set the record straight in the face of baseless accusations about “backdoors” and help people understand how we’ve built Whatsapp with critical security features at such a large scale.”
- Business Insider- Kif Leswing
To embed this post, copy the code below on your site
I’m more concerned at the extent of the permissions whatsapp requires to be usable on any phone. Access to phone, files, photos, camera, mic…… You’re giving them everything in return for a free messaging app.
Where else would you get your contacts from? How else would you send pictures or videos from your camera or your gallery? You’re giving them everything they need to operate a messaging service. Anyway you can deny whatever permission you feel the need to.
Files to save/retrieve your files sent or received in messages to your phone. Same for photos. Your camera to take pics within the app. Mic to record voice messages and to also make calls. Not everything is suspicious.
@David Mac Shite: That is the way Android works – Whatsapp needs the photo permission to take a photo and send it, it needs photos permission to send existing photos on your device and so on. Whatsapp without those permissions will just send text messages and probably wouldn’t be as popular as it is…
As a rule of thumb, if you’re not being charged for a service, you’re a product and not a customer.
You’re not giving them access to look at photos whenever they want, it’s allowing the app access to your photo folder so you can send and receive pictures and it’s not access to your mic so they can listen in on you it’s so you can use WhatsApp to make calls.
People think it’s being malicious but they are taking it up all the wrong way.
I’m no expert and understand that it needs access to the files you select to send but I’m uncomfortable with giving them access on the basis that they won’t look at or use anything else. It’s like handling your phone to the guy next door for him to view a picture and leaving him alone with it for the next hour.
@david. Check out the permissions for your in built messaging app on your phone. It uses exactly the same permissions.
@David Mac Shite: Truthfully, the way Android segregates it’s module permissions is not secure anyway. It actually requires an order of magnitude less technical sophistication to hack your entire phone as it does to perform this man-in-the-middle key-exchange attack.
In other words, if the NSA (or non-union Russian-Sino-Euro equivalent) wants to see what you are doing, you weren’t secure anyway. Phones are *inherently* insecure against actors of such expertise and means but unless they have some reason to care about you it’s not a problem. This isn’t a weakness that could be effectively exploited by cyber-criminals, which is all anyone really needs to worry about.
Once your “online” ………nothing is private or secure , and if you believe otherwise , well your a very naive and gullible individual.
Ever ask yourself , what’s in it for WhatsApp or its owner Facebook? As said by another commentator, if it’s free , your the product ….
Yeah right…
If it’s free there’s gotta be a catch = backdoor access to whoever government wants too
I’m all for privicy but I can see why what’s app designed it that way and it makes total sense for them but, they shouldn’t claim it so secure and explain the vulnerabilities better. People who need security don’t use what’s app or anything Facebook, Apple, Microsoft ect it’s a well known fact that they give all your data to the CIA. Thanks to Snowden. For privicy search PGP, TOR, VPNs
Already deleted. Not the firs time I’ve heard this about WhatsApp.
@Ciarán Farrelly: The CIA has back doors to everything… They wanted Apple to give them a back door to their mobiles which Apple refused to do but yet the CIA developed a way to anyway… remember that?
Nothing is secure. People thought GSM network was secure till the nsa got the sim codes and could spy at will. Treat the Internet as you would if your boss was standing over your shoulder.
Next week they will deny that the moon exists…
There all the same.you can’t trust any of them.be careful what you post. Big brother is watching you.
Use precise geolocation data. Actively scan device characteristics for identification. Store and/or access information on a device. Personalised advertising and content, advertising and content measurement, audience research and services development.
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not be able to monitor our performance.
Cookies, device or similar online identifiers (e.g. login-based identifiers, randomly assigned identifiers, network based identifiers) together with other information (e.g. browser type and information, language, screen size, supported technologies etc.) can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here.
Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are (or have been) interacting with (for example, to limit the number of times an ad is presented to you).
Information about your activity on this service (such as forms you submit, content you look at) can be stored and combined with other information about you (for example, information from your previous activity on this service and other websites or apps) or similar users. This is then used to build or improve a profile about you (that might include possible interests and personal aspects). Your profile can be used (also later) to present advertising that appears more relevant based on your possible interests by this and other entities.
Advertising presented to you on this service can be based on your advertising profiles, which can reflect your activity on this service or other websites or apps (like the forms you submit, content you look at), possible interests and personal aspects.
Information about your activity on this service (for instance, forms you submit, non-advertising content you look at) can be stored and combined with other information about you (such as your previous activity on this service or other websites or apps) or similar users. This is then used to build or improve a profile about you (which might for example include possible interests and personal aspects). Your profile can be used (also later) to present content that appears more relevant based on your possible interests, such as by adapting the order in which content is shown to you, so that it is even easier for you to find content that matches your interests.
Content presented to you on this service can be based on your content personalisation profiles, which can reflect your activity on this or other services (for instance, the forms you submit, content you look at), possible interests and personal aspects. This can for example be used to adapt the order in which content is shown to you, so that it is even easier for you to find (non-advertising) content that matches your interests.
Information regarding which advertising is presented to you and how you interact with it can be used to determine how well an advert has worked for you or other users and whether the goals of the advertising were reached. For instance, whether you saw an ad, whether you clicked on it, whether it led you to buy a product or visit a website, etc. This is very helpful to understand the relevance of advertising campaigns.
Information regarding which content is presented to you and how you interact with it can be used to determine whether the (non-advertising) content e.g. reached its intended audience and matched your interests. For instance, whether you read an article, watch a video, listen to a podcast or look at a product description, how long you spent on this service and the web pages you visit etc. This is very helpful to understand the relevance of (non-advertising) content that is shown to you.
Reports can be generated based on the combination of data sets (like user profiles, statistics, market research, analytics data) regarding your interactions and those of other users with advertising or (non-advertising) content to identify common characteristics (for instance, to determine which target audiences are more receptive to an ad campaign or to certain contents).
Information about your activity on this service, such as your interaction with ads or content, can be very helpful to improve products and services and to build new products and services based on user interactions, the type of audience, etc. This specific purpose does not include the development or improvement of user profiles and identifiers.
Content presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type, or which content you are (or have been) interacting with (for example, to limit the number of times a video or an article is presented to you).
With your acceptance, your precise location (within a radius of less than 500 metres) may be used in support of the purposes explained in this notice.
With your acceptance, certain characteristics specific to your device might be requested and used to distinguish it from other devices (such as the installed fonts or plugins, the resolution of your screen) in support of the purposes explained in this notice.
Your data can be used to monitor for and prevent unusual and possibly fraudulent activity (for example, regarding advertising, ad clicks by bots), and ensure systems and processes work properly and securely. It can also be used to correct any problems you, the publisher or the advertiser may encounter in the delivery of content and ads and in your interaction with them.
Certain information (like an IP address or device capabilities) is used to ensure the technical compatibility of the content or advertising, and to facilitate the transmission of the content or ad to your device.
Information about your activity on this service may be matched and combined with other information relating to you and originating from various sources (for instance your activity on a separate online service, your use of a loyalty card in-store, or your answers to a survey), in support of the purposes explained in this notice.
In support of the purposes explained in this notice, your device might be considered as likely linked to other devices that belong to you or your household (for instance because you are logged in to the same service on both your phone and your computer, or because you may use the same Internet connection on both devices).
Your device might be distinguished from other devices based on information it automatically sends when accessing the Internet (for instance, the IP address of your Internet connection or the type of browser you are using) in support of the purposes exposed in this notice.
The choices you make regarding the purposes and entities listed in this notice are saved and made available to those entities in the form of digital signals (such as a string of characters). This is necessary in order to enable both this service and those entities to respect such choices.
have your say