A seemingly damning report has raised a big question over how secure the WhatsApp messaging platform really is. It turns out that a bug, which WhatsApp has reportedly known about for quite some time, theoretically allows the company or a government agency to snoop on any encrypted messages sent over the platform. WhatsApp, however, has categorically rejected the report, calling it a false claim.
The Guardian was the first to report the bug, which was discovered by Tobias Boelter, a security researcher at the University of California. The flaw relates to how the app handles the security keys that are essential for end-to-end encrypted messages. In order to deliver a message to a receiver even if they are offline, the report claimed, WhatsApp compromised the entire encryption system. WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered, the report said.
So in theory, this workaround would allow WhatsApp or any government agency to get access to your encrypted messages. But the company is adamant that is not the case. “The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a ‘backdoor’ allowing governments to force WhatsApp to decrypt message streams. This claim is false,” a WhatsApp spokesperson said in a statement sent to TechCrunch. “The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks,” the statement added.
It's not just WhatsApp: Open Whisper Systems has also called the claims made in The Guardian report false. For the uninitiated, Open Whisper Systems is the developer of the Signal protocol, which WhatsApp uses for its end-to-end encryption. According to the company, changing encryption keys is a normal occurrence in cryptography: when someone gets a new device, or even just reinstalls the app, their identity key pair will change. WhatsApp also gives users the option to be notified when those changes occur, but this option is not turned on by default. The company says the system has been designed in such a way that the WhatsApp server has no knowledge of whether users have enabled the change notifications, or whether users have verified safety numbers. WhatsApp could try to “man in the middle” a conversation, just like with any encrypted communication system, but they would risk getting caught by users who verify keys.
“The fact that WhatsApp handles key changes is not a ‘backdoor,’ it is how cryptography works,” the company's blog reads. “Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.”
If you are nonetheless worried about your encrypted messages being read by someone else, you can choose to be notified if the security key of the receiver has changed. To do this, head over to Settings -> Accounts -> Security, and turn on Show Security Notifications.
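A toy model of the sender-side behaviour described above, added here as an illustration and not taken from WhatsApp or Open Whisper Systems code: undelivered messages are re-sent to a new key automatically, the notification appears only if the setting is on, and comparing codes out of band exposes the change. `SenderClient`, `fingerprint` and the keys are hypothetical; no real encryption is performed, and a truncated SHA-256 stands in for the security code.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple


def fingerprint(identity_key: bytes) -> str:
    """Stand-in for a security code; NOT WhatsApp's real derivation."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class SenderClient:
    contact_key: bytes
    show_security_notifications: bool = False  # off by default, per the article
    undelivered: List[str] = field(default_factory=list)
    wire: List[Tuple[str, str]] = field(default_factory=list)  # (key fingerprint, message)
    notifications: List[str] = field(default_factory=list)

    def send(self, message: str) -> None:
        # "Encrypting" here only records which identity key the message targets.
        self.wire.append((fingerprint(self.contact_key), message))
        self.undelivered.append(message)

    def ack(self, message: str) -> None:
        self.undelivered.remove(message)  # marked as delivered

    def on_key_change(self, new_key: bytes) -> List[str]:
        """The server announces a new identity key for the contact."""
        self.contact_key = new_key
        if self.show_security_notifications:
            self.notifications.append("security code changed: " + fingerprint(new_key))
        resent = list(self.undelivered)
        for message in resent:  # re-encrypted and re-sent without asking the sender
            self.wire.append((fingerprint(new_key), message))
        return resent

    def verify(self, code_from_contact: str) -> bool:
        """Compare with a code obtained from the contact out of band."""
        return fingerprint(self.contact_key) == code_from_contact


def run_scenario(notify: bool):
    bob_real, unexpected = b"bob-identity-key", b"unexpected-identity-key"  # constructed
    alice = SenderClient(contact_key=bob_real, show_security_notifications=notify)
    alice.send("delivered while Bob was online")
    alice.ack("delivered while Bob was online")
    alice.send("sent while Bob was offline")
    resent = alice.on_key_change(unexpected)
    return resent, alice.notifications, alice.verify(fingerprint(bob_real))
```

Calling `run_scenario(False)` and `run_scenario(True)` shows that the re-send happens either way; only the notification differs, and the out-of-band check fails in both cases.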
WhatsApp isn't the only messaging app under the spotlight. A Buzzfeed investigation has revealed a potential security hazard in the messaging app Signal. The report claims that when you sign up using your phone number, almost everyone who has your number can see that you are using the app. Since Signal is mostly used by privacy advocates or whistleblowers, you are invariably cast as part of the guilty party.
The same report also casts doubt over Telegram, another of the secure messaging apps. It claims that Russia's Federal Security Service (FSB) has compromised the app. “An FSB cyber operative flagged up the Telegram enciphered commercial system as having been of especial concern and therefore heavily targeted by the FSB, not least because it was used frequently by Russian internal political activists and opportunists. His/her understanding was that the FSB now successfully had cracked this communications software and therefore it was no longer secure to use,” the report reads.