Last week, the Guardian published a report highlighting a security researcher’s discovery of what he described as a serious flaw in WhatsApp, the popular messaging service owned by Facebook and used by more than a billion people around the globe.
The findings, published by researcher Tobias Boelter, centered on the end-to-end encryption that WhatsApp uses by default and how it handles encryption keys while offline. “End-to-end” encryption means that a message is coded on the sender’s device, and decoded on the recipient’s device, so that anyone who intercepts the message is left with an encrypted, unreadable jumble of text. The encryption keys are how the app determines that the sender and recipient are who they say they are. WhatsApp “automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.” The bottom line is this: A very dedicated person could exploit this slight window with the right, very specific tools.
Another security researcher quoted by the Guardian explained it thusly: “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”
Facebook, when contacted about the app’s behavior, said that it was expected behavior, and not the sort of back door that Boelter was making it out to be. Still, the report set off panic about WhatsApp’s security, with activists reportedly telling each other to leave the app for fear of its security holes.
Should they have? There’s a high-level security debate to be had over the app’s design, but many security experts agree that the perceived vulnerability is not a wide-open back door into the system.
This week, dozens of cybersecurity experts are calling on the Guardian to retract or correct their story, worried that it has scared users into switching to less secure messaging options.
The experts’ letter is extensive in its rebuttal but here’s the tl;dr section toward the end.
So, is WhatsApp safe to use? In 99 percent of applications, the answer is yes. (And if you need a chat app for that other one percent of applications, you probably aren’t getting your security news from Select All.) Certainly, it’s still one of the safest options you can use if you want to easily encrypt your communications, despite what you may have heard.
Now, if you’re particularly paranoid, you may not want to use an app owned by an enormous corporation like Facebook, one that has a documented relationship with the U.S. government. That’s okay, too. The bottom line in current mobile-messaging security anyway is that the independent, open-source app Signal is the all-around safest and most secure option available. WhatsApp is a fine alternative, but your best bet might just be to use Signal.