The vulnerability in the form of a backdoor has been identified as a major security issue in the extremely popular mobile messaging app WhatsApp. This problem can lead to intercepted and read messages sent through its encrypted platform.
According to the reports, this issue was identified in April 2016 by an independent security researcher Tobias Boelter. He reported it to Facebook but the company told him that it was an expected behavior. The company did nothing to solve the problem and it has been verified now that the vulnerability still exits.
The implementation of end-to-end encryption for messages by WhatsApp was extremely admired by the security experts. In April last year, WhatsApp completed the roll-out to end-to-end encryption across its platform. The company’s code has remained a closed source up till now which means that it has always been necessary for users to trust its claim without having the ability for external audits of its code.
The identified issue by Boelter describes it as a retransmission vulnerability and claimed the route for messages to be read and intercepted as a potential backdoor in WhatsApp’s end-to-end encryption. WhatsApp though has denied the backdoor characterization. They refer to it as a design decision relating to message delivery with newly generated keys for offline users so it is ensured that messages do not get lost during transfer. According to company’s spokesman, all such claims are false as WhatsApp does not give government a backdoor into systems and such request will face a strong disapproval. WhatsApp provide people with security notifications in order to alert them with possible security threats whereas the design decision referenced in the Guardian story prevents millions of messages from being lost.
A technical white paper on the encryption design was published by WhatsApp and the company has been clear regarding the received government requests and has published data about such requests on Facebook’s Government Request Report.
The vulnerability issue regarding WhatsApp is considered nothing new by many security analysts. This recent problem indicates the rehashing of the long-standing issue regarding the implementation of key verification within an encrypted system. According to WhatsApp, an option in the Signal protocol offers a “Show security notification” setting that notifies a user when a contact’s security code has changed. WhatsApp servers have no access to private keys of users on WhatsApp and users have the option to verify keys so that the integrity of their communication is ensured.
Either WhatsApp’s key verification process is an intentional security backdoor or a user’s opt-out design decision depends upon one’s perspective. But doubtfully WhatsApp’s biggest security flaws remain hidden sourcing its code to allow for external audits.
Unlike WhatsApp where users rather have to take on trust, the co-founder and CTO another mobile messaging app Wire has wasted no time for allowing its security claims to be tested by outsiders. The company’s spokesman stated that Wire is currently having its proteus protocol being audited by a security outsider.
Encryption keys are not regenerated by Wire and after the verification of key fingerprints by users; changes in keys will be perceived on both ends and will be shown to users. Because all code in “Wire” is open sourced, therefore it is transparent in its working and does not take long in discovering, disclosing, and fixing the security issues. Embracing open source can help in staying ahead in situations like these. The flaw is recently reported by WhatsApp as not a bug, it is a feature because the senders are no longer required to press the extra “OK” button in rare cases they sent a message, the receiver is offline, and has a new phone when coming back online. The flaw should have been fixed immediately after it was first reported in April 2016.
One of the secure messaging apps which are open sourced is Signal. It makes an effort to have reproducible builds and claims to store much less metadata on their servers than WhatsApp allows itself in their privacy policy. Also Signal is as simple to use as WhatsApp. According to the Boelter’s April analysis of WhatsApp’s Signal implementation, proprietary closed-source crypto software is the wrong path. All the decrypted messages are handled through this potentially malicious code.
It is expected that next time FBI will most probably ask WhatsApp to ship a version of their code in order to send all decrypted messages directly to the FBI.