
Privacy at Risk: What WhatsApp fails to protect

The protection on messages is not even that good…

With thousands and millions of users each day, WhatsApp is popular. All of these users have downloaded it so that they can connect with colleagues, friends, and family, putting their faith in the app’s encryption protocol to keep their messages protected. Since 2016, all WhatsApp chats have been secured with end-to-end encryption by default. However, your privacy is still at risk, because the other parts of the system do not protect your privacy and can easily be jacked, as this shows.

When it comes to secure messaging apps, having the message encrypted is only one part of a much bigger picture.

WhatsApp encryption: taking a closer look

WhatsApp is a name that many people associate with secure, private, encrypted messages. Only the person on the other end of the message can read what has been sent. With end-to-end encryption (E2EE), the message remains encrypted while it is in transit and is only decrypted once it arrives at the receiver. With E2EE, it should not be possible for anyone else to view the message, including Facebook and WhatsApp.

To encrypt their messages, WhatsApp and the messaging app Signal both use the Signal Protocol (originally called Open Whisper Systems). However, WhatsApp and Signal are very different apps, with drastically different approaches to security and privacy. The process they use to encrypt messages is the one element that connects the two apps.

Hacked and changed without you knowing: your media is at risk

When images are shared on WhatsApp, the file is instantly saved on to your device; this is one of the app’s features. You can instantly send on images that you receive from family or friends.

There is a big problem with this. Because of the way that images, as well as other media, are saved, they are at extreme risk of “Media File Jacking”. As reported in The Verge, as well as by Symantec, media being sent and received on WhatsApp can be edited by malware without you knowing. There is the potential that when you go to send an image to someone, it could be drastically changed, and what you send could be a completely different image. The Verge explains it like this:

“On Android, apps can choose to save media, like images and audio files, through either internal storage that’s only accessible through the app, or external storage which is more widely available to other apps. WhatsApp, by default, stores media through external storage, and Telegram does so when the app’s “Save to Gallery” feature is enabled.

“According to the researchers, the design means malware with external storage access could be used to access WhatsApp and Telegram media files, maybe even before the user sees them. If a user downloads a malicious app, for example, and then receives a photo on WhatsApp, a hacker could manipulate the image without the receiver ever noticing. A hacker could theoretically alter an outgoing multimedia message as well.”

This problem all stems from Android devices saving data to unprotected local storage. This is exactly why SKY ECC has its protected storage inside the app. The only way for images to be brought onto the device is to take them with the camera, and images cannot be taken out either. With a SKY ECC device, what happened above would not be possible, regardless of whether it had been compromised with malware.
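One way an app can detect the tampering described above, shown as an added example that is not from the original article or from any messaging app's code: record a keyed hash of each media file in app-private state before the bytes reach shared storage, and check it before the file is displayed or sent. The class name, the file names and the temporary directory standing in for Android external storage are assumptions.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


class MediaIntegrityStore:
    """Records a keyed hash for each media file the app writes to shared storage."""

    def __init__(self, key: bytes):
        self._key = key    # assumption: held in app-private storage or a keystore
        self._tags = {}    # stands in for an app-private database: file name -> tag

    def save_received(self, shared_dir: Path, name: str, data: bytes) -> Path:
        # Tag the decrypted bytes while they are still in memory. Hashing the
        # file after writing it would leave a window for a swap to go unseen.
        self._tags[name] = hmac.new(self._key, data, hashlib.sha256).digest()
        path = shared_dir / name
        path.write_bytes(data)
        return path

    def verify(self, path: Path) -> bool:
        """True only if the file on shared storage still matches what was recorded."""
        expected = self._tags.get(path.name)
        if expected is None or not path.is_file():
            return False   # never recorded by this app, or deleted: do not trust
        mac = hmac.new(self._key, digestmod=hashlib.sha256)
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                mac.update(chunk)
        return hmac.compare_digest(expected, mac.digest())


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)   # stands in for Android external storage
        store = MediaIntegrityStore(os.urandom(32))
        # Constructed sample bytes, not a real image.
        img = store.save_received(shared, "IMG-0001.jpg", b"\xff\xd8original-photo\xff\xd9")
        before = store.verify(img)
        # Another process with external-storage access rewrites the file.
        img.write_bytes(b"\xff\xd8swapped-photo\xff\xd9")
        after = store.verify(img)
        planted = shared / "IMG-9999.jpg"
        planted.write_bytes(b"planted")
        return {"before": before, "after": after, "planted": store.verify(planted)}
```

A file that fails `verify` should be treated as untrusted: neither rendered in the chat nor attached to an outgoing message.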

Previous chats instantly available

If you have a new device, you often want to download the same apps from your old device, and with WhatsApp, after re-authenticating, you can have all your old chats back, as the backups kick in. Sounds great, right? Sadly, it is anything but.

The reason is that WhatsApp’s backups are not encrypted. All private chats that are backed up are just in plain text, which is extremely worrying and ridiculously foolish. As you will read in the next part, this is very risky to your privacy.

Perhaps the most troubling part of this is that with E2EE chats, if you do not have a backup, you should not be able to get any of those chats back at all. This is because new encryption keys should have been generated with the new device. Old chats should not be able to be read with new keys. The protections are in place if your device was hijacked or cloned. But with WhatsApp, the protections are not even there.

Unencrypted backups may be hidden deep within WhatsApp’s fine print in the settings, but the feature is on by default and instantly jeopardizes your privacy. In case your device is lost, WhatsApp backs up your chats so that you can get all your conversations back. This seems to be a fantastic idea. Big problem though: they are stored completely unencrypted on both Google Drive and iCloud.

When federal prosecutors have a warrant, they can turn to Apple and access all the chats they want, something that Paul Manafort had to learn the hard way. It does not matter whether the authorities are investigating you or not: as the chats are in the open, it just takes someone getting into your iCloud account and they instantly have access to whatever you send via WhatsApp. Absolutely anything.

With WhatsApp, security is sacrificed in the face of convenience. There is no prompt asking whether the user would like backups enabled, and no warning that they are unencrypted. At least with these, the user would know what will happen when they go to store data.

Even with the convenience it could potentially bring, we see backups as far too risky. With SKY ECC, there are no backups. If you reset (wiping all items and chats stored within your Vault), then SKY ECC will only give you back your contact list.

Sharing more than you may want to

How many people change their default settings on their devices? Be honest, how many of the default apps do you use on your computer or phone? It is often something we all skip, or simply do not know that we can change if we wanted to. In most cases, this is not a big problem.

And many of the default settings in apps are completely fine. Android, iOS, macOS and Windows each have updates that are automatically installed as the default choice. This helps protect a lot of users. However, some settings, such as WhatsApp and Facebook’s privacy settings, need your attention. These may be revealing far more about you than you know.

When it comes to WhatsApp’s encryption, the settings to be aware of are Location Status, About and Status (which works similarly to the Stories function in Facebook and Instagram). Location Status is simple: you do not want to be broadcasting your location to the world. Setting it to private makes sure that people won’t be able to check whether you are at home or attempt to stalk you. It is sensible, logical and smart. But what about the other two? For Status, the default lets all your contacts see whatever you have it set to. However, what if you set your status message to something, forgetting who might be reading it? If you have colleagues on your WhatsApp, do you want to tell them that you are going to a political rally? You can limit who is able to see your status, but you have to change this in the settings from All Contacts to Only, or Contact Except.

When WhatsApp announced it had agreed to be purchased by Facebook for $19 billion in 2014, alarms went off in the security and privacy community. As part of the deal, Facebook had assured WhatsApp’s founders that Facebook would stay out of the app. No data mining, no ads. It would be a secure and private messaging app.

Two years later, WhatsApp’s terms of service were updated by Facebook. This was to allow for data sharing between WhatsApp and Facebook. Plans were then announced to add Stories to WhatsApp for 2020. By 2018, two years after the data sharing decision, WhatsApp founders Brian Acton and Jan Koum had left Facebook in disagreement with how Facebook was planning to use data from WhatsApp for targeted advertising, amongst other plans.

For advertising to make money, it needs people to click on the ads presented, so they must be relevant to the user. And to know what the user wants, you need to know about them. Gender, age, interests and location are all wanted so that relevant ads can be displayed. However, when it comes to users in WhatsApp, how is Facebook going to get this data?

The exact details are unknown and ads are yet to be fully implemented in WhatsApp, but for the adverts to be personalised, they have to be obtaining data from somewhere. For an app to be a secure messaging service, it should not have enough data on you to give relevant ads. If it can do this, then you know that your privacy is no longer secure and is almost certainly compromised.

When using WhatsApp, be wary of how secure you really are

It would be foolish to suggest that people should stop using WhatsApp and stay away from it. Its security and encryption have extremely serious flaws, but despite this, it is utilized by millions of users across the world. It provides good call quality, often regardless of the distance, be it from Mumbai to Montreal, and its universality is often its greatest asset. When you ask someone if they use WhatsApp, the likelihood is that they do.

Whilst it is certainly not practical to simply abandon WhatsApp, what can be done is to know exactly what to expect from the app when it comes to security and privacy. When next using the app, consider the following:

  • If someone you talk with has backups engaged, then regardless of whether your chat is encrypted, your communication is no longer private
  • If you let your WhatsApp save images onto your phone, then all media you send to them is potentially compromised
  • It is highly important to go to your privacy settings and make sure your Stories, About and sharing locations are set so only those you want can view them
  • With adverts coming to the app, WhatsApp will be using your data to target adverts at you, as well as potentially your contacts too

The way to make sure your communications are secure and private is to not use WhatsApp. To guarantee your privacy you need a secure communication solution that utilizes strong encryption and puts the user’s privacy first, before anything else. For this, SKY ECC provides the best communication solution you can get, one that will keep your messages and data secure, protecting from the app, hardware, or even the internet connection. All this is done so that your communication remains secure and private.

To learn more, see the features of SKY ECC page and be one step closer to real communication privacy.