WhatsApp privacy & security and the terrorist attack on Westminster

Founded nine years ago as a “geeky” technology messaging start-up, now it is possibly the largest smartphone internet messaging app out there. With a lot of post 2000 tech start-ups, security is barely on the release checklist. Why? Because it would delay or totally stop a release due to cost and resources. Very few apps, services or IoT devices have security embedded from the ground up. With WhatsApp, security was bolted on over the years and it has had a number of security scandals to date.

Facebook who themselves do not have the best of privacy reputation now own WhatsApp which means it needs to make money somehow. Security was an afterthought like with many other companies. End to end encryption was only released a year ago and it is automatically transparent to users. What does this mean? The user does not have to switch it on, enter a password or generate an encryption key (and exchange). Nice this may sound but it reduces privacy since everything is handled non-transparently behind the scenes by WhatsApp.

“Your messages should be in your hands. That's why WhatsApp doesn't store your messages on our servers once we deliver them, and end-to-end encryption means that WhatsApp and third parties can't read them anyway”. A lot of people including myself doubt this claim. Take online backup or sync providers like DropBox, they store the encryption key server-side and do not offer zero knowledge encryption. Simplicity does not usually mean good security. Specify the key yourself and it should cut everyone out if implemented correctly.

What are the options to getting access to WhatsApp messages or future messages streams?
  1. Hack the app provider
  2. Intercept and try and decrypt messages as they travel over the wire
  3. Plant malware on the phone which can often defeat the need for the above including Skype
  4. Intercept the verification SMS*

*When setting up WhatsApp, it asks for your number, then asks if you wish to auto verify the number based on the SMS it sends and self reads. If you take the six-character verification number and put it in another phone, the other phone gets the other phones number. Thus, if someone hacked a phone or intercepted the SMS you could pose as someone else’s number. Government agencies can obviously intercept a SMS full stop.

The moral of the story is mass market apps are not necessarily great for privacy and security. The harder something is to use, the more secure it is but it is then harder for others to talk to you. If you want enhanced privacy and security go with a smaller scale security & privacy focused apps. These type of apps may let you specify your own encryption key thus keeping your secrets safe. Terrorists could hide behind these you may wonder, yes but such open source options as PGP are even hard to crack. The only “easy” way would be get the private key. Strong crypo can be used for good and bad. A normal guy or girl trying to protect his or her traffic while using an open Wi-Fi hotspot. Someone suppressed in an authoritarian regime trying to not get caught while spreading the truth. Then of course terrorists or paedophiles. Not all can be “regulated” like WhatsApp. Open source often answers to no one, commercial or state.

Apart from WhatsApp, the intelligence services will be scouring through his laptops, desktops, tablets, USB devices, smartphones, CDs/DVDs and floppy discs (yes this is unlikely). General mapping of phone calls and text messages is also very useful since it shows friends & family and their connections. Past location data from smartphones and satellite navigation devices would also give a good picture. At times viewing all contacts with suspicion does not work since it could be an old-school friend or workman he/she has used in the past.

Being based within the Five Eyes countries it is hard to believe there is no way to circumvent the app. Many people argue against mass surveillance or back doors but surely most people, even Edward Snowden would accept Amber Rudd’s request to access messages based on overwhelming support, evidence and a court order. Surely if the authorities possess the smartphone they could log in to it and open WhatsApp to see contacts and messages?