Firstly, I am a security and privacy freak with my personal security likely being better than what you would find at the British MoD. I try to avoid mass market services especially those owned by the big players and that includes WhatsApp. Occasionally I use it abroad while using a country SIM since it saves on high bills since it uses the internet not GSM which has high call charges while abroad. As soon as I am on the flight back, I uninstall it, remove its historically entry from the app store and remove left over files.

WhatsApp was once independent and then Facebook bought it up. Facebook, WhatsApp and other mass market services are typically free, and are funded by advertising or worse them selling on your data. WhatsApp has no advertising in it, so you have to wonder how they make money out of it. Their security spiel claims it offer end to end encryption by default and they cannot read your messages. It states the encryption is handled by the devices and they do not store messages once pushed to the end device. There is a short sentence about law enforcement access so obviously there is a way around it.

Their security whitepaper which was written by them and Open Whisper Systems (I trust these people more than Facebook and other companies) is comprehensive and sounds good cryptography wise for a quick glance. As with any encryption product which uses symmetric or asymmetric the flaw is rarely in the cryptography but in the method of unlocking it. AES 256 maybe good but if you can brute force the key vault to where the key lives to encrypt/decrypt files then hey presto you have “defeated” AES. The same goes for PGP, if malware can extract the key from memory then your 4096 private key is exposed.

Let’s jump back to WhatsApp. The encryption is handled seamlessly by the device. When you enrol a phone for the first time or switch handsets you give it permissions and your number, and it sends you a number auth code. This is sent over a bog-standard SMS. If you can grab this auth number, you are then someone else’s number. Yes, it is likely you cannot get back-dated messages, but you could manipulate someone else to reveal sensitive information. What is the problem with bog-standard SMS?

  1. Interception: SMS goes over GSM which is used by 90%+ of worldwide phones and is very dated. The encryption used is weak and the algorithm is called A5/1. It can be cracked in minutes with equipment costing just £20
  2. SIM card swaps: An imposter can get a phone network to transfer a number to a new SIM even if they are not the real owner. This has happened in the United States quite a bit lately
  3. Device infections: Malware can grab the auth code from the target’s device, crash the device and relay the auth code to the attacker
All of these are not vastly hard to do and could be done by criminals or nation states. Thus, beating WhatsApp advanced cryptography implementation. In my view WhatsApp should not be used for any sensitive communications especially when travelling to more authoritarian countries.