WhatsApp was once independent and then Facebook bought it up. Facebook, WhatsApp and other mass market services are typically free, and are funded by advertising or worse them selling on your data. WhatsApp has no advertising in it, so you have to wonder how they make money out of it. Their security spiel claims it offer end to end encryption by default and they cannot read your messages. It states the encryption is handled by the devices and they do not store messages once pushed to the end device. There is a short sentence about law enforcement access so obviously there is a way around it.
Their security whitepaper which was written by them and Open Whisper Systems (I trust these people more than Facebook and other companies) is comprehensive and sounds good cryptography wise for a quick glance. As with any encryption product which uses symmetric or asymmetric the flaw is rarely in the cryptography but in the method of unlocking it. AES 256 maybe good but if you can brute force the key vault to where the key lives to encrypt/decrypt files then hey presto you have “defeated” AES. The same goes for PGP, if malware can extract the key from memory then your 4096 private key is exposed.
Let’s jump back to WhatsApp. The encryption is handled seamlessly by the device. When you enrol a phone for the first time or switch handsets you give it permissions and your number, and it sends you a number auth code. This is sent over a bog-standard SMS. If you can grab this auth number, you are then someone else’s number. Yes, it is likely you cannot get back-dated messages, but you could manipulate someone else to reveal sensitive information. What is the problem with bog-standard SMS?
- Interception: SMS goes over GSM which is used by 90%+ of worldwide phones and is very dated. The encryption used is weak and the algorithm is called A5/1. It can be cracked in minutes with equipment costing just £20
- SIM card swaps: An imposter can get a phone network to transfer a number to a new SIM even if they are not the real owner. This has happened in the United States quite a bit lately
- Device infections: Malware can grab the auth code from the target’s device, crash the device and relay the auth code to the attacker