Reception and criticism of WhatsApp security and privacy features

From Wikipedia, the free encyclopedia

This article provides a detailed historic account of the reception and criticism of security and privacy features in the WhatsApp messaging service.

2011

On May 20, 2011, an unconfirmed security researcher from the Netherlands using the pseudonym "WhatsappHack" published, on the Dutch websites Tweakers.net and GeenStijl, a method by which WhatsApp accounts could be hijacked. The researcher noticed a flaw in the authentication process that allowed an account to be hijacked by trying to log in with another phone number and intercepting the verification SMS text message that, under specific conditions, remained in the outbox of the Symbian phone after the WhatsApp client attempted to send it to itself. On Android, the verification message could be obtained through reading the "radio" with a tool named "logcat". The researcher would then copy and send the intercepted verification message to the real number of the phone, using an SMS gateway to spoof the "sender" phone number to the number the researcher tried to maliciously log in with. This method worked, and WhatsApp issued a patch for both the Android and Symbian clients within one day of the publication of the articles. WhatsApp did have a security mechanism, by design, which would disable the account on the phone of the original owner of the phone number, when they had a WhatsApp account.[34][35][36]

In May 2011, another security hole was reported which left communication through WhatsApp susceptible to packet analysis. WhatsApp communications were not encrypted, and data was sent and received in plaintext, meaning messages could easily be read if packet traces were available.[37]

2012

In May 2012, security researchers noticed that new updates of WhatsApp no longer sent messages as plaintext,[38][39][40] but the cryptographic method implemented was subsequently described as "broken".[41][42] In August 2012, the WhatsApp support staff said that messages were encrypted in the "latest version" of the WhatsApp software for iOS and Android (but not BlackBerry, Windows Phone, and Symbian), without specifying the cryptographic method.[43]

On January 6, 2012, an unknown hacker published a website that made it possible to change the status of an arbitrary WhatsApp user, as long as the phone number was known. To make it work, it only required a restart of the app. According to the hacker, it was only one of many security problems in WhatsApp. On January 9, WhatsApp reported that it had resolved the problem, although the only measure actually taken was to block the website's IP address. As a reaction, a Windows tool was made available for download providing the same functionality. This problem has since been resolved in the form of an IP address check on currently logged-in sessions.[44][45]

On September 14, 2012, the German tech site The H demonstrated how to use WhatsAPI to hijack any WhatsApp account.[46] Shortly after, a legal threat to WhatsAPI's developers was alleged, characterized by The H as "an apparent reaction" to security reports, and WhatsAPI's source code was taken down for some days.[47] The WhatsAPI team has since returned to active development.[48]

2013–2015

On March 31, 2013 the Saudi Arabian Communications and Information Technology Commission (CITC) issued a statement regarding possible measures against WhatsApp, among other applications, unless the service providers took serious steps to comply with monitoring and privacy regulations.[49][needs update]

In February 2014, the public authority for data privacy of the German state of Schleswig-Holstein advised against using WhatsApp, as the service lacked privacy protection such as end-to-end client side encryption technology.[50] WhatsApp started implementing end-to-end encryption in late 2014 and finished in April 2016.[28]

A major privacy and security problem has been the subject of a joint Canadian-Dutch government investigation. The primary concern was that WhatsApp required users to upload their mobile phone's entire address book to WhatsApp servers so that WhatsApp could discover who, among the users' contacts, was available via WhatsApp. While this was a fast and convenient way to find and connect the user with contacts who were also using WhatsApp, it meant that their address book was then mirrored on the WhatsApp servers, including contact information for contacts who were not using WhatsApp. This information, which consisted solely of phone numbers without any additional information such as the name of the contact, was stored in hashed, though not salted, form.[51][52][53][54] In late 2015, the Dutch government released a press statement claiming that WhatsApp had changed its hashing method, making it much harder to reverse, and thus now fully complied with all rules and regulations.[55]

A user does not need to send a friend request to send messages to another user, due to the contact discovery mentioned above.[citation needed]

In November 2014, WhatsApp introduced a feature named Read Receipts which alerts senders when their messages are read by recipients. Within a week, WhatsApp introduced an update allowing users to disable this feature so that message recipients do not send acknowledgements.[56] On December 1, 2014, Indrajeet Bhuyan and Saurav Kar, both 17 years old, demonstrated the WhatsApp Message Handler Vulnerability, which allows anyone to remotely crash WhatsApp just by sending a specially crafted message of 2kb in size. To escape the problem, the user who receives the specially crafted message has to delete his/her whole conversation and start a fresh chat, because opening the message keeps on crashing WhatsApp unless the chat is deleted completely.[57] In early 2015, after WhatsApp launched a web client that can be used from the browser, Bhuyan also found that it had two security issues that compromised user privacy: the WhatsApp Photo Privacy Bug and the WhatsApp Web Photo Sync Bug.[58][59]

In February 2015, a Dutch university student named Maikel Zweerink published an app that set out to prove that anyone could track a WhatsApp user's status and also keep an eye on their changing profile pictures, privacy settings or status messages regardless of their privacy settings.[60]

2016

On March 2, 2016, WhatsApp introduced its document-sharing feature, initially allowing users to share PDF files with their contacts.[61] However, WhatsApp's default state of automatically downloading attachments raised some concerns in the press about risk and security once support for document sharing expanded beyond PDF files.[62]

In August 2016, WhatsApp announced that it would start sharing account information with Facebook, consisting of the phone number of the account owner and aggregated analytical data. The address books and metadata of users are not shared. According to WhatsApp, this account information is shared to "track basic metrics about how often people use our services and better fight spam on WhatsApp. And by connecting your phone number with Facebook's systems, Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them." This means that Facebook can target advertisements on the Facebook Platform better by making links between users based on the phone numbers, and make "friend suggestions" to its users based on WhatsApp's data. User data will not be shared with advertisers, and is only used internally on the Facebook services. WhatsApp emphasizes that the content of user messages is still kept private thanks to its end-to-end encryption, which means WhatsApp cannot read the content of chats.[63][64] However, users are given the choice to opt out of sharing this data with Facebook for advertisement purposes.[65] In October 2016, the Article 29 Working Party stated that it had serious concerns regarding the manner in which the information relating to the updated Terms of Service and Privacy Policy was provided to users and consequently about the validity of the users' consent.[66]

Since April 5, 2016, end-to-end encryption of all users' communications, including file transfers and voice calls, has been supported for users of the latest client, with encryption enabled by default. It uses Curve25519 for key exchange, HKDF for generation of session keys (AES-256 in CBC mode for encryption and HMAC-SHA256 for integrity verification) and SHA-512 for generating the two 30-digit fingerprints of both users' identity keys so they can verify each other as needed. Even the company would be unable to decrypt users' communications. Amnesty International and security professionals praised the move; the US Federal Bureau of Investigation criticised it as threatening the work of law enforcement.[67] Telegram, another messaging service, is reported by the BBC to be used by "Islamic State" extremists.[67]
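
The following is an added example, not code from WhatsApp or from the original article, showing the parts of the construction above that need only the Python standard library: HKDF key separation, the HMAC-SHA256 check made before decryption, and the 30-digit fingerprints. The iteration count (5200) and the split into six 5-digit groups follow WhatsApp's public security white paper and are not stated on this page; the byte layout of the hash input, the HKDF label and all sample keys and numbers are constructed assumptions.

```python
import hashlib
import hmac

ITERATIONS = 5200  # from WhatsApp's public white paper; not stated on this page


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def message_keys(shared_secret):
    """Derive an AES-256 key, an HMAC-SHA256 key and a CBC IV from one secret."""
    # The info label is hypothetical; it only has to be fixed and unique per purpose.
    okm = hkdf_sha256(shared_secret, b"", b"example-message-keys", 80)
    return okm[:32], okm[32:64], okm[64:]


def tag_for(mac_key, ciphertext):
    """HMAC-SHA256 tag computed over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def authentic(mac_key, ciphertext, tag):
    """Integrity check done before decryption, using a constant-time comparison."""
    return hmac.compare_digest(tag_for(mac_key, ciphertext), tag)


def fingerprint30(identity_key, user_id):
    """30-digit fingerprint of one identity key via iterated SHA-512."""
    digest = identity_key + user_id  # simplified input layout (assumption)
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    # First 30 bytes -> six 5-byte big-endian integers, each reduced to 5 digits.
    groups = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(g, 'big') % 100000:05d}" for g in groups)


def security_code(local_key, local_id, remote_key, remote_id):
    """60-digit code: both fingerprints, sorted so each side shows the same string."""
    pair = [fingerprint30(local_key, local_id), fingerprint30(remote_key, remote_id)]
    return "".join(sorted(pair))


# Constructed sample values standing in for Curve25519 identity public keys.
ALICE = (bytes(range(32)), b"+10000000001")
BOB = (bytes(range(32, 64)), b"+10000000002")
REPLACED_BOB = (bytes(range(64, 96)), b"+10000000002")  # same number, different key

if __name__ == "__main__":
    print("Alice sees:", security_code(*ALICE, *BOB))
    print("Bob sees:  ", security_code(*BOB, *ALICE))
    print("Key changed:", security_code(*ALICE, *REPLACED_BOB))
    enc_key, mac_key, iv = message_keys(b"\x11" * 32)  # constructed shared secret
    tag = tag_for(mac_key, b"constructed ciphertext")
    print("Untouched:", authentic(mac_key, b"constructed ciphertext", tag))
    print("Modified: ", authentic(mac_key, b"constructed ciphertexT", tag))
```

Both parties compute the same 60-digit code only while each holds the other's genuine identity key, which is why a changed code signals that a contact's key has been replaced.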

WhatsApp is not the only messaging service that provides end-to-end encryption; among others, Threema, Wickr, Signal, Silent Phone, and Line also provide such encryption by default. iMessage and Viber provide it under special circumstances.[68][69] Telegram provides end-to-end encryption as an opt-in feature, but does not support end-to-end encrypted group messaging.[28]

As of April 5, 2016, WhatsApp has a score of 6 out of 7 points on the Electronic Frontier Foundation's "Secure Messaging Scorecard". It has received points for having communications encrypted in transit, having communications encrypted with keys the provider doesn't have access to, allowing users to verify contacts' identities, having past messages secure if the encryption keys are stolen, having completed a recent independent security audit, and having the security designs properly documented. It is missing a point because the code is not open to independent review.[70]

2017

On January 13, 2017, The Guardian reported that security researcher Tobias Boelter had found that WhatsApp's policy of forcing re-encryption of initially undelivered messages, without informing the recipient, constituted a serious loophole whereby WhatsApp could disclose, or be compelled to disclose, the content of these messages.[71] WhatsApp[72] and Open Whisper Systems[73] officials disagreed with this assessment. A follow-up article by Boelter himself explained in greater detail what he considered to be the specific vulnerability. This article has since been removed[74] by The Guardian due to the inaccuracies in Boelter’s representation of the facts. After complaints from 73 renowned security researchers[75], The Guardian was forced to substantially revise and correct their own articles as well. Therefore, in June 2017, The Guardian readers’ editor Paul Chadwick wrote that "The Guardian was wrong to report in January that the popular messaging service WhatsApp had a security flaw so serious that it was a huge threat to freedom of speech."[76]

"In a detailed review I found that misinterpretations, mistakes and misunderstandings happened at several stages of the reporting and editing process. Cumulatively they produced an article that overstated its case."

— Paul Chadwick, The Guardian[76]

Chadwick also noted that since the Guardian article, WhatsApp has been "better secured by the introduction of optional two-factor verification in February."[76] However, this feature had already been introduced in public beta versions of WhatsApp as early as November 2016,[77] months before The Guardian wrote about the alleged issue.

In October 2017, the German software company Open-Xchange criticised WhatsApp and Slack for using proprietary software and stated plans to create an open source alternative.[78]

References

  1. ^ a b c d e Parmy Olsen (February 2, 2014). "Exclusive: The Rags-To-Riches Tale Of How Jan Koum Built WhatsApp Into Facebook's New $19 Billion Baby". Forbes. Retrieved January 14, 2015.
  2. ^ "WhatsApp 2.0 is submitted - WhatsApp Blog". Retrieved June 5, 2016.
  3. ^ "Three-quarters of WhatsApp users are on Android, 22% on iOS (study)". Venturebeat.com. Retrieved June 5, 2016.
  4. ^ "5 years of WeChat". Retrieved June 5, 2016.
  5. ^ "Snapchat". Retrieved June 5, 2016.
  6. ^ Schellevis, Joost (January 12, 2012). "What's app status: van Anderen os nog steeds te wijzigen" (in Dutch). Tweakers. Retrieved January 12, 2012.
  7. ^ rvdm (January 12, 2012). "How What's app net works". Wire trip. Retrieved April 7, 2013.
  8. ^ "Are my messages secure?". WhatsApp (FAQ). Zendesk. August 15, 2012. Retrieved January 29, 2013.
  9. ^ "PrivCo". Privco.com. Retrieved May 30, 2016.
  10. ^ "The Granddaddy Of Messaging Apps, WhatsApp, Finally Goes For A Subscription Model on iOS". Techcrunch.com. Retrieved June 8, 2016.
  11. ^ "WhatsApp, the Internet Messenger, to Become Free". The New York Times. Retrieved August 28, 2016.
  12. ^ "Russia's Zuckerberg launches Telegram, a new instant messenger service". Reuters.com. Retrieved June 5, 2016.
  13. ^ "Voice Messaging Comes To Whatsapp". Techcrunch.com. Retrieved June 6, 2016.
  14. ^ "WhatsApp Was Valued At ~$1.5B In Final Round Before Sale". Techcrunch. Retrieved February 22, 2014.
  15. ^ "Facebook to Buy WhatsApp for $19 Billion". The Wall Street Journal. Retrieved August 28, 2016.
  16. ^ "Hole In WhatsApp For Android Lets Hackers Steal Your Conversations". Techcrunch.com. Retrieved June 6, 2016.
  17. ^ "Whatsapp now lets you disable Read notifications". November 15, 2014.
  18. ^ "WhatsApp Web". January 21, 2015.
  19. ^ "(Updated) WhatsApp begins crackdown on unlicensed 3rd party clients". Androidauthority.com. Retrieved June 6, 2016.
  20. ^ "WhatsApp Says It's Not "Permanently" Banning Users From Its Service, Just Blocking Third-Party Clients". Techcrunch.com. Retrieved June 6, 2016.
  21. ^ "Brazil Restores WhatsApp Service After Brief Blockade Over Wiretap Request". The New York Times. December 17, 2015. Retrieved August 28, 2016.
  22. ^ "WhatsApp Is Briefly Shut Down in Brazil for a Third Time". The New York Times. July 19, 2016. Retrieved August 28, 2016.
  23. ^ Ina Fried (January 18, 2016). "Facebook's Whatsapp is Now Free". Re Code. Vox Media, Inc. Retrieved January 18, 2016.
  24. ^ "Whatsapp to Drop Subscription Fee". Wall Street Journal. Dow Jones & Company, Inc. January 18, 2016. Retrieved January 18, 2016.
  25. ^ "No Subscription Charges For WhatsApp: Does Facebook Have A Monetization Strategy In Place?". Forbes. Retrieved May 30, 2016.
  26. ^ "Brazil Arrests Facebook Executive in WhatsApp Data Access Case". The New York Times. March 1, 2016. Retrieved August 28, 2016.
  27. ^ "WhatsApp adds support for document sharing, but only PDFs at launch". TechCrunch. March 2, 2016. Retrieved March 2, 2016.
  28. ^ a b c Metz, Cade (April 5, 2016). "Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People". Wired. Condé Nast. Retrieved April 5, 2016.
  29. ^ Lomas, Natasha (April 5, 2016). "WhatsApp completes end-to-end encryption rollout". TechCrunch. AOL Inc. Retrieved April 5, 2016.
  30. ^ "WhatsApp Introduces End-to-End Encryption". The New York Times. April 5, 2016. Retrieved August 28, 2016.
  31. ^ "Introducing WhatsApp's desktop app", WhatsApp Blog, 10 May 2016, retrieved 11 May 2016
  32. ^ "Building for People, and Now Businesses". WhatsApp.com.
  33. ^ http://news.klm.com/klm-first-airline-with-verified-whatsapp-business-account/
  34. ^ de Vries, Wilbert (May 21, 2011). "Fout in verificatiecheck Whatsapp maakt meelezen berichten mogelijk" (in Dutch). Tweakers. Retrieved August 24, 2016.
  35. ^ Mutsaerts (May 20, 2011). "WhatsApp. Nu NOG lekker!" (in Dutch). Geenstijl. Retrieved August 24, 2016.
  36. ^ McCarty, Brad (May 23, 2011). "Signup goof leaves WhatsApp users open to account hijacking". The Next Web. Retrieved January 29, 2013.
  37. ^ Brookehoven, Corey (May 19, 2011). "Whatsapp leaks usernames, telephone numbers and messages". Your daily Mac. Archived from the original on May 23, 2011. Retrieved July 18, 2011.
  38. ^ "Whatsapp ya cifra los mensajes" [What’s app already encrypts messages]. Mi equipo está loco (in Spanish). ES: IT Pro. May 11, 2012. Retrieved May 31, 2012.
  39. ^ BB, David (May 8, 2012). "Twitter" (status). Retrieved May 31, 2012.
  40. ^ Sp0rk bomb (May 10, 2012). "Twitter". Retrieved May 31, 2012.
  41. ^ "WhatsApp is broken, really broken". File perms. September 12, 2012. Archived from the original on January 8, 2015. Retrieved July 2, 2015.
  42. ^ djwm (May 13, 2012). "Sniffer tool displays other people's WhatsApp messages". H (online ed.). Heinz Heise. Retrieved January 29, 2013.
  43. ^ "Are my messages secure?". WhatsApp (FAQ). Zendesk. August 15, 2012. Retrieved January 29, 2013.
  44. ^ Schellevis, Joost (January 12, 2012). "WhatsApp status van anderen is nog steeds te wijzigen" (in Dutch). Tweakers. Retrieved January 12, 2012.
  45. ^ rvdm (January 12, 2012). "How What's app net works". Wire trip. Archived from the original on November 5, 2013. Retrieved April 7, 2013.
  46. ^ fab (September 14, 2012). "WhatsApp accounts almost completely unprotected". The H (online ed.). Heinz Heise. Retrieved January 26, 2013.
  47. ^ crve (September 25, 2012). "WhatsApp threatens legal action against API developers". The H (online ed.). Heinz Heise. Retrieved January 26, 2013.
  48. ^ wnstnsmth (September 30, 2012). "WhatsAPI sources back online". The H (online ed.). Heinz Heise. Retrieved January 26, 2013.
  49. ^ "CITC warns Skype, Viber, WhatsApp". Saudi Gazette. Jeddah. March 31, 2013.
  50. ^ ULD empfiehlt nach dem WhatsApp-Facebook-Deal: „Wechseln“ (German)
  51. ^ Wisniewski, Chester (January 29, 2013). "WhatsApp's privacy investigated by joint Canadian-Dutch probe". Naked security. Sophos. Retrieved January 29, 2013.
  52. ^ "Investigation into the personal information handling practices of WhatsApp Inc". Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA). Report of Findings. Privacy Commissioner of Canada. January 15, 2013. 2013-001. Retrieved January 29, 2013.
  53. ^ gh, h (January 28, 2013). "WhatsApp could face prosecution on poor privacy". IDG. CXO Media. Retrieved January 29, 2013. Dutch and Canadian privacy commissioners conducted a yearlong investigation into the popular mobile app
  54. ^ "Dutch DPA: WhatsApp non-users better protected". November 3, 2015.
  55. ^ "Whatsapp now lets you disable Read notifications". November 15, 2014.
  56. ^ "Crash Your Friends' WhatsApp Remotely with Just a Message". TheHackerNews. December 1, 2014. Retrieved December 1, 2014.
  57. ^ "Multiple Vulneribilities found in Whatsapp Web". Hackatrick. January 29, 2015. Retrieved January 29, 2015.
  58. ^ "17-Year-Old Found Bugs in WhatsApp Web and Mobile App". TheHackerNews. January 29, 2015. Retrieved January 29, 2015.
  59. ^ tech2 News Staff (February 13, 2015). "WhatsApp security flaw allows anyone to track you regardless of your privacy settings". Firstpost. Retrieved April 23, 2015.
  60. ^ "WhatsApp adds support for document sharing, but only PDFs at launch". TechCrunch. March 2, 2016. Retrieved March 2, 2016.
  61. ^ "Your mobile could be at risk if you don't deactivate the new function on WhatsApp". Softonic. March 7, 2016. Retrieved March 7, 2016.
  62. ^ Jan Koum (August 25, 2016). "Looking ahead for WhatsApp". WhatsApp. Retrieved August 25, 2016.
  63. ^ James Vincent (August 25, 2016). "WhatsApp to start sharing user data with Facebook". The Verge. Retrieved August 25, 2016.
  64. ^ Lomas, Natasha (26 August 2016). "How to opt out of sharing your WhatsApp info with Facebook". TechCrunch. AOL Inc. Retrieved 4 September 2016.
  65. ^ https://www.cnil.fr/sites/default/files/atoms/files/20161027_letter_of_the_chair_of_the_art_29_wp_whatsapp.pdf
  66. ^ a b "Whatsapp adds end-to-end encryption". BBC News. April 6, 2016. Retrieved April 6, 2016.
  67. ^ Lee, Micah (2 March 2015). "You Should Really Consider Installing Signal, an Encrypted Messaging App for iPhone". The Intercept. First Look Media. Retrieved 12 January 2016. Apple’s iMessage ... employs strong encryption, but only when communicating between two Apple devices and only when there is a proper data connection. Otherwise, iMessage falls back on insecure SMS messaging.
  68. ^ "Requirements for enhanced security features". Viber Security FAQ. Viber. n.d. Retrieved 16 July 2016. Note that Viber for Windows Phone 8 will not support the new security features. It will continue to secure calls and messages through standard encryption methods.
  69. ^ "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. April 5, 2016. Retrieved April 6, 2016.
  70. ^ Manisha, Ganguly (13 January 2017). "WhatsApp vulnerability allows snooping on encrypted messages". The Guardian. Retrieved 21 February 2017.
  71. ^ Dan, Goodin (13 January 2017). "Reported "backdoor" in WhatsApp is in fact a feature, defenders say". Ars Technica. Retrieved 21 February 2017. WhatsApp does not give governments a "backdoor" into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks. WhatsApp published a technical white paper on its encryption design and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.
  72. ^ "There is no WhatsApp 'backdoor'". OWS Blog. January 13, 2017. Retrieved January 15, 2017.
  73. ^ "WhatsApp vulnerability explained: by the man who discovered it". The Guardian. 16 January 2017. Retrieved 17 June 2018.
  74. ^ Zeynep Tufekci, Matthew Green, Bruce Schneier; et al. (January 20, 2017). "In Response to Guardian's Irresponsible Reporting on WhatsApp: A Plea for Responsible and Contextualized Reporting on User Security". Technosociology. Retrieved June 17, 2018.
  75. ^ a b c Chadwick, Paul (28 June 2017). "Flawed reporting about WhatsApp". The Guardian. Retrieved 6 October 2017.
  76. ^ Russell Brandom (November 10, 2016). "WhatsApp is rolling out two-factor authentication". The Verge. Retrieved June 17, 2018.
  77. ^ https://www.theregister.co.uk/2017/10/12/openxchange_imap_chat_killer_app/