WhatsApp: Security experts warn that Facebook’s chat app can be insecure, despite Amnesty recommendation

Facebook and WhatsApp were ranked the most secure chat apps by Amnesty, but there are big problems with both of the apps, say security experts

Andrew Griffin
Friday 21 October 2016 12:16 BST
The new end-to-end WhatsApp encryption means that no-one can spy on your messages (Jenny Marc)


WhatsApp and Facebook Messenger are the most secure chat platforms, according to Amnesty International. But that decision has already met with scepticism from people in the technology community, some of whom have warned that it might not be safe to use the apps at all.

Amnesty gave Facebook and WhatsApp, which it didn’t distinguish between, a score of 73 out of 100, its highest. But it particularly picked out WhatsApp, which it said was “the only app where users are explicitly warned when end-to-end encryption is not applied to a particular chat”.

It did have some criticism for Facebook, which doesn’t apply strong encryption by default and doesn’t warn users that they’re not using the most secure technology. Facebook does that in part because Messenger conversations are valuable information for the company to read and use for advertising.

WhatsApp has been repeatedly praised for its decision to integrate end-to-end encryption into its apps. That technology makes sure that messages can only be read by the people sending and receiving them, and has got WhatsApp into problems in the past – the app was shut down in Brazil because authorities wanted to be able to read the conversations being had on it.

But it has come in for criticism from other technology groups, including the Electronic Frontier Foundation. That organisation has even warned people that they should be careful before using WhatsApp for sensitive conversations, for fear that they might be read.

Most recently, WhatsApp’s privacy policies were criticised when it announced that it would start sharing user data with Facebook. That would see it give up information – though not the contents of chats – to its parent company, which would then use it to better target ads.

And the EFF also pointed to a range of other problems with the privacy tools on WhatsApp, despite Amnesty’s encouragement.

It pointed out, for instance, that the app uses unencrypted backups. Those are useful for restoring a phone if it is lost, stolen or a user buys a new one - but they also mean that messages are sent to the cloud without any protection, so it would be possible for someone to break into that backup and read whichever messages they like.

Even if a user tells the app that they don’t want conversations backing up, that might not keep them from being stored in the cloud. If the person a user is talking to is using the backup feature, then the messages will be stored without encryption anyway.

The EFF also took issue with the way that WhatsApp integrates encryption into its user experience, and the fact that the web app that can be used to send messages from a computer could also be vulnerable to attack.

The group did praise the fact that WhatsApp makes use of the Signal protocol – a very well-regarded encryption standard that keeps messages secure. But it said the various other problems with it made security and privacy a concern when using WhatsApp.


The Electronic Frontier Foundation makes two main recommendations to Facebook and WhatsApp to make themselves more secure.

The first is that the app make it far easier to enable strong privacy while using it. “A slider that would switch on all of the protective options—such as disabling backups, enabling key change notifications, and opting out of aspects of data sharing—would make it far easier for users to take control of their security,” the group wrote.

The other is that WhatsApp make it much clearer what is being shared with Facebook. It should lay out specifically which bits of information it will be sharing with the site, it wrote, and so show that some information won’t be shared with its parent company.

The group urges that people “take extra caution when deciding whether and when to communicate using WhatsApp”, until such changes are made.

The group also recommends that people use Signal if they want to keep messages more secure. It is expected to publish its own version of Amnesty’s scorecard in the near future.
