WhatsApp is one of the most popular instant messaging services in the world. The service has more than a billion users.
Perhaps the biggest reason for the app’s popularity is its convenience. You can use it to send unlimited text, video and photos for free. WhatsApp also allows you to make worldwide calls absolutely for free (data fees aside). Until now the only issue that concerned a segment of users was privacy, as the service had serious problems with security.
On April 5, WhatsApp announced that it had finally implemented end-to-end encryption across the platform. This step will probably make the messenger even more popular and cause a lot of trouble for spies of all stripes (including security agencies): over a billion users’ privacy is now strongly fortified.
Let’s clarify what has changed in WhatsApp and how it will affect you and me.
All the colors of encryption
WhatsApp for Android implemented some kind of encryption a long time ago. The messenger relied on the common SSL and TLS protocols, which are also used, for example, in email.
But there is encryption, and then there is the way it’s implemented. The old version was implemented poorly: it had some flaws that allowed hackers to steal and decrypt users’ communications. Besides, part of the data was not encrypted at all.
When the EFF made a list of the most and least secure messengers, WhatsApp received two stars out of a maximum of seven. As a result, we had to add this app to our “black list” of insecure messengers, but we also noted that with time WhatsApp would sever itself from the D-team. By that time WhatsApp had already announced that Open Whisper Systems would provide its Signal Protocol encryption to make the messenger secure.
Open Whisper Systems is a non-commercial organization and the developer of Signal, one of the most protected instant messaging services, according to the aforementioned EFF. It also created RedPhone, secure software for VoIP communication. These solutions received 7 stars from the EFF, the highest score possible. Despite their great reliability, they are used by only a few. WhatsApp is a great deal more popular than all of them together.
Now that WhatsApp uses Signal Protocol, the app has almost reached the same level of security as the abovementioned solutions: since the announcement on encryption, the EFF has changed their rating of WhatsApp to 6 stars out of 7. In comparison to the previous 2 stars it’s a huge step ahead. So, what has changed?
What’s the fuss about new WhatsApp encryption?
In November 2014, WhatsApp could encrypt messages (poorly) and had been audited by an independent organization less than a year before. This earned the app two stars. On April 5, WhatsApp went up in the rating and got 4 additional stars in one day.
The messenger received the first star because now even WhatsApp employees cannot decrypt and read users’ messages. Let us remind you that the Apple vs. FBI quarrel broke out for almost the same reason: the company claimed that it could not hack its own smartphone, even at the request of the security services.
WhatsApp received another star for a proper identity verification mechanism: when a chat begins, users can make sure that they are speaking with the person they expect to connect with, and check the integrity of the channel.
The messenger was awarded the fifth star because it always changes encryption keys. So if anybody steals a key, the culprit would be able to decrypt only a part of the conversation, while the previous conversations would be unavailable.
And finally, the sixth star was given because the Signal Protocol implementation in WhatsApp is well-documented. This measure lets the audience, including professional cryptographers, review the crypto-design and ensure that encryption keys are generated, stored and sent securely.
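The key-changing idea above can be shown with a simplified hash ratchet, in which every message gets its own key and the chain only moves forward. This is an added example, not WhatsApp's or Open Whisper Systems' code; the HMAC labels, the toy cipher and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

def ratchet_step(chain_key):
    """One ratchet step: returns (message_key, next_chain_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key

def seal(message_key, plaintext):
    """Toy encrypt-then-MAC, demo only; one 32-byte keystream block."""
    if len(plaintext) > 32:
        raise ValueError("demo cipher handles at most 32 bytes")
    stream = hmac.new(message_key, b"enc", hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ct, hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()

def unseal(message_key, ct, tag):
    """Return the plaintext, or None if this key does not fit the message."""
    expected = hmac.new(message_key, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(message_key, b"enc", hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

def send_all(root_key, messages):
    """Encrypt each message under its own key; also record the chain key
    the device holds after each send (chain_keys[n] = after n messages)."""
    chain_key, transcript, chain_keys = root_key, [], [root_key]
    for plaintext in messages:
        message_key, chain_key = ratchet_step(chain_key)
        transcript.append(seal(message_key, plaintext))
        chain_keys.append(chain_key)
    return transcript, chain_keys

def readable_with(stolen_chain_key, transcript):
    """Indices of messages openable with any key derivable from the stolen one."""
    keys, chain_key = [], stolen_chain_key
    for _ in transcript:
        message_key, chain_key = ratchet_step(chain_key)
        keys.append(message_key)
    return [i for i, (ct, tag) in enumerate(transcript)
            if any(unseal(k, ct, tag) is not None for k in keys)]

# Constructed sample data: a made-up root secret and five short messages.
ROOT = hashlib.sha256(b"constructed demo root secret").digest()
TRANSCRIPT, CHAIN_KEYS = send_all(ROOT, [b"msg %d" % i for i in range(5)])
print(readable_with(CHAIN_KEYS[3], TRANSCRIPT))
```

A chain key stolen after three messages opens only messages 3 and 4, because HMAC cannot be run backwards to recover the earlier keys. The real Signal Protocol additionally mixes fresh Diffie-Hellman results into the chain, so a stolen key also stops working for later messages once both sides have exchanged new key material.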
The last, seventh star was not given to WhatsApp as the messenger does not open its source code. When developers open their code, Internet users can unite their efforts to find new vulnerabilities and make the solution more secure. Facebook, the owner of WhatsApp, seems to be willing to work on this on their own.
However, 6 stars is the highest score for the majority of popular messengers. For example, Skype and Yahoo Messenger still have only one star. WhatsApp’s main rival, Viber, has two stars. Among popular solutions only Telegram’s secret chats can compete with WhatsApp in terms of security, as they have 7 of 7 possible stars.
The latest WhatsApp version encrypts all data: text, pictures, video and voice calls for any number of people in a chat or on a call. Encryption works on all platforms, from Nokia S40 and Symbian to iOS, Android, Blackberry 10 and Windows Phone.
WhatsApp creators Jan Koum and Brian Acton are sure that many people will highly appreciate this change for the better. More than a billion people are now able to speak securely and share thoughts on any topic privately. This is a huge step towards privacy on the Internet, quite the opposite of the trend we have recently observed in the world.