Why would I tell you to stop using WhatsApp? I know most of you are thinking, “What’s wrong with WhatsApp?” It is currently the most used messaging platform by people all over the world. So why would I say that? Read on to understand why you should,
Stop Using WhatsApp
Is WhatsApp Secure?
WhatsApp uses end-to-end encryption, so it is secure. But let’s go a little deeper into WhatsApp’s encryption protocol. WhatsApp uses the Signal Protocol developed by Open Whisper Systems. The Signal Protocol is also used by Facebook’s Messenger, Google’s Allo and Open Whisper Systems’ own messaging app, Signal. So what is the Signal Protocol?
The Signal Protocol (formerly known as the TextSecure Protocol) is a non-federated cryptographic protocol that provides end-to-end encryption for instant messaging conversations. – Wikipedia
End-to-end encryption basically encrypts the message on the sender’s end and decrypts it on the receiver’s end. After reading the above, you might think all the applications that you use are secure. No, they’re not! Facebook’s Messenger enables end-to-end encryption only for Secret Conversations, and Google’s Allo enables it only when you use Incognito mode in the app.
That leaves us with WhatsApp and Signal.
WhatsApp Collects Metadata
So what is metadata?
Metadata is defined as the data providing information about one or more aspects of the data; it is used to summarize basic information about data which can make tracking and working with specific data easier.
Metadata contains data like “when, what and how” about something. Read these tweets from Edward Snowden if you did not understand what metadata is.
WhatsApp does not read your texts, but it is able to collect the metadata of your messages. WhatsApp collects metadata such as how much you text one person, your device information, your IP address, at what time of day you are online the most, who called you at a given time on a particular day, and much more. If they can’t obtain information from your phone, they can get it from the phone of a friend who is your contact.
Okay, let’s assume that you are okay with WhatsApp’s metadata collection. Let’s get to the next part that affects your privacy.
Allows Interception of Encrypted Messages
The Guardian published a news story about WhatsApp having a vulnerability or backdoor that allows anyone who has access to WhatsApp’s servers to snoop on your encrypted conversations that are in transit. To see the vulnerability in a nutshell, start with the two keys that encrypted messages rely on. One is a public key, which the sender uses to encrypt the message, and the other is the private key, which the receiver uses to decrypt the encrypted message.
WhatsApp and Signal store those public keys on their central servers and allow your app to download the keys of your contacts to your phone. This means WhatsApp can give you someone else’s public key instead of your friend’s key. The only way you can verify that is by checking the security code with your friend, which most of us neglect to do.
There are two ways of handling a changed key, namely Blocking and Non-Blocking. Blocking is when you are notified and allowed to validate when your friend changes his public key. But WhatsApp does not allow you to do that. Instead, it accepts the changed key and sends all the “in transit” messages (those not yet delivered to your friend) encrypted with the new key, which could be a malicious one. This process is called Non-Blocking.
WhatsApp decides which messages count as “in transit”, which allows someone to access all of your messages through the malicious key. The same happens with WhatsApp calls: when you call a person, the app takes the new key without validating it, and that key could also be a malicious one. There is an option in WhatsApp to show security notifications when keys are changed, but the notification also appears only after the “in transit” messages have been sent.
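The difference between Blocking and Non-Blocking described above, as an added example (not WhatsApp’s or Signal’s code): a small Python model of a sending client that is handed a changed contact key by the server while one message is still undelivered. The Client class, the security_code derivation and the key values are assumptions made for illustration; no real encryption is performed, the model only records which key each message would be encrypted to.

```python
import hashlib
from dataclasses import dataclass, field

def security_code(key_a: bytes, key_b: bytes) -> str:
    """Toy security code: both sides derive the same digits from the two public keys."""
    digest = hashlib.sha256(b"".join(sorted((key_a, key_b)))).hexdigest()
    return str(int(digest, 16))[:12]

@dataclass
class Client:
    own_key: bytes
    trusted_key: bytes        # contact's public key the user last accepted
    blocking: bool            # True = hold messages until the user verifies a new key
    pending: list = field(default_factory=list)  # undelivered ("in transit") messages
    log: list = field(default_factory=list)      # ordered record of what the client did

    def _send_pending(self, key: bytes) -> None:
        # Model only: record which key each message would be encrypted to.
        for text in self.pending:
            self.log.append(("sent", text, key))
        self.pending.clear()

    def on_key_from_server(self, served_key: bytes) -> None:
        if served_key == self.trusted_key:
            self._send_pending(served_key)
        elif self.blocking:
            # Stop: nothing is re-encrypted until the user compares codes.
            self.log.append(("ask_user", security_code(self.own_key, served_key)))
        else:
            # Accept silently, resend, and only then show the notification.
            self.trusted_key = served_key
            self._send_pending(served_key)
            self.log.append(("notify", security_code(self.own_key, served_key)))

    def user_verified(self, served_key: bytes, code_read_by_friend: str) -> bool:
        """Blocking path: accept the key only if the friend reads out the same code."""
        if security_code(self.own_key, served_key) != code_read_by_friend:
            return False
        self.trusted_key = served_key
        self._send_pending(served_key)
        return True

ME, FRIEND, SUBSTITUTED = b"me-pub", b"friend-pub", b"other-pub"  # constructed placeholders, not real keys

def simulate(blocking: bool, served_key: bytes) -> Client:
    client = Client(own_key=ME, trusted_key=FRIEND, blocking=blocking)
    client.pending.append("see you at 6")
    client.on_key_from_server(served_key)
    return client
```

In the non-blocking run the log shows the message sent to the new key before the notification entry; in the blocking run the message stays in pending until user_verified succeeds.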
How is Signal Better?
Signal follows Blocking and notifies you when your friend has changed his public key. It also has an extra feature named Disappearing Messages, which allows you to send messages that disappear after a specific time.
And if you are concerned about the convenience you get from WhatsApp Web, Signal has a solution for that too. Signal can be used on the desktop via the Chrome Web Store.
You could check out Signal for devices here,
For people who think they have nothing to hide, I would like to say one thing:
Of all security threats the primary one is thinking that he/she is secure.
Thank you for reading. Stay tuned for more updates. 🙂