WhatsApp may not be the most secure messaging platform, but it’s certainly the most popular. And while others, such as Signal and Wickr, are designed with a security-first approach, WhatsApp’s combination of end-to-end encryption and easy-to-use functionality has proven a market winner for more than ten years.
And so to WhatsApp’s latest planned update to make its 2 billion users even more secure and protected from prying eyes, while adding some neat new functionality as well. Until this update is available, your data is not as secure as you probably think—there’s a major security gap. But, as reported by WABetaInfo today, May 21, two critical changes are now in beta and are expected to be rolled out soon.
The first is an absolute game-changer. Right now, hundreds of millions of iPhone users rely on “Chat Backup” to store message history and media on iCloud. When an iPhone is lost or changed, the full chat history with all its media can be restored. The issue, though, and it’s a big one, is that “media and messages you back up aren’t protected by WhatsApp end-to-end encryption while in iCloud.” That means your private data can be accessed—it doesn’t have the same level of security as within WhatsApp itself. Most users are blissfully unaware of this.
Now, according to WABetaInfo, the current iOS beta “enables the encryption of chat histories hosted on iCloud, including media—just check WhatsApp Settings.” This plugs a major gap and should be welcomed by all users. The option to easily store a WhatsApp backup is critical, especially with the spate of social engineering hacks recently that have hijacked user accounts. Without such a backup in place, the temporary loss of your account or the loss of your phone is a nightmare.
The fact that WhatsApp’s end-to-end encryption does not extend to its iCloud backups is a major security vulnerability that has been exposed before. When the chats are backed up from the device, they are decrypted, as you are one end of that end-to-end encryption. Any security applied to the cloud backup falls outside of WhatsApp’s wrapper. Extending the platform’s encryption, secured under a user password with no man-in-the-middle access, is a critical improvement. Absent that, your data is accessible by Apple or the authorities when required.
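To make the principle in the paragraph above concrete, here is an added illustration (not WhatsApp’s code, and not a description of how WhatsApp’s feature is built): the backup is sealed on the device under a key stretched from a user-chosen password, so the cloud provider stores only an opaque blob, and a wrong password or any tampering with the stored blob is detected on restore. The salt, nonce and iteration parameters are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed parameters for this example; a real client would tune them.
SALT_LEN  = 16
NONCE_LEN = 12
TAG_LEN   = 16
ITERS     = 100_000

# Stretch the user's password into a 256-bit key (PBKDF2-HMAC-SHA256).
# The salt is random per backup, so the same password never yields the same key twice.
def derive_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERS, length: 32, hash: 'sha256')
end

# Seal the backup on the device before it leaves for the cloud.
# Stored layout: salt || nonce || ciphertext || GCM tag. The provider only ever sees this blob.
def encrypt_backup(password, backup)
  salt  = SecureRandom.random_bytes(SALT_LEN)
  nonce = SecureRandom.random_bytes(NONCE_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(password, salt)
  cipher.iv = nonce
  cipher.auth_data = salt # bind the header to the ciphertext so it cannot be swapped
  ct = (backup.empty? ? ''.b : cipher.update(backup)) + cipher.final
  salt + nonce + ct + cipher.auth_tag
end

# Recover the backup on the restoring device. A wrong password or any modification
# of the stored blob fails the GCM tag check, which surfaces as nil rather than garbage.
def decrypt_backup(password, blob)
  return nil if blob.bytesize < SALT_LEN + NONCE_LEN + TAG_LEN

  salt  = blob.byteslice(0, SALT_LEN)
  nonce = blob.byteslice(SALT_LEN, NONCE_LEN)
  ct    = blob.byteslice(SALT_LEN + NONCE_LEN, blob.bytesize - SALT_LEN - NONCE_LEN - TAG_LEN)
  tag   = blob.byteslice(-TAG_LEN, TAG_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(password, salt)
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = salt
  (ct.empty? ? ''.b : cipher.update(ct)) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```

Because the key exists only on the two endpoints, the storage provider cannot read the backup or silently alter it; what it can still do is delete the blob, which is why the password must be something the user can actually remember.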
The second new feature is a long-awaited option for users to send a personal QR code which will load their contact details into another phone. This will be available for both iOS and Android users and is a simple way of adding to your contact list within WhatsApp. It means, for example, that a user could send their details to a new WhatsApp group, without anyone having to cut and paste fields. It also means that businesses can publish contact details for users to quickly store.
According to WABetaInfo, the QR codes can be changed and revoked, which suggests that if you send one in error, it will no longer work. The security issue for users, of course, is that they are sharing their real phone numbers. That said, this might be an interesting shift away from long-term linkage of a user’s phone number towards independent and anonymized WhatsApp unique identifiers.
No word yet from WhatsApp that this shift is in the works, but there is an expectation of multi-platform access over and above today’s web platform, with an iPad version the obvious next step. As reported by my colleague Kate O’Flaherty, uber-secure messaging platform Signal is introducing a new user identifier as an alternative to phone numbers. It’s the same principle. Right now, the QR code includes your phone number. If the system catches on, there’s no reason why that can’t be replaced by a different unique identifier.
There is of course a deep-rooted irony with WhatsApp: its ownership. The platform has been part of Facebook since 2014, and yet has remained largely undamaged by the trail of security and privacy mishaps with its parent.
Not always, though. This week, German privacy chief Ulrich Kelber “warned federal authorities against using WhatsApp.” As reported by Handelsblatt, the official alleged that WhatsApp collects metadata when users send messages, “and it can be assumed this is then immediately passed on to Facebook.” This, he said, would compromise the privacy of citizens sending messages to federal authorities.
WhatsApp has categorically denied this, of course, assuring me that no user metadata is sent to Facebook and that reports to the contrary are incorrect. There was no claim that actual message data is collected—it’s end-to-end encrypted, after all. German security agencies have, though, been hungry—alongside their U.S. and U.K. colleagues—to break that encryption and access the data. Ironically, this would break WhatsApp’s security wrap and would compromise user privacy.
Despite its parentage, WhatsApp takes user security seriously. Every dealing I have had with the platform encourages me as to the intent behind the features it pushes out to users. The recent expansion of its encrypted video chat service is a great example of this. And six years on from the Facebook acquisition, we still don’t have to put up with ads and marketing messages polluting our chat timelines.
But, as ever, there are notes of caution. As I have reported multiple times before, WhatsApp does have its security slip-ups. The downside of a hyper-scale platform found on most phones is that it’s an obvious target for sophisticated cyber attacks. And we have seen something similar this week again, with the report of a new vulnerability attributed to a German threat group, targeting users in Asia. This follows reports last year around various vulnerabilities, following on from the infamous spyware attacks attributed to Israel’s NSO and targeting victims through WhatsApp accounts. This is the subject of a current court case in the U.S.
Most of the alleged WhatsApp attacks seen in the wild are targeted; only a tiny fraction of high-profile users have to concern themselves over such attacks. For most people, it’s the basics—set up two-factor authentication AND the WhatsApp PIN. They are not the same thing. And for iOS users, make sure you encrypt your iCloud backup and make use of that backup option when it’s available. It is hard to overstate how beneficial an encrypted backup option is for your security.
Beyond that, a shift to WhatsApp introducing levels of separation between users and their real phone numbers suggests further security enhancements to come. All told, this is one update that carries real weight for the security of the platform, at a time when encryption has never been more needed, or more under threat.
And, on that note, Facebook itself confirmed some welcome news for its billions of Messenger users today. The tech giant announced a set of “privacy-preserving tools” would be rolled out “as we move to end-to-end encryption.” Those tools include warnings when content is suspicious, automated tools to detect when adults message inappropriately with minors, and filters to screen for scams.
“As Messenger becomes end-to-end encrypted by default,” the company said, “we will continue to build innovative features that deliver on safety while leading on privacy.” Users had hoped encryption would be in place by now—but it has been delayed. Now, though, we have confirmation it’s still coming. The new features, it said, “will be available and effective when Messenger is end-to-end encrypted.”