WhatsApp Becomes The Latest Victim

Is there a truly secure messaging app? One could spend hours examining all the encrypted communications tools available, from popular services such as WhatsApp and Facebook’s Messenger to newcomers such as Signal and Wire.

But while experts agree that some of these options are more secure than others, there always seems to be another flaw waiting to be discovered. This makes the search for a perfect app resemble the hunt for the goose that laid the golden egg.

That point was driven home recently with the revelation that attackers could exploit a security vulnerability in WhatsApp to snoop on its users.

The vulnerability was found in the service’s implementation of end-to-end encryption, which is supposed to make it all but impossible for messages to be read by anyone except their intended recipient, and in WhatsApp’s management of the unique security keys used to scramble and unscramble those messages on users’ devices.

The problem stemmed from WhatsApp’s ability to create new encryption keys for offline users. This is common for secure communication tools, but WhatsApp is set apart by its decision to re-encrypt messages with the new keys without informing their sender or recipient.

This could allow someone to intercept communications with no indication to anyone involved with the conversation. WhatsApp has therefore effectively undermined the basic principle of end-to-end encryption.

It would be easy to overreact to this issue. WhatsApp did not create a backdoor into its service; Brian Acton, the company’s co-founder, publicly rejected that claim, saying WhatsApp would “fight any government request” to create one.

Nor did it introduce a vulnerability so critical that people should remove the app from their devices. Concerned users can verify someone’s identity by comparing the “fingerprints” associated with their key, and they can enable a setting that notifies them when a message has been re-encrypted with a new key.

Yet even the nature of those notifications is open to question. There are two options: blocking, which requires users to manually verify that a new key is legitimate before any message is sent to it, and non-blocking, which simply informs them that a key has changed.

WhatsApp notifications are non-blocking. Signal, the encrypted messaging tool from Open Whisper Systems (OWS) whose end-to-end encryption protocol is used in WhatsApp, Messenger and other apps, uses blocking notifications.
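The three key-change policies the article contrasts, modelled as an added example (this is not WhatsApp's or Signal's code; the fingerprint format and the client structure are hypothetical). The client trusts a contact's key on first contact, queues messages while the contact is offline, and then decides what to do when the server reports a different key.

```python
import hashlib

# Policies for handling a recipient's changed key while messages are queued:
# "silent" (the WhatsApp default described), "non-blocking" (notify but still
# send) and "blocking" (hold until the user verifies the new key).
POLICIES = ("silent", "non-blocking", "blocking")

def fingerprint(public_key: bytes) -> str:
    """Short digest users compare out-of-band; hypothetical format."""
    return hashlib.sha256(public_key).hexdigest()[:16]

class Client:
    def __init__(self, policy: str):
        assert policy in POLICIES
        self.policy = policy
        self.trusted = {}   # recipient -> key accepted on first contact (TOFU)
        self.outbox = {}    # recipient -> messages waiting for an offline recipient
        self.held = {}      # recipient -> (new key, messages) awaiting verification
        self.notices = []   # warnings the user actually sees

    def queue(self, recipient: str, key: bytes, message: str) -> None:
        self.trusted.setdefault(recipient, key)
        self.outbox.setdefault(recipient, []).append(message)

    def deliver(self, recipient: str, current_key: bytes) -> list:
        """Server reports the recipient's current key; return (fingerprint, msg)
        pairs that leave the device, i.e. which key each message was encrypted to."""
        messages = self.outbox.pop(recipient, [])
        if current_key != self.trusted[recipient]:
            fp = fingerprint(current_key)
            if self.policy == "blocking":
                self.held[recipient] = (current_key, messages)
                self.notices.append(f"{recipient}: new key {fp}, verify before sending")
                return []
            if self.policy == "non-blocking":
                self.notices.append(f"{recipient}: messages re-encrypted to new key {fp}")
            # "silent" re-trusts the new key and says nothing: the behaviour the
            # article says undermines the end-to-end guarantee.
            self.trusted[recipient] = current_key
        return [(fingerprint(current_key), m) for m in messages]

    def verify_and_release(self, recipient: str, expected_fp: str) -> list:
        """User compared fingerprints out-of-band; release held messages only on a match."""
        key, messages = self.held[recipient]
        if fingerprint(key) != expected_fp:
            self.notices.append(f"{recipient}: fingerprint mismatch, messages still held")
            return []
        del self.held[recipient]
        self.trusted[recipient] = key
        return [(fingerprint(key), m) for m in messages]
```

Only the blocking client refuses to encrypt queued messages to a key the user has not checked; the silent client produces no visible trace that the key changed at all.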

Some messaging apps follow WhatsApp in not informing users of key changes by default. Others, like Wire, don’t send messages to people with new keys without user consent. These companies will face criticism no matter what they choose: WhatsApp users might worry that their messages are insecure, while Wire users might grow tired of security notifications. Companies might also change their approach based on user feedback, as OWS is doing with the Signal app.

There is no right or wrong answer. The same can be said for other decisions, such as Google’s Allo and Facebook Messenger’s “secret conversations” not using end-to-end encryption by default, which the companies say allows them to offer features that wouldn’t be possible otherwise.

Apps that do use encryption by default, such as Signal and Wire, among others, require people to convince everyone with whom they wish to communicate to switch to unfamiliar messaging tools.

There will never be a one-size-fits-all in the secure communications market. Just as these services have to decide on what problems they wish to solve, consumers must choose the app that best suits their needs.

More apps support end-to-end encryption than ever, and even if none of them are perfect, this means private communications are more secure than before.

These are nuanced problems that must be considered with care instead of being oversimplified.

Guardian:
