Instant Messaging Security Has a Shaky Compromise

Instant messaging apps have always been under scrutiny for their handling of security and privacy. Recently, The Guardian reported that the popular messaging app WhatsApp was found to have a security vulnerability that can be used to snoop on users. For those who are concerned about their instant messaging security, this is truly a deal breaker.

When it comes to instant messaging security, WhatsApp has been proud to be one of the most secure messaging apps on the market. It touts its end-to-end encryption as secure for all types of users. The problem with its end-to-end encryption is that it includes a scenario which can be exploited. WhatsApp creates new encryption keys for offline users, a necessary step that every other messaging app also performs. What sets WhatsApp apart is that it does not inform its users that a new encryption key has been created before it re-encrypts the new message using the new key.

In this scenario, it is possible for someone to snoop on the thread and intercept the message without anyone knowing that the conversation has been compromised. Although WhatsApp has denied creating any backdoor and says that this is actually a side effect of a policy decision, it is still disconcerting and can be inconvenient for users.

According to Moxie Marlinspike of Open Whisper Systems (OWS), “telling everyone to uninstall WhatsApp does a lot more harm than good, because it’s just going to drive people to other apps that use way less consideration and care that users are also not capable of evaluating the goodness of”.


WhatsApp had a bold decision to make moving forward with offline users. It could have implemented a notification every time a new key was created. This, however, would have halted any ongoing conversation until the two parties had confirmed each other's identity. Alternatively, the conversation could continue, with no one knowing any better and no one inconvenienced.

In contrast, there are other messaging apps which emphasize security. For instance, in this scenario, Wire does not send any messages with the new keys without the consent of the users concerned. The same is true of Signal. These apps boldly require that the users convince everyone that they are the persons they purport to be.
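The two policies described above can be modelled in a few lines. This is an added example, not code from WhatsApp, Wire or Signal: the names `Sender`, `fingerprint` and `run` are hypothetical, the keys are constructed sample values, and encryption itself is left out so that only the key-change decision is shown.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(identity_key: bytes) -> str:
    """Short digest of a public identity key, for out-of-band comparison."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

@dataclass
class Sender:
    blocking: bool                                # True: hold mail when a key changes
    trusted: dict = field(default_factory=dict)   # contact -> trusted fingerprint
    pending: dict = field(default_factory=dict)   # contact -> undelivered messages
    events: list = field(default_factory=list)    # what the user would be shown

    def queue(self, contact: str, key: bytes, text: str) -> None:
        """Message written while the contact is offline."""
        self.trusted.setdefault(contact, fingerprint(key))
        self.pending.setdefault(contact, []).append(text)

    def on_key_update(self, contact: str, new_key: bytes) -> list:
        """The server announces the key the contact now uses."""
        fp = fingerprint(new_key)
        if fp != self.trusted.get(contact):
            if self.blocking:
                self.events.append(("held", contact, fp))
                return []                         # nothing is sent until verify()
            self.trusted[contact] = fp            # new key accepted with no prompt
        return self._flush(contact, fp)

    def verify(self, contact: str, new_key: bytes, confirmed_fp: str) -> list:
        """The user compared fingerprints with the contact out of band."""
        if confirmed_fp != fingerprint(new_key):
            raise ValueError("fingerprint does not match the announced key")
        self.trusted[contact] = confirmed_fp
        return self._flush(contact, confirmed_fp)

    def _flush(self, contact: str, fp: str) -> list:
        # Encryption is out of scope here: record which key each message is bound to.
        return [(fp, text) for text in self.pending.pop(contact, [])]

def run(blocking: bool):
    """Constructed scenario: one queued message, then an unexpected key."""
    old_key, new_key = b"constructed-key-A", b"constructed-key-B"
    s = Sender(blocking=blocking)
    s.queue("bob", old_key, "meet at 6")
    return s, s.on_key_update("bob", new_key), new_key
```

With `blocking=False` the queued message is bound to the new key and the event list stays empty, so the sender sees nothing; with `blocking=True` the message stays on the device until `verify` succeeds.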

On the other hand, there are apps with minimal security, like Google Allo and Facebook Messenger, which do not use end-to-end encryption due to features that they want to pursue.

Messaging apps have ended up with different instant messaging security strategies to suit their user bases. It is a balancing act: they either compromise security in exchange for a bigger feature set, or they have tighter security but less leeway in terms of operations. Improving on this would require bolder and more comprehensive security measures by businesses large and small.
