Mobile messaging app WhatsApp is used by millions of people around the world, and while many use it as a convenient way to chat, send pictures, and generally keep in touch with friends and family, there’s another nifty thing about WhatsApp: it promises secure, encrypted communications.
But does it deliver on that promise? Kind of.
WhatsApp uses the Signal Protocol for end-to-end encryption, and the company worked with the protocol's developers, Open Whisper Systems, to get the integration right. But unlike Open Whisper Systems' own Signal app for Android and iOS, WhatsApp will automatically re-encrypt and re-send undelivered messages when a recipient's encryption key changes while that recipient is offline, without first asking the sender. Some security researchers say this opens the door to a man-in-the-middle attack, in which an attacker able to substitute the new key could read those pending messages.
The issue is in the news today thanks to a report from The Guardian, which characterizes the WhatsApp implementation as allowing a “backdoor.” Security researcher Tobias Boelter tells The Guardian that it opens up WhatsApp to government or corporate snooping.
WhatsApp denies that claim, saying it fights government requests for user data and that there’s a good reason for the re-encryption: without it, millions of messages would not be delivered to users who are offline at the time the message is sent.
As Gizmodo reports, there are other, entirely legitimate reasons a security key might need to be re-negotiated, including when a user changes phones, reinstalls the app, or performs a factory reset. WhatsApp, which was acquired by Facebook in 2014 and which finished rolling out the Signal Protocol in 2016, chose to accept such key changes and re-send pending messages automatically for ease of use, so that users wouldn't lose messages.
Want to know how secure your communications are? You can enable a setting in the app to “receive notifications when a contact’s security code has changed.” Just open the settings, go to the account view, and then choose security to find the option.
That won't by itself stop an attack, since WhatsApp re-sends any pending messages under the new key on its own, but it does tell you which contact's key changed, so you can verify the new security code with that person out of band before sending anything sensitive.
If you’re really concerned about security and want to make sure your messages aren’t intercepted, your best option is probably to install the open source Signal app for now. But you’ll need to make sure everyone you want to communicate with is also using it… and you’ll also need to be OK with the thought that some messages might not be delivered automatically (instead you’ll see a notice about undelivered messages, allowing you to choose whether they should be re-sent once you've checked the new key).
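To make the difference between the two behaviours concrete, here is an added example (written for this article, not code from WhatsApp, Signal or Open Whisper Systems) that models both the automatic re-send described above and Signal's wait-for-approval behaviour. It uses a deliberately tiny Diffie-Hellman group and a SHA-256/HMAC toy cipher so it runs with nothing but the Python standard library; the `Sender` class, the `"auto"`/`"block"` policy names, the `on_key_change`/`approve_key` methods, and the constructed message and participants (Alice, Bob, Mallory) are all assumptions made for illustration. The scenario is the one the researchers describe: Bob is offline, Alice has a message pending, and whoever controls key distribution pushes a "new key for Bob" that actually belongs to Mallory.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Toy Diffie-Hellman group. M127 is prime, but a 127-bit modulus is for
# illustration only; a real deployment uses a proper curve or large MODP group.
P = (1 << 127) - 1
G = 5


def keygen():
    """Return (private, public) for a toy long-term identity key."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte symmetric key from the DH shared secret."""
    s = pow(peer_pub, priv, P)          # s < P < 2**127, so it fits in 16 bytes
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def _keystream(key, nonce, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key, msg):
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Sender:
    priv: int
    pub: int
    peer_pub: int                  # recipient's identity key as currently trusted
    policy: str                    # "auto": re-encrypt and re-send; "block": wait for approval
    pending: List[bytes] = field(default_factory=list)   # not yet acknowledged by the peer
    notices: List[str] = field(default_factory=list)     # what the UI would show the user
    unverified_pub: Optional[int] = None

    def send(self, msg):
        """Encrypt to the trusted key; the ciphertext waits on the server while the peer is offline."""
        self.pending.append(msg)
        return encrypt(shared_key(self.priv, self.peer_pub), msg)

    def on_key_change(self, new_pub):
        """The server reports a new key for the recipient. Returns ciphertexts sent right now."""
        self.notices.append("security code changed")
        if self.policy == "auto":
            # WhatsApp behaviour as described in the article: trust the new key and
            # re-encrypt the backlog to it without asking the sender.
            self.peer_pub = new_pub
            return [encrypt(shared_key(self.priv, new_pub), m) for m in self.pending]
        # Signal behaviour as described: hold the backlog until the user approves the key.
        self.unverified_pub = new_pub
        return []

    def approve_key(self):
        """User has verified the new security code out of band; now re-send the backlog."""
        self.peer_pub, self.unverified_pub = self.unverified_pub, None
        return [encrypt(shared_key(self.priv, self.peer_pub), m) for m in self.pending]


def run_scenario(policy):
    """Constructed scenario: Bob is offline and the pushed 'new key for Bob' is Mallory's."""
    a_priv, a_pub = keygen()
    _b_priv, b_pub = keygen()
    m_priv, m_pub = keygen()
    alice = Sender(a_priv, a_pub, b_pub, policy)
    alice.send(b"meet at 9")                  # queued; Bob is offline
    resent = alice.on_key_change(m_pub)       # attacker-controlled key distribution
    # Mallory holds the matching private key, so she can try to read whatever was re-sent.
    leaked = [decrypt(shared_key(m_priv, a_pub), c) for c in resent]
    return {"resent": len(resent), "leaked": leaked, "notices": alice.notices}


if __name__ == "__main__":
    print("auto :", run_scenario("auto"))    # the pending message is readable by Mallory
    print("block:", run_scenario("block"))   # nothing is re-sent until the user approves
```

Under the `"auto"` policy the pending message goes out encrypted to Mallory's key and she recovers the plaintext; under `"block"` nothing leaves the device, and the user sees the same "security code changed" notice but must call `approve_key` (after checking the code with Bob by another channel) before the backlog is re-sent. The notice setting described above corresponds to the `notices` list: it tells you the change happened, but in `"auto"` mode it arrives after the re-send, not before.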