Mobile phone calls and text messages seem to be going the way of the dinosaurs. In their place, a plethora of multi-functional mobile messaging apps have flooded the market, each offering distinct features. In fact, a study by Informa found that chat apps are now more popular than text messaging among mobile users worldwide, with 19 billion chat messages being sent each day last year alone. Although traditional text messaging may never fully disappear, users today are looking for services offering easy-to-use multimedia functions, group chats, video calls, gaming and more.
Arguably, privacy is a key draw for users when it comes to any mobile chat option, and one of the most popular apps on the market, WhatsApp, has found itself in some hot water after researchers called out a potential security vulnerability. WhatsApp is a multimedia-messaging app that offers secure text, video and picture services for $0.99 per year. Thijs Alkemade, an open-source developer and student at Utrecht University in the Netherlands was the first to point out and explore a flaw in the app’s encryption (the process of encoding messages in a way that cybercriminals cannot view) that would make it possible to read plain text communications sent via WhatsApp. So far, the vulnerability has been found almost exclusively in Android devices, and Nokia Series 40, but Alkemade stated that it’s possible that the vulnerability could be found in iOS devices although such a case has not yet been reported. Nor have researchers found if the flaw affects WhatsApp messages sent across device types, such as an Android message sent to an iPhone. Aside from Alkemade’s investigation, independent security researchers also reviewed the information and agreed that the issue poses a real threat to users on any mobile operating system.
The vulnerability in question involves the use of the same key to decode the encryption on both sides of a conversation, making it possible for someone to intercept messages sent via Wi-Fi and decrypt them. An attacker with access to the encrypted messages can use a specific algorithm to compare and essentially predict the text hidden underneath the encryption. In previous research experiments, cryptographers have already used this method and successfully decrypted short messages in seconds with a 99% accuracy rate. Because the message sent from the user to the server, and vice versa, have the same key to unlock them, when compared against each other, the actual text can be pulled out of the encrypted streams of seeming gibberish. For those who use WhatsApp to either send sensitive messages, or simply get the address for a dinner party, the possibility of someone being able to see plain text content is a major security risk for all 300 million monthly users.
While using the same encryption key to secure two different messages is a well-known security weakness, it is still a labor-intensive process to break through. The algorithm needed to decrypt the intercepted messages is not only difficult and time consuming to develop, but the attacker would have to have access to the wireless network that messages are being relayed over as well. Regardless, a determined hacker could most likely create something general enough to target WhatsApp users as well as other vulnerable mobile apps. WhatsApp processes as many as 27 billion instant messages a day, and chances are there is plenty of private and potentially useful information being shared. However, despite the findings, WhatsApp maintains that their messages are fully secure and it is unclear if they are exploring the issue any further.
In the meantime, Alkemade warns users to assume that if they use unsecure wireless networks, their WhatsApp messages are most likely already compromised, given enough effort. However, users can ensure that any future conversations can’t be used against them by being careful about what they share on WhatsApp. It is a best practice to avoid sharing personal information like your home address, account passwords or risky photos via any mobile app, even if security is supposedly guaranteed. Also avoid connecting to public Wi-Fi in general on your mobile device. You never know who could be looking in.
WhatsApp is not the first, nor will it be the last mobile app to have its security practices called into question, and it is up to users to practice mobile safety no matter what app they are communicating on.
Be sure to check out my other blogs for more top mobile security stories, safety tips and similar app-related issues.