WhatsApp is an instant messaging service with well over one billion global users. To put it into perspective, one in seven people on the planet actively use this popular messaging app to send some 30 billion texts, voice messages and videos every single day.
In 2014, WhatsApp was acquired by Facebook for $19.3 billion. It is now the most powerful communications network in the world by sheer volume. This has governments worried.
CALEA (Communications Assistance for Law Enforcement Act) has traditionally kept telecoms in compliance with federal investigations by requiring them to hand over their users’ data when a court warrant was issued. However, WhatsApp isn’t a telecom – it’s a simple messaging service – but it serves more users than any single communications service in the world. That includes China Mobile, which has 806 million subscribers.
END-TO-END IS THE ONLY WAY TO ENCRYPT
WhatsApp recently implemented full end-to-end encryption to protect users’ content, as well as metadata, such as identity and location. This is important. Not only can data not be decrypted by intercepting parties, but WhatsApp also cannot deliver any data to law enforcement, hackers, or any foreign state.
This might sound like a flaw or some kind of aid to terrorist states but it’s actually by design. Jan Klum, WhatsApp’s founder (and newest billionaire to reach position 62 on Forbes list of 400 richest Americans), was actually born and raised in Ukraine, so he is well aware of the privacy compromises for citizens living under a socialist republic.
WhatsApp has adopted Apple’s basic stance on security, which is a hands-off approach to user data. This keeps data secure, but that doesn’t mean hackers haven’t already begun to plot against users.
PHYSICAL ACCESS ALWAYS TRUMPS ENCRYPTION
Having end-to-end encryption will put many users at ease but no security measure is 100%. One area of concern is the WhatsApp web interface. This is attractive to unscrupulous hackers looking to distribute their own download links – these links deliver malware to unsuspecting clickers.
Like phishing emails, it is important to verify you are using a valid URL (http://web.whatsapp.com/) before clicking on that link. Since you do not need to download any browser extensions or apps, you can simply go to the correct page and sign in.
SPYING ON WhatsAPP CONVERSATIONS
One surreptitious method used to listen into WhatsApp conversations is called MAC spoofing. Every smartphone has a unique identifier called a MAC (Media Access Control) address, which is used to route messages.
If a hacker temporarily assigns someone else’s MAC address to their phone, they can intercept those WhatsApp messages. Since the address is only 12 characters in length and can easily be obtained if someone can get physical access to your phone, it’s a fairly easy hack to perpetrate. Never give your phone to anyone you do not implicitly trust.
Another way to intercept and spy on any encrypted WhatsApp communications is mSpy. mSpy is a ‘monitoring tool’ for smartphones and computers that sends reports on calls, text messages, browsing and WhatsApp conversations back to the owner of the app.
All a hacker needs is brief physical access to your smart phone or computer for a few minutes to install this spy app. It’s like having an automated service that takes screenshots of everything you do on your device, except you don’t know about it and it’s sending all that data to someone who does not have your best security and privacy interests in mind.
THE FUTURE OF WhatsApp
WhatsApp has proven to be the most successful messaging app in the world. And with full encryption for one billion users now in place, the service is taking a step in the right direction. But we should always keep in mind that no messaging app is 100% secure.
Being their parent company, Facebook doesn’t have the best reputation for transparent and secure user data policies, so they have their work cut out for them.
Is this simply a hollow gesture at security or a marketing ploy on Facebook’s part? In the world of hacks and data breaches, no news is usually good news, so we shall see.
About the Author: Scott Schober (@ScottBVS) has lectured and presented extensively regarding cybersecurity and corporate espionage at numerous conferences around the globe. He has recently overseen the development of several cell phone detection tools used to enforce a “no cell phone policy” in correctional, law enforcement and secured government facilities. He is regularly interviewed for leading national publications and major network television stations, including Fox, Bloomberg, Good Morning America, CNN, CCTV, CNBC and MSNBC. He is the author of “Hacked Again” and writes, “In a modern digital world no one is safe from being hacked, not even a renown cybersecurity expert.”
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock