Why do people confuse “end-to-end encryption” with “security”?
It is very common to hear people make blanket statements like “WhatsApp is secure,” but they rarely understand which security controls WhatsApp actually provides. In fact, this reputation for being “secure” is one of the main reasons WhatsApp gained so much popularity and built such a large user base.
In today’s world, where everything is on the Internet, people crave some privacy, especially when they are communicating with other people and sharing personal conversations. WhatsApp offers a communication channel in which messages between users are encrypted so that even the company providing the service cannot read them. That one property gives people a false sense of security when using WhatsApp.
What “security” is WhatsApp really providing?
Let’s first make sure we understand what security control WhatsApp is claiming it provides. WhatsApp uses the Signal protocol. The encryption scheme is asymmetric encryption of messages between the users, and the transmission of the encrypted messages is facilitated by a server provided by WhatsApp.
So the message is protected while in transit from the sender to the intended recipient.
What other aspects of security do people need to be mindful of?
When it comes to security, there’s a lot more involved than just securing the data while it’s in transit. If securing applications were as simple as securing the communication channel, then websites wouldn’t have any vulnerabilities in them once they had implemented SSL, but we know that is not the case. So why would it be any different for WhatsApp, or any other mobile app for that matter?
Just because the communication channel is secure doesn’t mean the rest of the application is secure too. What people tend to forget is that the content of the messages they receive may still be malicious, and the damage it does depends on how the user acts on it.
Let’s say a user is sent a phishing link and clicks on it to see where it goes – they will fall victim to the attack just as they would if they had received the same link via email or any other method. Just as people are told never to click on a link in an email – especially one from someone they don’t know or trust – the same rule applies here.
Malware is everywhere on the internet, and being able to identify and avoid opening infected files is a common challenge. Just as malware can be downloaded while browsing the web or by opening email attachments, opening an infected file received through a messaging app has the same consequences. There are many news stories today about people who opened a video clip, audio file, etc. and were infected with malware.
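The point of the three paragraphs above is that end-to-end encryption delivers malicious content just as faithfully as benign content, so any inspection has to happen on the recipient's device. The following Go program is an added example (not WhatsApp or Signal code) that models a simplified end-to-end channel: each party has an X25519 key, a shared secret keys AES-GCM, and a relay function stands in for the provider's server, which forwards bytes it cannot decrypt. After decryption, two endpoint-side checks run that the channel itself cannot perform: links are extracted for the user to treat with suspicion, and an attachment's bytes are compared against the type it claims. The key derivation (a plain SHA-256 of the shared secret), the message text, the URL and the file-signature table are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"regexp"
)

// Party is one chat participant holding an X25519 key pair. Simplification:
// Signal ratchets per-message keys; here one shared secret keys the session.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

func (p *Party) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// aead derives an AES-256-GCM cipher from the ECDH shared secret with peer.
func (p *Party) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared) // simplification: real protocols use HKDF
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for peer; the envelope is nonce || ciphertext || tag.
func (p *Party) Seal(peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	gcm, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts an envelope from peer; any tampering makes it fail.
func (p *Party) Open(peer *ecdh.PublicKey, envelope []byte) ([]byte, error) {
	gcm, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	if len(envelope) < gcm.NonceSize() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Relay models the provider's server: it forwards bytes it cannot decrypt.
func Relay(envelope []byte) []byte { return append([]byte(nil), envelope...) }

// ---- checks the channel cannot do; they must run on the recipient's device ----

var urlRe = regexp.MustCompile(`https?://[^\s]+`)

// ExtractLinks returns every URL in a decrypted message so it can be treated
// with the same suspicion as a link arriving by e-mail.
func ExtractLinks(msg string) []string { return urlRe.FindAllString(msg, -1) }

// magicBytes is a small constructed table of file signatures.
var magicBytes = map[string][]byte{
	"png": {0x89, 'P', 'N', 'G'},
	"pdf": []byte("%PDF"),
	"gif": []byte("GIF8"),
}

// AttachmentMatchesType reports whether an attachment's bytes match the type
// it claims; a mismatch means the file is not what the sender says it is.
func AttachmentMatchesType(declared string, data []byte) bool {
	sig, ok := magicBytes[declared]
	return ok && bytes.HasPrefix(data, sig)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	// Constructed sample: a phishing-style link inside an end-to-end message.
	msg := []byte("Your invoice is ready: https://example.invalid/login")
	env, _ := alice.Seal(bob.Public(), msg)
	pt, err := bob.Open(alice.Public(), Relay(env))
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
	fmt.Println("links to treat as untrusted:", ExtractLinks(string(pt)))
	fmt.Println("'png' attachment really a PNG?", AttachmentMatchesType("png", []byte("%PDF-1.7")))
}
```

The relay never obtains a key, so a third party holding only the public keys cannot open the envelope, and flipping a single ciphertext byte makes Open fail. None of that stops the decrypted text from containing a phishing link or a mislabelled file; that is exactly the gap the endpoint checks exist to cover.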
The App Itself
The app that you are using may itself be vulnerable and allow attackers to remotely execute code on a user’s device. WhatsApp had a buffer overflow vulnerability that allowed attackers to easily execute code on WhatsApp users’ devices. Details of the vulnerability itself can be found on the CVE-2019-11931 page. Almost all users of WhatsApp on Android, iOS, and Windows were affected. This wasn’t the only vulnerability found in WhatsApp: in another case, attackers were able to inject spyware onto phones by exploiting a zero-day vulnerability. The most damaging part of that attack was that it did not require any action by the user being infected. Read more in this article by the Financial Times.
Other than WhatsApp, there are also cases where an app was created for secure communications but was designed incorrectly and ended up all over the news. The most recent example that comes to mind is when the French government launched a new messaging app for its state employees only, but the account sign-up process was flawed and allowed anyone to sign up and send messages using the system. Details of the issue can be found here.
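A buffer overflow in a messaging app typically comes from a parser that trusts a length field inside content the app received over the (perfectly secure) channel. The following Go program is an added illustration of that bug class, not WhatsApp code and not the actual format or defect behind CVE-2019-11931: it defines a constructed toy container format (4-byte big-endian length followed by payload), shows an unchecked parser that uses the attacker-controlled length as an index, and a checked parser that validates each length against a policy limit and the bytes actually remaining. In Go the unchecked version crashes; in C the same defect reads or writes past the buffer, which is what turns a received media file into code execution. The limit `maxChunk` is an assumed value.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Chunk is one length-prefixed record of the constructed toy format.
type Chunk struct {
	Length  uint32
	Payload []byte
}

// maxChunk is a policy limit on a single chunk (assumed value for the example).
const maxChunk = 1 << 20

// ParseChunksUnchecked trusts the length field taken from untrusted input.
// A crafted length runs past the end of data: a panic here, memory
// corruption in a language without bounds checks.
func ParseChunksUnchecked(data []byte) (chunks []Chunk) {
	for off := 0; off < len(data); {
		n := binary.BigEndian.Uint32(data[off:])
		chunks = append(chunks, Chunk{n, data[off+4 : off+4+int(n)]})
		off += 4 + int(n)
	}
	return chunks
}

// ParseChunks validates every length before it is used as an index.
func ParseChunks(data []byte) ([]Chunk, error) {
	var chunks []Chunk
	for off := 0; off < len(data); {
		if len(data)-off < 4 {
			return nil, errors.New("truncated length field")
		}
		n := binary.BigEndian.Uint32(data[off:])
		if n > maxChunk {
			return nil, fmt.Errorf("chunk length %d exceeds limit %d", n, maxChunk)
		}
		start := off + 4
		// Compare against the bytes remaining, so no arithmetic can overflow.
		if int(n) > len(data)-start {
			return nil, fmt.Errorf("chunk length %d exceeds remaining %d bytes", n, len(data)-start)
		}
		chunks = append(chunks, Chunk{n, data[start : start+int(n)]})
		off = start + int(n)
	}
	return chunks, nil
}

// UncheckedCrashes reports whether the unchecked parser panics on data;
// it exists only to demonstrate the difference between the two parsers.
func UncheckedCrashes(data []byte) (crashed bool) {
	defer func() {
		if recover() != nil {
			crashed = true
		}
	}()
	ParseChunksUnchecked(data)
	return false
}

// encode builds a well-formed input for the toy format.
func encode(payloads ...[]byte) []byte {
	var out []byte
	for _, p := range payloads {
		out = binary.BigEndian.AppendUint32(out, uint32(len(p)))
		out = append(out, p...)
	}
	return out
}

func main() {
	good := encode([]byte("hello"), []byte("world"))
	chunks, err := ParseChunks(good)
	fmt.Printf("well-formed: %d chunks, err=%v\n", len(chunks), err)

	// Constructed crafted input: claims 16 bytes of payload but carries 2.
	crafted := []byte{0x00, 0x00, 0x00, 0x10, 'A', 'B'}
	_, err = ParseChunks(crafted)
	fmt.Printf("checked parser on crafted input: err=%v\n", err)
	fmt.Printf("unchecked parser on crafted input crashes: %v\n", UncheckedCrashes(crafted))
}
```

The checked parser's second test is deliberately written as `int(n) > len(data)-start` rather than `start+int(n) > len(data)`: comparing against what remains avoids the integer-overflow variant of the same bug, where a huge length wraps the sum back into range.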
Why should you care?
People need to understand the consequences of using apps for communication, especially when they may be using these apps for business. Organizations will typically have contracts with service providers like Slack, Microsoft Teams, etc. to have official channels of communication. This allows the organization to securely manage its employees’ communications and ensure that sensitive information is protected correctly, both in transit and at rest. In addition, in the event of a lost device, these services allow organizations to remotely delete any sensitive data that may have been stored on the device itself.
An example of where there’s serious concern around public officials using WhatsApp for official communications was raised when it was discovered that Jared Kushner may have been using WhatsApp for his official communications. Read more about the concerns here.
Using proper communication channels is critical when conducting business, given the sensitive nature of almost all the communication and data that running a successful business depends on.