The cautionary tale of WhatsApp slipping on strong default user security

WhatsApp received a lot of praise in April for making a complete switch for its messaging system to the Signal Protocol from Open Whisper Systems, which features a number of cryptographic elements to ensure the privacy of any communication. It was doing so well, and then the company and its owner, Facebook, had to muck about.

The Electronic Frontier Foundation (EFF) explains in a recent post where it believes WhatsApp went wrong, both in choices made at the April launch and in the months since.

It’s a cautionary tale for all of us about remaining vigilant to changes in security and privacy technology, and about how deeply we need to examine basic setup choices.

Burying choices

WhatsApp offers options to secure your conversations in such a way that makes it nearly impossible for any third party to gain access, and those options remain in the app across its many platform versions. But to enable them, you have to go more out of your way than you should, sometimes digging deeply in settings, instead of the app turning them on by default or offering you a clear choice at setup.

WhatsApp configured to your best advantage uses end-to-end encryption between you and other parties. Neither WhatsApp nor Facebook can intercept those messages for any purpose, and neither can government agencies, law enforcement, criminal enterprises, stalkers, and everyone else.

The ecosystem lets you verify that other people are who you think they are, so you don’t have to rely on an identity provided by the WhatsApp system. You can meet people in person and scan QR codes within the app or use an out-of-band method (like a phone call) to verify someone’s WhatsApp cryptographic fingerprint. And the system changes keys in such a way that each time a new message session starts, it uses new encryption keys, or “forward secrecy.” That keeps older messaging sessions secure even if someone manages to break into a current session and obtain the keys in use.

That all remains in place, but the EFF notes that several elements aren’t as strong as they first appeared due to default settings, and there’s one change the organization finds downright disturbing.

In an April column explaining how WhatsApp has outpaced iMessage, I noted that you could choose to turn on iCloud-based backups for WhatsApp, but that would weaken the integrity of your message history, since it’s easier for someone to gain access to iCloud backups than WhatsApp sessions. The EFF noted that WhatsApp recommends on its initial installation that you pick an interval to back up messages. Picking Never is the right choice, but it should be the default for most people.

I discovered in testing that when I set up WhatsApp for macOS, and confirmed my installation via the iOS app, all the messages cached in iOS were synced to the desktop without any prompt or warning. You can wipe any previous sessions cached in any copy of WhatsApp you’re running. I deleted a chat in the macOS version and it disappeared from iOS as well. (The macOS app is missing many features found in the iOS version, including an option to delete all chats with a tap.)

WhatsApp’s identity verification is one of the best aspects of the system, and something that’s not offered by Apple for iMessage. But the EFF notes something important that’s not obvious: If any of your contacts’ encryption details change, such as their account regenerating an encryption key, you’re not notified. In a well-designed system, you should be alerted of that by default, because it could indicate a man-in-the-middle (MitM) attack, in which someone has been able to gain access to an account, but isn’t using a piece of hardware owned by your contact. (EFF notes you can change this in your WhatsApp preferences. In iOS, this is Settings > Account > Security, but you can’t make this change in the macOS desktop app.)

When WhatsApp was acquired by Facebook in 2014, the company promised to protect users’ privacy as much as they did when independent. That didn’t last long. Changes to the privacy policy and app allow WhatsApp to share with Facebook your phone number, usage data, and other less well-defined information. (You can disable part of this sharing in Settings > Account; tap Share My Account Info to turn it off.)

Less critically, using the Web version of WhatsApp is a terrible idea, because you’re punching in your credentials on a website. It’s very easy to subvert a browser. If you want to maintain the maximum privacy with WhatsApp, don’t use its web app, something that’s true of most apps that you use for private communications.

Apple remains behind

WhatsApp’s setup and changes undermine the premise of its April update, that WhatsApp defends your privacy with the strongest available protections by default. That’s not the case. The EFF suggests the apps offer a privacy slider, so that someone who wants none of the convenience of backups and the irritation of alerts could agree to avoid those, and those who want the strongest possible configuration can simply slide and click to enable them all.

Apple is still behind in all aspects except the Web app weakness, despite this. It didn’t take advantage of its iOS and macOS refresh to improve any of iMessage’s fundamental out-of-date and missing protections. It remains strong, but fragile.

Because Apple doesn’t let you disable protections or guide you down a path to do so, it could pair its highly principled message about keeping its customers’ data as private as legally possible with technical improvements to the system that make all efforts to do so. Right now, the company is falling down. Apple could compete by offering more.