WhatsApp Encryption Protects Messages, But Not Your Privacy

And the messages aren’t even that well protected…

WhatsApp is one of the most popular apps in the world. Millions and millions of people rely on the WhatsApp encryption protocol to stay in touch and connected with friends, family, and coworkers. While all chats have been end-to-end encrypted by default since 2016, this doesn’t mean the rest of the system protects your privacy as a media jacking demonstration will show. The catch with secure messaging apps is encrypting messages is only part of the picture.

Quick look at WhatsApp encryption

When people think about WhatsApp they think private, secure, encrypted messages. The messages you send can only be read by the people in the chat. End-to-end encryption (E2EE) means the message is encrypted when it leaves your device and stays that way until it gets to your contact(s) and decrypted. Using end-to-end encryption means no one, not even WhatsApp or Facebook, should be able to read the message.

WhatsApp uses the Signal protocol (formerly Open Whisper Systems) to encrypt messages. This is the same encryption scheme used by the secure messaging app Signal as well. It’s important not to confuse how WhatsApp encrypts messages with how the rest of the app works. Signal and WhatsApp are fundamentally different apps in their approach to privacy and security. The only thing they have in common is the math used to encrypt messages between people.

Problem: Your media could be hacked and changed without you knowing

One of the features in WhatsApp is when someone shares an image with you, it’s automatically saved to your photos on your device. You get a picture from friends from your latest adventure and you have it to use and share anywhere.

Except because how images (and other media) are saved, they are vulnerable to “Media File Jacking”. As posted on The Verge and documented by Symantec, malware can be crafted to access media going to and from WhatsApp and change it without you even knowing. In theory an image could be changed the moment before you see it on your device or you might think you’re sending one image to someone, but they might get something entirely different. Here’s how it is explained in the Verge:

On Android, apps can choose to save media, like images and audio files, through either internal storage that’s only accessible through the app, or external storage which is more widely available to other apps. WhatsApp, by default, stores media through external storage, and Telegram does so when the app’s “Save to Gallery” feature is enabled.

According to the researchers, the design means malware with external storage access could be used to access WhatsApp and Telegram media files, maybe even before the user sees them. If a user downloads a malicious app, for example, and then receives a photo on WhatsApp, a hacker could manipulate the image without the receiver ever noticing. A hacker could theoretically alter an outgoing multimedia message as well.”

Here are a couple videos showing how images and PDFs can be altered with media file jacking:

The crux of the issue is Android devices can save media into unprotected local storage. This is why SKY ECC uses protected storage within the app. You can’t bring images into the app except through the camera, and you can’t get images out of it either. The example above wouldn’t be possible on a SKY ECC device even if it were infected with malware.

Problem: New phone gets all previous chats

I discovered this problem when I got a new phone and was setting WhatsApp back up on the new device:

  1. After the settings and apps had been restored I opened WhatsApp. 
  2. I knew I would have to re-authenticate the new phone back with my phone number (new device, but same phone number), that makes sense and is what I had to do with all my other apps.
  3. After I entered my phone number and WhatsApp recognized it, the app launched … and all my chats were back.

You might think “oh, you had backups turned on”. Nope, because, as you’ll read in the next problem, WhatsApp backups aren’t encrypted. Backing up private chats in plain text is…there isn’t a good enough metaphor for how silly that is. Maybe because I used the iOS migration tool it transferred data from my old phone the chats were moved too.

But the troubling part is if you are using end-to-end encrypted chats, and you don’t have backups, you shouldn’t be able to get those old chats back, because:

  • A new device should generate new encryption keys. 
  • New keys should mean you can’t read old chats
  • It should let all your contacts know you have a new device and new keys when they chat with you again. 

These protections should be in place in case someone finds a way to clone your phone or hijack your phone number onto a new SIM. But they aren’t.

Problem: Backups aren’t protected by WhatsApp encryption

WhatsApp discloses this in the fine print on the setting, but this default feature puts your privacy at risk. WhatsApp backs up your chats so if you lose your device you can get all those conversations back. Seems like a good idea. Except to bring chats back from a backup, WhatsApp stores them unencrypted on both iCloud and Google Drive.

As Paul Manafort learned the hard way, a simple warrant to Apple was all Federal prosecutors needed to get all his chats. Even if your chats aren’t being investigated by the authorities, because the chats are out there in the open, if someone were to get access to your iCloud account, they could get the messages, photos, everything you’ve sent via WhatsApp.

WhatsApp chooses convenience over security when turning things on by default. A warning like “Would you like to enable backups? Note your backups are not encrypted on (iCloud/Google Drive) so they could expose private information from your WhatsApp chats.” would at least let people know what’s going on before data is stored.

We think backups are too risky to be worth the potential convenience. SKY ECC doesn’t have backups of any kind. If you have to reset SKY ECC (wiping out all chats and items stored in your Vault), the only thing you get back is your list of contacts.

Problem: You might share more than you realize

I’ve worked in computer support in various capacities—both formal and informal—for well over thirty years and if there is one surety in how people use computers it’s most people never change the default settings on anything. From the blinking 12:00 on VCRs to using the default apps you get with a phone or computer, a lot of people don’t think about changing things, that it’s even possible, or how to change something if they wanted to. Most of the time, this isn’t so bad.

A lot of default settings on apps are fine. Windows, MacOS, iOS, and Android have automatic updates turned on by default—and this is a very good thing that protects users. There are some settings—like privacy settings within apps like Facebook and WhatsApp—that need your attention. Those default settings may reveal more about you than you realize.

With WhatsApp encryption, the settings to pay attention to are:

  • About
  • Location Sharing
  • Status (which now works more like Stories in Instagram or Facebook)

Location Sharing is a simple issue, you shouldn’t broadcast where you are to the whole world, much less all your WhatsApp contacts. From stalking to seeing you’re not at home, keeping your real, up-to-date, location private is the better course to take. But this makes simple, logical, sense, what about About and Status?

The default for Status updates is set so all your contacts will see it, which seems okay, you should know all of these people. However it’s very possible you can put something in a Status message forgetting who might be reading or seeing it. Blocked contacts are out of the picture, but what about people at work? What if you are going somewhere like a political rally and you have work colleagues as contacts? WhatsApp lets you limit who sees a Status, but you might not have gone to the settings and changed them from All Contacts to Contact Except… or Only these contacts by mistake.

Your “About” setting is a little more interesting, and dangerous, than Status. About messages are public by default, and don’t change unless you change them. This is okay if you never changed from “I”m using WhatsApp…” but what if you used something like “On Vacation” or “Hawaii here I come!”? Because About statuses are public by default you are telling the world you aren’t home.

Problem: Facebook and advertising

From the moment WhatsApp agreed to Facebook’s $19B purchase offer in 2014, alarm bells started ringing in the privacy and security community. WhatsApp’s founders were assured as part of the deal, Facebook would stay out of WhatsApp. No ads, no data mining. WhatsApp would remain a secure, private messaging app.

In 2016 Facebook updated the WhatsApp terms of service allowing for some data sharing between the two companies/apps/services, and plans to put ads in Stories in 2020. Two years after the data sharing change, both WhatsApp founders, Jan Koum and Brian Acton, left Facebook for similar reasons: Facebook’s plans to use user data in WhatsApp for advertising and other targeting.

To make money from advertising, you need to put relevant ads in front of the right people so they click. To put the right ads in front of the right people you need to know something about them. You need some mix of age, gender, interests, and location to display a relevant ad. The question is: how will Facebook get this data from WhatsApp.

We might not know the details of how data is moving from WhatsApp to Facebook and back for some time, but we do know that come 2020, there will be ads on WhatsApp and that personal data is coming from somewhere. A secure messaging app shouldn’t know enough about you to serve relevant ads to you. If enough is getting out of the app for an advertiser to target you, there is enough information to compromise your privacy.

Lower your expectation of privacy when using WhatsApp

It’s naïve to suggest everyone stop using WhatsApp. As much as WhatsApp encryption and security has serious flaws in its privacy model, it is used by millions of people around the world. I’ve used WhatsApp to talk to colleagues half a world away and was amazed at how good the call quality was. WhatsApp’s universality is one of its greatest strengths. If you ask someone you need to talk with if they use WhatsApp, there is a very good chance they will say yes.

If it’s not practical to abandon WhatsApp as a communications tool, the next step is adjusting your expectations when you use it. Consider the following when using WhatsApp:

  • Your chats might be encrypted, but if the people you are chatting with have backups turned on, they aren’t private anymore
  • Media you send and receive could be compromised if you (or your contacts) allow WhatsApp to store images on their device
  • You need to confirm your privacy settings to make sure you’re only sharing locations, your About information, and your Stories with the people you want
  • WhatsApp is going to have ads in 2020 and the information to target those ads to you will come from information gleaned from the app (and possibly your contacts)

The safest route is if you want to keep conversations private and secure, don’t use WhatsApp. Use a more secure communications solution using strong encryption and a user privacy comes first ethos behind it. SKY ECC is the most secure communications solution you can get. SKY ECC is a separate device protected from the hardware to the app to the internet connection itself to ensure your communications are and remain private.

You can learn more about SKY ECC on our features page—you’re only a step away from true communications privacy.