Whatsapp susceptibility increases the risk of third party interruption
Security is the major concern for all the individuals and the data communication systems are also working hard to provide the secure and reliable transmission to the users. The famous messaging or communication apps such as Whatsapp Messenger, Viber, Yahoo Mail, Messenger, Snapchat and more have been building the new security approaches to offer high secure transmission.
A new security problem has arisen for the well-known messaging app Whatsapp stated that the messages sent through the app were read or intercepted by any other third parties.The company has opposed the statement and answered that there is no any interception has been made and it ensures the data privacy to the transmitted messages.
End to End Encryption in Whatsapp
In the year 2016, the Whatsapp has introduced the end to end encryption method to ensure the safeness of the sent messages, photos, video and documents along with the group chats and Whatsapp calls. During the release of this feature, Whatsapp Co-Founder announced that the crews have been experimenting that update for almost two years and it would keep the user’s information out of the reach of any cyber attackers and hackers.
The Signal Protocol is the cryptographic protocol used by the Whatsapp to offer end to end encryption that was designed by Open Whisper Systems. This protocol gives authentication, confidentiality, forward and backward secrecy, integrity, message repudiation, and more. It also supports the encryption for the group chats. The group chat protocol integrates the multicast encryption and pair-wise double ratchet.
Process of encryption
Encryption is the process of converting the text messages into an encoded message so that the intended recipient can only access that information. The encryption scheme consists of plaintext, ciphertext and security key. Generally, the intended message is plain text and the encrypted or encoded message is cipher text.
In the encryption process, the user provided plain text is converted into cipher text, by using the security key and by implementing any of the encryption algorithms. There are two types of encryption process available and they are symmetric key and public key encryption. These two methods differ by the usage of keys in transmitter and receiver end.
Encryption is used on the network for many long years where the transmission of confidential data occurred such as in government departments and militaries. In recent years, there are many numbers of data have been transmitted over a network and that data must be encrypted to protect the data from eavesdropping.
Plain text to cipher text conversion
The Signal Protocol explains the detailed description about the technical process happened in the end to end encryption. During the transmission of data from the transmitter to receiver side, two message keys are used. The user exchanges the messages, which are secured with the Message Key by using HMAC-SHA256 for the authentication process and for encryption AES256 in CBC mode.
This key varies for the every transmitted message and it is ephemeral in nature so that the Message Key used for the encryption of the plain text cannot be retrieved from the process. This procedure is also applicable for the larger size files and voice and video calls.
This feature is always enabled by default in the Whatsapp and it means if both the users are using the latest version, then all the transmitted messages will be end to end encrypted. In the Telegram App, the users must begin a secret chat to activate the feature, but in Whatsapp, it would not allow the users to switch off the feature and available at every time.
If there is any unexpected error occurs in the software system or code, then it will pave the way for any other exploitations like unauthorized access and mischievous behavior like worms, viruses, Trojan horses and few other types of malware. Generally, security vulnerabilities occurred as the result of any weak passwords, software bugs, or any software that has been already affected by the computer malware or script injection.
If the user needs to read the received messages, then the application requires the public key of the sender. To overcome this problem, Whatsapp stores all the keys on its central servers and the app automatically download those keys from the servers.
The issue present in this method is that the server may intentionally provide false information about the keys.For an added security, the user can verify their key through the security code. Whenever the user reinstalls the app, the server will generate a new public key.
A security researcher found out the problem in April 2016 and while reported it to the facebook it was told as an expected behavior. The company does not take the issue as serious and not take any actions to fix it. But the reports verified the existence of the vulnerability. PCADVISOR posted an article similar to this issue but there exist different opinions and one such is from Open Whisper Systems, the creator of Signal Protocol.
The implementation of Whatsapp signal feature forces the server to generate new encryption keys for the offline users and it is called as retransmission vulnerability. It provides the route for any malware that intercepts or read the message. Hence, the end to end encryption of Whatsapp acts as a potential backdoor for any attacks.
The company’s security has remained as a closed source that shows that the users have to trust the privacy policies of the app and there are no any possibilities for the external audits of the codes. The Whatsapp denied the backdoor claim and answered that it was a design decision that related to the message delivery. In order to ensure that there is no any lost in the transmission, the new keys are generated for the offline users. If the messages have not been delivered to the recipient, it will re-encrypt the messages with the new keys and it will be unknown to the both sender and receiver.
The company refused the statement by replying that the Whatsapp does not provide any backdoor to the governments and would reject the request of the Government to form a backdoor. It also added that the followed design approach is preventing the number of messages from any attacks and the app also gives security notifications to the user when there are any potential security risks. The Whatsapp also issued a technical white paper and it is more transparent in its operation includes the requests it has received from the government.
It also said that the app has a settings option “Show Security Notifications” that alerts the user whenever the security code of the contacts has changed. There is an approach called blocking that allows the user to validate the new key whether it belongs to intend contact or any other third party and this feature is not available in the Whatsapp.
Article Contributed by Anand Rajendran
Anand Rajendran is the Co-Founder and CEO of Dectar a well-known Software products development and Mobile App Development Company based in Chennai, India. He has extensive experience in building and leading innovative and collaborative software development teams to deliver major software applications like Scimbo – Whatsapp Clone Script. He loves exploring new things and sharing his knowledge with others.