Smartphones are not only incredibly helpful and let us always stay in touch with our family and friends but can be used against us. In the past five years, the public was shocked many times when they discovered that Facebook, Twitter, and Google stored their user private information without encryption or sold it to third parties.
What about one of the most popular messengers – WhatsApp? Is it safe for you to use it? How does its tech stack and architecture affect its functionality? Let us find out.
What kind of security flaws can a messenger have?
First of all, let us find out what kind of security problems a messenger can have.
● Data leak. When confidential information (confidential materials important for various companies or the state, personal data of citizens) get stolen or accidentally leaked, this can be called data leakage.
● Data breach. When a company or a certain person makes public a private or confidential data of other people and companies, intentionally or unintentionally, we call it a data breach.
How does WhatsApp work?
WhatsApp is a cross-platform application that processes billions of messages every day. It was built with the help of the FreeBSD and the Erlang programming language, which advantages are well described here. The co-founders of WhatsApp say that their original chat servers were built with Erlang. Thus, they were able to use the capabilities of the Erlang language while developing their service and maintain very high uptime. Erlang proved itself to be a very reliable and performant language. This language is ideal for real-time communication solutions.
All messengers that you use are built around one of the following: a centralized server or P2P technology. In both cases, your data is not safe. The hackers can attack a server or your device and get access to all the information.
Even the most secure messengers using the most advanced encryption technologies can be completely non-anonymous and collect user information for various purposes. Developers can be understood – they need to somehow earn money, and if the application itself is free (as happens in the overwhelming majority of cases), then collecting data and displaying ads becomes the only tool for monetization.
At the same time, companies cannot introduce a fee to get rid of the need to make money. In order to attract funding from venture capitalists, they need to show high rates of audience growth. Paid access or lots of ads will clearly not contribute to this.
What is the problem with WhatsApp?
We live in a world where data breaches and leakages happen every day. User data is a valuable item to sell, so there is no surprise that even large companies like Facebook, Twitter, and WhatsApp cannot be fully protected from hacker attacks. That’s just the reality.
However, for all those who are interested in the protection of their privacy, there is another concerning fact. WhatsApp is not an open-source messenger. In general, this is normal for commercial applications. But open-source products are more trust-worthy. When the code base is closed, you cannot see what the difference between versions is or what kind of info the app gathers about you.
Experts look for vulnerabilities in WhatsApp only based on the behavior of the app. This does not provide the full picture.
What is more, the WhatsApp developers are obfuscating the code. It is deliberately confused to complicate the analysis.
Most likely, this was done at the request of the special services. WhatsApp and Facebook can be required to disclose data by the FBI order on nondisclosure (the so-called Gag order). However, regular users do not know much about how the app really works.
WhatsApp was originally full of security holes
The creators of WhatsApp have stated that “security is in its DNA.” But everything turned out to be exactly the opposite.
For example, in 2011-2012, even mobile providers and Wi-Fi hotspot administrators could get access to your WhatsApp correspondence. At that time, the encryption keys could be changed right in the chat. It is unlikely that the company’s testers did not notice this. And back in 2013, researchers found that WhatsApp copied all mobile phone numbers from the address book to its servers. Formally, to show which of them has already installed WhatsApp. But a skillful hacker can do anything with this data.
When standard encryption was introduced, the keys were made available only to some governments as a safety measure. But no one encrypted the backups of the data stored in the cloud. Even end-to-end encryption, which was integrated in April 2016 and is used today, does not fully protect against data theft. For example, the developers admitted that backups to Google Drive were uploaded without encryption.
A great scandal happened in May 2019 when cybersecurity experts found a data breach in WhatsApp’s voice calling system that was being used to spy on activists. This worked on both Android and iOS.
The malware was developed by the Israeli company NSO Group and allows to install spy applications on any smartphone that uses WhatsApp.
To hack the smartphone, the hackers simply called the victim via WhatsApp. The application automatically answered the call – without the owner’s knowledge! Then the smartphone was loaded with spyware to steal data. Call records were deleted so that no one would suspect anything.
WhatsApp acknowledged the problem. The developers compared the malware code with other NSO Group developments and came to the conclusion that the style is indeed the same. Then, in just four days, they developed a security patch and asked all its users to install it.
Many people love WhatsApp because it simple, fast, and reliable. There is no need to quit this app if you use WhatsApp to chat with your family and friends. However, it is advisable to apply two-factor authentication and do not share confidential information online. Remember that even the most secure programs in the world are not 100% from bugs and data leakages.