WhatsApp provides users with an easy-to-use secure
communication tool with a few minor drawbacks.
It was not so long ago that mobile phones were used primarily for
making voice calls. The ability to send and receive short message
service (SMS) text messages was effectively a bonus feature that
became immensely popular, thanks to clever foresight by the
architects of the GSM (Global System for Mobile communications)
mobile phone system in the 1980s and 1990s. Text messages are so
popular now that we collectively send about eight trillion every
year. The evolution from cell phones to smartphones has effectively
changed how individuals communicate by giving them the ability to receive, create, edit and send almost any kind of content, from email and documents to pictures and videos, all “on the go”. In short, communication has become incredibly easy.
Communication only occurs when the sender and receiver understand each other. The fact that nearly
everyone has access to email and text messages is the measure of their ongoing success. Nevertheless,
ubiquitous though they are, email and text messages are not secure and were never intended to be.
This is where a free app with the catchy name “WhatsApp” has found success in the smartphone world and
acquired more than one billion users. WhatsApp allows users to exchange messages, including images,
videos, files and even real-time voice calls. Communication between sender and receiver is encrypted end to end. The beauty of the Open Whisper Systems encryption protocol used by WhatsApp is that it prevents third parties (including people from WhatsApp itself) from having unencrypted access to messages or calls.
When a user downloads and registers for WhatsApp, the software assigns a public Identity Key, a public
Signed Pre-Key (with its signature), and a batch of public One-Time Pre-Keys that are stored on the server.
These public keys allow the server to relate to the user’s identifier. The WhatsApp server does not have
access to any of a user’s private keys; in the event the server is compromised, no private authentication
credentials will be revealed.
Any data transmitted to other users never gets stored on the WhatsApp server; thus, any form of
communication is sacrosanct. Only the recipient who also has an assigned key can decrypt the message sent; only the sender and the receiver have knowledge of the data stored on their smartphones.
The app is compatible with Android, iOS and Windows Phone, and is also available for Mac and Windows
PCs. WhatsApp requires a telephone number for registration on the primary device; as such, one of the
limitations is that tablet support is limited and WiFi-only devices are not supported at all. Messages are sent over the Internet, and can be sent over a WiFi connection even if you have no cellular signal. In the past you may have been concerned about using your smartphone where free WiFi was available (e.g., at your favourite coffee shop); with this application the encryption process should all but eliminate this concern.
The app will not provide end-to-end encryption for an iPhone device that has been “jailbroken” (i.e., where security features and restrictions have been disabled, allowing the installation of unauthorised apps).
Overriding established software restrictions can compromise the security of the device and allow malware to infect the smartphone.
WhatsApp allows transmission of documents.
WhatsApp’s service allows you to transfer your contacts seamlessly from existing Google or Outlook
directories, identifies those contacts that have signed up for WhatsApp, and indicates whether each person’s app is on a mobile or home device.
The system allows transmission of documents such as PDFs, spreadsheets and even slideshows up to 100MB
per transmission. Other features include the ability to take an in-app photo or video, search a directory, and group contacts by category.
Another security feature for this application is a two-step verification to protect your phone number (which is your user ID). In order to verify your number, a six-digit PIN is assigned by the user. In the event you forget your password, you can provide your email address to activate a two-step process to change it.
Security Is Never Perfect
WhatsApp is acknowledged to be an excellent product, with security that is more than adequate for the
average user. However, as with any security, a determined attacker may still be able to obtain information.
For example, WhatsApp messages are transmitted using end-to-end encryption; however, those same
messages may be stored on your device and automatically backed up without encryption to the cloud (e.g.,
to Google Drive). The servers on which these backups are stored may be located in a jurisdiction such as
the United States, where the government or law enforcement may be able to access your data without your
knowledge. For iPhone users, WhatsApp data is encrypted in iCloud backups (which are also encrypted by
Apple). Security research firm Oxygen Forensics has claimed the ability to defeat this encryption;
however, their technique requires access to the SIM card. If security is a concern, you may wish to
consider using a different secure messaging platform or, alternatively, backing up your WhatsApp
messages to the cloud.
WhatsApp is owned by Facebook. If you have a Facebook account, your WhatsApp messages will not be
posted to your Facebook page; however, if user privacy is a concern, it is worth noting that your data will likely be shared behind the scenes to improve the accuracy of targeted advertising, among other things.
The information provided on this page is intended to provide general information. The information does not take into account your personal situation and is not intended to be used without consultation from accounting and financial professionals. Allan Madan and Madan Chartered Accountant will not be held liable for any problems that arise from the usage of the information provided on this page.