25 October 2016

WhatsApp: Security experts warn that Facebook’s chat app can be insecure, despite Amnesty recommendation



Facebook and WhatsApp were ranked the most secure chat apps by Amnesty, but there are big problems with both of the apps, say security experts 

The new end-to-end WhatsApp encryption means that no-one can spy on your messages Jenny Marc

WhatsApp and Facebook Messenger are the most secure chat platforms, according to Amnesty International. But that decision has already met with scepticism from people in the technology community, some of whom have warned that it might not be safe to use the apps at all.

Amnesty gave Facebook and WhatsApp a score of 73 out of 100 – its highest – to the two apps, which it didn’t distinguish between. But it particularly picked out WhatsApp, which it said was “the only app where users are explicitly warned when end-to-end encryption is not applied to a particular chat”.

It did have some criticism for Facebook, which doesn’t apply strong encryption by default and doesn’t warn users that they’re not using the most secure technology. Facebook does that in part because Messenger conversations are valuable information for the company to read and use for advertising.

Gadgets and tech news in pictures

WhatsApp has been repeatedly praised for its decision to integrate end-to-end encryption into its apps. That technology makes sure that messages can only be read by the person sending and receiving it, and has got WhatsApp into problems in the past – the app was shut down in Brazil because authorities wanted to be able to read the conversations being had on it.

But it has come into criticism from other technology groups, including the Electronic Frontier Foundation. That organisation has even warned people that they should be careful before using WhatsApp for sensitive conversations,for fear that they might be read.

Most recently, WhatsApp’s privacy policies were criticised when it announced that it would start sharing user data with Facebook. That would see it give up information – though not the contents of chats – to its parent company, which would then use those to better target ads.

And the EFF also pointed to a range of other problems with the privacy tools on WhatsApp, despite Amnesty’s encouragement.

It pointed out, for instance, that the app uses unencrypted backups. Those are useful for restoring a phone if it is lost, stolen or a user buys a new one - but it also means that messages are sent to the cloud without any protection, meaning that it would be possible for someone to break into that backup and read whichever messages they like.

Even if a user tells the app that they don’t want conversations backing up, that might not keep them from being stored in the cloud. If the person a user is talking to is using the backup feature, then the messages will be stored without encryption anyway.

The EFF also took issue with the way that WhatsApp integrates encryption into its user experience, and the fact that the web app that can be used to send messages from a computer could also be vulnerable to attack.

The group did praise the fact that WhatsApp makes use of the Signal protocol – a very well-regarded encryption standard that keeps messages secure. But it said the various other problems with it made security and privacy a concern when using WhatsApp.

WhatsApp encryption in 60 seconds

The Electronic Frontier Foundation makes two main recommendations to Facebook and WhatsApp to make themselves more secure.

The first is that the app makes it far easier to enable strong privacy while using it. “A slider that would switch on all of the protective options—such as disabling backups, enabling key change notifications, and opting out of aspects of data sharing—would make it far easier for users to take control of their security,” the group wrote.

The other is that WhatsApp make it far more clear what is being shared with Facebook. It should lay out specifically which bits of information it will be sharing with the site, it wrote, and so show that some information won’t be shared with its parent company.

The group urges that people “take extra caution when deciding whether and when to communicate using WhatsApp”, until such changes are made.

The group also recommends that people use Signal if they want to keep messages more secure. It is expected to publish its own version of Amnesty’s scorecard in the near future. 

No comments: