On Monday, WhatsApp successfully launched its end-to-end encryption for all in-app communications, across all mobile platforms. While we’ve known this was in the works for some time, it’s big news: WhatsApp is used by over one billion people around the world, and yet its privacy and security ratings had long been poor. It now becomes one of the few messaging apps that end-to-end encrypt all communicated content on all devices.
In November 2014, WhatsApp partnered with Open Whisper Systems to end-to-end encrypt its simple text message exchanges, with end-to-end encryption for all media forms and all mobile platforms set as an eventual goal. A year and a half later, here we are.
Facebook Messenger (a product of Facebook, which owns WhatsApp) is not encrypted end-to-end, though that’s rumored to be in the works, too. Apple’s iMessages, on the other hand, are encrypted end-to-end – with a caveat. You’re relatively secure if you’re texting between iPhones. If your texts are showing up green on your iPhone (an indication that you’re sending messages to non-Apple phones), there’s a good chance they’re insecure. And if you’re backing up your iMessages on iCloud, they’re insecure.
End-to-end encryption, unlike mere encryption, theoretically ensures that no one but the two communicators can access the content: the cryptographic keys that secure the text or media are inaccessible to everyone else. Even the app’s engineers. And especially the government. Most systems, however – like iMessages – fail to extend the security across mobile platforms. Others neglect some media: phone calls or videos aren’t always included in the deal, for instance. So, if such a company is ordered by a court to hand over a user’s communications, it essentially must comply: since it can access the content, it must access the content.
But no longer. WhatsApp will no longer be able to access its users’ text discussions, calls, or picture exchanges, and so will no longer be able to comply with court orders. (What a shame.) The government and strict national security stalwarts will at the very least bemoan this move. One billion people’s conversations and exchanges will now go into the dark, and there’ll be no way for anyone but the senders and receivers to retrieve them.
Here’s WhatsApp’s explanation from the white paper:
Messages between WhatsApp users are protected with an end-to-end encryption protocol so that third parties and WhatsApp cannot read them and so that the messages can only be decrypted by the recipient. All types of WhatsApp messages (including chats, group chats, images, videos, voice messages and files) and WhatsApp calls are protected by end-to-end encryption.
WhatsApp servers do not have access to the private keys of WhatsApp users, and WhatsApp users have the option to verify keys in order to ensure the integrity of their communication.
WhatsApp is relying on Open Whisper Systems to ensure that this lockbox remains secure.
Open Whisper Systems, for its part, is known for some of the most secure messaging software. Matt Green, a notable cryptographer at Johns Hopkins University, blurbed: “After reading the code, I literally discovered a line of drool running down my face. It’s really nice.”
Edward Snowden is also quoted on the company’s website: “Use anything by Open Whisper Systems.” Snowden, then, would presumably now have to endorse WhatsApp. Except that even this encryption leaves some vulnerabilities – vulnerabilities that Snowden probably knows all too well:
This development will nonetheless improve the trustworthiness of WhatsApp for bank or airline communications. More importantly, it will improve WhatsApp’s security rating. Previously, it had just two of seven checkmarks in the Electronic Frontier Foundation’s scorecard for secure messaging apps, and accordingly did not make the cut for Inverse’s secure messaging app rundown.
And, hey, if WhatsApp can do it, then so can the big dogs. WhatsApp employs just 50 engineers. Reportedly, only 15 of those 50 worked on this encryption.