WhatsApp provides users with an easy-to-use secure communication tool with a few minor drawbacks.
It was not so long ago that mobile phones were used primarily for making voice calls. The ability to send and receive short message service (SMS) text messages was effectively a bonus feature that became immensely popular, thanks to clever foresight by the architects of the GSM (Global System for Mobile communications) mobile phone system in the 1980s and 1990s. Text messages are so popular now that we collectively send about eight trillion every year. The evolution from cell phones to smartphones has effectively changed how individuals communicate by giving them the ability to receive, create, edit and send almost any kind of content, from email and documents to pictures and videos, all “on the go”. In short, communication has become incredibly easy.
Communication only occurs when the sender and receiver understand each other. The fact that nearly everyone has access to email and text messages is the measure of their ongoing success. Nevertheless, ubiquitous though they are, email and text messages are not secure and were never intended to be.
This is where a free app with the catchy name “WhatsApp” has found success in the smartphone world and acquired more than one billion users. WhatsApp allows users to exchange messages, including images, videos, files and even real-time voice calls. Communication between sender and receiver is encrypted end to end. The beauty of the Open Whisper Systems encryption protocol used by WhatsApp is that it prevents third parties (including people from WhatsApp itself) from having unencrypted access to messages or calls.
When a user downloads and registers for WhatsApp, the software assigns a public Identity Key, a public Signed Pre-Key (with its signature), and a batch of public One-Time Pre-Keys that are stored on the server. These public keys allow the server to relate to the user’s identifier. The WhatsApp server does not have access to any of a user’s private keys; in the event the server is compromised, no private authentication credentials will be revealed.
Any data transmitted to other users never gets stored on the WhatsApp server; thus, any form of communication is sacrosanct. Only the recipient who also has an assigned key can decrypt the message sent; only the sender and the receiver have knowledge of the data stored on their smartphones.
The app is compatible with Android, iOS and Windows Phone, and is also available for Mac and Windows PCs. WhatsApp requires a telephone number for registration on the primary device; as such, one of the limitations is that tablet support is limited and WiFi-only devices are not supported at all. Messages are sent over the Internet, and can be sent over a WiFi connection even if you have no cellular signal. In the past you may have been concerned about using your smartphone where free WiFi was available (e.g., at your favourite coffee shop); with this application the encryption process should all but eliminate this concern.
The app will not provide end-to-end encryption for an iPhone device that has been “jailbroken” (i.e., where security features and restrictions have been disabled, allowing the installation of unauthorised apps). Overriding established software restrictions can compromise the security of the device and allow malware to infect the smartphone.
WhatsApp allows transmission of documents.
WhatsApp’s service allows you to transfer your contacts seamlessly from existing Google or Outlook directories, identifies those contacts that have signed up for WhatsApp, and indicates whether each person’s app is on a mobile or home device.
The system allows transmission of documents such as PDFs, spreadsheets and even slideshows up to 100MB per transmission. Other features include the ability to take an in-app photo or video, search a directory, and group contacts by category.
Another security feature for this application is a two-step verification to protect your phone number (which is your user ID). In order to verify your number, a six-digit PIN is assigned by the user. In the event you forget your password, you can provide your email address to activate a two-step process to change it.
Security Is Never Perfect
WhatsApp is acknowledged to be an excellent product, with security that is more than adequate for the average user. However, as with any security, a determined attacker may still be able to obtain information. For example, WhatsApp messages are transmitted using end-to-end encryption; however, those same messages may be stored on your device and automatically backed up without encryption to the cloud (e.g., to Google Drive). The servers on which these backups are stored may be located in a jurisdiction such as the United States, where the government or law enforcement may be able to access your data without your knowledge. For iPhone users, WhatsApp data is encrypted in iCloud backups (which are also encrypted by Apple). Security research firm Oxygen Forensics has claimed the ability to defeat this encryption; however, their technique requires access to the SIM card. If security is a concern, you may wish to consider using a different secure messaging platform or, alternatively, backing up your WhatsApp messages to the cloud.
WhatsApp is owned by Facebook. If you have a Facebook account, your WhatsApp messages will not be posted to your Facebook page; however, if user privacy is a concern, it is worth noting that your data will likely be shared behind the scenes to improve the accuracy of targeted advertising, among other things.
This article is reprinted from the newsletter BUSINESS MATTERS with the permission of CPA Canada. BUSINESS MATTERS is a bimonthly newsletter prepared by the CPA Canada for the clients of its members.
BUSINESS MATTERS deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.
Although every reasonable effort has been made to ensure the accuracy of the information contained in this letter, no individual or organization involved in either the preparation or distribution of this letter accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.
Richard Fulcher, CPA, CA – Author; Patricia Adamson, M.A., M.I.St. – CPA Canada Editor.