Security is one of the biggest concerns WhatsApp users have because the solution’s record on data safety is checkered. Longtime observers know that the messaging application has a history of security breaches that dates back several years, but it has also won praise for implementing end to end encryption.
End to end encryption means that every WhatsApp message between phones is protected by an application called Textsecure, which is created by a group called Open Whisper Systems. Wired claimed that this system is “practically un-crackable” in an article last year.
Textsecure protects data by scrambling information before it leaves your device. Theoretically, the information can only be unscrambled by a special cryptographic key or code in the recipient’s phone. Okay, that’s the theory, but as we all know, any encryption can be cracked with enough time, money, effort, and resources.
Since WhatsApp has around 800 million users worldwide, some of whom are sending private information or financial data, the bad guys obviously have a strong incentive to crack it. Naturally, users will want to know if the claims about WhatsApp’s encryption are true and if it is really as secure as its proponents claim.
So How Secure Is WhatsApp Anyway?
The jury is still out on WhatsApp’s new encryption regime, which was implemented in November 2014. Even though its encryption efforts won praise, the rest of WhatsApp’s security efforts were widely criticized.
The service received a rating of two out of seven on a messaging security scorecard created by a well-respected advocacy group called the Electronic Frontier Foundation, or EFF. The Foundation gave WhatsApp a low score because its security design was poorly documented, there was no way to verify a user’s identity, and WhatsApp and its parent Facebook still possess the encryption key that can unscramble messages.
The biggest security flaw is the encryption key, which can be stolen or copied by hackers and used to access WhatsApp accounts. It is also fairly easy to fool WhatsApp users with classic hacking tactics such as Trojans (malware disguised as something else) and phishing messages, which try to gather data about users.
One major problem that WhatsApp users in a number of countries have reported is false messages that look as if they come from a friend or loved one. Users answer the message and receive malware instead of a word from somebody that they know.
Another flaw many users are not aware of is that the end to end encryption only works with certain devices, such as Android phones or iPhones. That means a message sent between two Android phones is very secure but a message sent to something like a Blackberry might not be. Messages received or sent through WhatsApp Web, the version of the app for desktops and laptops, do not appear to have end to end encryption either.
All WhatsApp messages are encrypted. When Textsecure is not available, WhatsApp uses another algorithm called RC4, which is not as secure, myce.com reported. RC4 is very hard crack because it takes some effort to decrypt the message, although it is fairly easy to crack if a hacker can get the user’s password.
Therefore it is safe to say that WhatsApp is fairly secure. The encryption is strong enough to protect it from everyday hackers but not a defense against sophisticated cyber criminals. That means WhatsApp is safe enough to send everyday messages but not any detail you really want to keep secure, such as details of financial accounts.
How to Protect Your Messages
Something to remember is that no message is completely secure. If somebody really wants to invest time and effort in cracking your messages, they probably will succeed.
Therefore the first rule of security should be not to put vital or important data such as bank account or credit card numbers or potentially incriminating secrets in messages. A good rule of thumb is if data can hurt you or make you look bad, keep it off of WhatsApp. One way to thwart hackers is to use two or more messaging services. You could use WhatsApp for everyday chat and a more secure solution for important data or business communications.
If you have to send important data, it would probably be a good idea to use a more secure messaging service. The Hacker News reported that there are a number of these highly secure messaging apps available through Google Play and the App Store that combine end to end encryption with extra protection such as secret chat features. The most popular of these include:
- Telegram: This service is considered very secure because it destroys messages right after the communication.
- Threema: This is a more secure service you will have to pay for. Many people like it because it looks and feels like WhatsApp. Threema currently costs $2.49 at the App Store, but the extra protection might be worth it.
- RedPhone: This is an Android App that provides encryption for messages and voice calls. It uses your normal phone number for an added layer of security.
- Surespot: This is a highly encrypted solution that supposedly can only be decrypted by sender and receiver. It is popular because it can support multiple identities on a single device, which provides an even higher layer of protection.
Sending Money Securely
If you wish to send money securely, there are a number of apps that can facilitate such transactions fairly safely out there. They include:
- Venmo, which is a free digital wallet that lets you transfer money to or from a bank or PayPal account quickly. It is not scam proof, but it is very secure. A big drawback is that Venmo does not work for business transactions such as purchases from stores yet.
- Square Cash, which is a slightly more sophisticated digital wallet with 128-bit encryption and a pass code. A big advantage to this solution is that it can be used with Visa, MasterCard, or Discover credit cards as well as bank accounts and can be used for business purposes.
- PayPal Mobile, which is an add-on to the popular digital wallet that is accepted in some businesses. It can be linked to most bank and credit card accounts.
- Apple Pay, a digital wallet created by Apple Inc. that is only available to iPhone, iWatch, and iPad users in the United States and the United Kingdom. Apple Pay is not accepted at many stores, including most large U.S. retailers, but it can be linked to most bank accounts and Visa, MasterCard, and American Express credit cards. Apple Pay offers the added protection of fingerprint encryption.
As you can see, WhatsApp encryption is fairly safe and secure, but it is not foolproof, so your data will be safest when you use a variety of solutions, including WhatsApp.