Experts are increasingly warning that users of the popular instant messaging service, WhatsApp, may be getting exposed to hackers when using the service.
It has emerged that WhatsApp, which uses Signal-based encryption for the messages people send and receive on the platform, has largely ignored specific technical features of that encryption protocol, leaving users of the service vulnerable.
Experts have noted that the way WhatsApp handles the encryption and decryption of its clients' messages creates a backdoor in its security features that hackers can easily take advantage of.
WhatsApp uses the Signal encryption protocol and a set of private and public keys to provide sophisticated end-to-end encryption for the messages of its clients.
However, it has now emerged that the company uses a novel process to re-encrypt the messages that users send to recipients who are offline. When a message cannot be delivered because the recipient is offline, WhatsApp usually re-encrypts the message before sending it a second time. It is this process of re-encrypting messages sent to offline users that many experts are raising concerns about.
It appears that hackers, and even Facebook, the company that owns WhatsApp, can easily access the messages of users because the re-encryption uses an entirely new set of encryption keys that only the company controls.
However, in a quick rejoinder, WhatsApp has repeatedly defended its use of sophisticated re-encryption procedures for undelivered messages, saying that the feature helps to make the app more user-friendly.
WhatsApp’s director, Brian Acton, has vehemently defended the company, saying that the firm does not create backdoors in its products and that it would never create backdoors even if it is ordered to do so by the government.
‘Our process does not introduce a serious security vulnerability to make our clients start uninstalling WhatsApp from their devices,’ he said.
Also, Open Whisper Systems, the company that develops the Signal protocol that WhatsApp uses to encrypt client messages, has said that the Signal protocol does not contain any form of backdoor.
‘WhatsApp has managed to develop a wonderful product using this protocol, and it would be inaccurate to say that the product is insecure,’ said Moxie Marlinspike of Open Whisper Systems.
It has further been pointed out that WhatsApp notifies clients of changes when it has to create new encryption keys for undelivered messages. However, the process dictates that users can choose to receive or block the notification messages.
For now, it appears that WhatsApp, like many other instant messaging apps, is not as secure as many believe it is.