What happened to WhatsApp?

On May 14, 2019, it came out that a major vulnerability in WhatsApp enabled the installation of surveillance software on mobile devices. Simply calling a target on WhatsApp (even if they didn’t pick up) would enable a hacker to install that software, while the call could also subsequently be removed from the device log, essentially leaving the hack without a trace. Once installed, victims' WhatsApp messages could be read and potentially calls and other data monitored - we don’t know the full extent of the hack's capabilities at this time.

One author at Bloomberg Opinion was quick to jump on the story, but used it to claim “End-to-end encryption is a marketing device used by companies such as Facebook to lull consumers wary about cyber-surveillance into a false sense of security.”

The tech community was quick to respond, with articles like this expletive-filled tirade on The Next Web slamming that author and a major media site like Bloomberg Opinion for their negligence in potentially leading people down a path of ignorance with regard to the security of their communications.

What's the point of End-to-End Encryption?

End-to-End Encryption can most basically be described as "a secure channel between 2 or more end-points". This channel is encrypted (wrapped up with secure code) and any data, such as messages, calls or files transmitted through this channel are only accessible at those intended end-points. If End-to-End Encryption is done correctly, there’s no way to intercept and decrypt that data in transit between the end-points.

While I may not agree with the way The Next Web’s author put it, his headline is clear: “No, end-to-end encryption isn’t a marketing gimmick” and his key takeaway in his article is this: “[End-to-End Encryption is] a technical term with a very precise, universally-accepted definition. That just isn’t up for debate.”

As per this universally-accepted definition, you should also be aware that the phrases “End-to-End Security” and “Encrypted in transit and at rest” are NOT the same as “End-to-End encryption”. When you see communications applications using these phrases, these are in fact hazy marketing gimmicks, making up for those apps’ security shortcomings, and you should think twice before using such applications if communication security is remotely important to you.

Virtually anyone with basic technical skills and the ability to Google could figure out how to eavesdrop on communications sent over channels without End-to-End Encryption. End-to-End Encryption is the very least you should expect today from your communication apps.
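The difference between “encrypted in transit and at rest” and End-to-End Encryption can be shown in a few lines. The following is an added example, not code from WhatsApp, Signal or any other app named here; the function names and the sample message are made up for illustration, and it assumes each endpoint has already verified the other's public key.

```javascript
// Added illustration; all names are hypothetical and the message is constructed.
const nodeCrypto = require('node:crypto');

// Each endpoint creates its own X25519 key pair; the private key never leaves the device.
const newEndpoint = () => nodeCrypto.generateKeyPairSync('x25519');

// Both ends derive the same 32-byte key from their own private key and the peer's public key.
function sessionKey(myPrivate, peerPublic) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2ee-demo', 32));
}

// AES-256-GCM encrypts the message and attaches an integrity tag.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function open(key, msg) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.body), d.final()]).toString('utf8'); // throws on wrong key or altered data
}
const canOpen = (key, msg) => { try { open(key, msg); return true; } catch { return false; } };

function demo() {
  const text = 'Q3 numbers attached'; // constructed sample message
  const serverKey = nodeCrypto.randomBytes(32); // key held by the service provider
  // "Encrypted in transit and at rest": the server terminates the transport encryption,
  // handles the plaintext, then stores it under a key it controls.
  const atRest = seal(serverKey, text);
  // End-to-end: the sender seals with a key only the two endpoints can derive;
  // the server stores and forwards an envelope it cannot open.
  const alice = newEndpoint(), bob = newEndpoint();
  const envelope = seal(sessionKey(alice.privateKey, bob.publicKey), text);
  const bobKey = sessionKey(bob.privateKey, alice.publicKey);
  const tampered = { ...envelope, body: Buffer.from(envelope.body) };
  tampered.body[0] ^= 1; // one bit changed while in transit
  return {
    serverReadsAtRest: canOpen(serverKey, atRest),
    serverReadsE2E: canOpen(serverKey, envelope),
    bobReads: open(bobKey, envelope),
    bobAcceptsTampered: canOpen(bobKey, tampered),
  };
}

console.log(demo());
```

The provider can open what it stored under its own key, but not the end-to-end envelope, and the recipient rejects an envelope that was altered on the way.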

What's the problem?

The author at Bloomberg Opinion did get one thing right though: End-to-End Encryption is only as secure as the end-points (and people) you use it with. If your device, or the device of the people you’re communicating with, has some kind of spyware or other malware installed, that does put you and your messages/data at risk of being read or otherwise compromised. That doesn’t negate the need for End-to-End Encryption, it just means you also need other security measures to protect your end-points.

What's up with WhatsApp?

WhatsApp has been in the news for several security-related issues in the past year. In August 2018 it was revealed that replies in WhatsApp messages could be exploited and the original message’s text changed, while two stories surfaced in October 2018: a bug would let hackers take over the app when answering a video call, and WhatsApp accounts could be hijacked through voicemail hacking.

So why does this keep happening to WhatsApp? It’s primarily a factor of scale: having such a huge user base makes it an attractive target for would-be hackers.

You also should know by now that Facebook acquired WhatsApp several years ago, and WhatsApp is not really making money of its own accord, but rather being potentially another data silo for Facebook’s marketing efforts. One of WhatsApp’s founders has criticized Facebook’s approach to monetizing WhatsApp, and he believes their focus will be on ads. So you should be wary of your data in their hands.

What's the alternative?

In the personal messaging space, Signal is generally considered the most secure option. We believe you should separate your business communications from your personal communications and that you should use appropriate tools for each.

For business communications, we’re building Rolo, the secure business chat application with End-to-End Encryption provided by BlackBerry, the Canadian company that has powered secure communications for governments and banks for decades. Not only does BlackBerry’s secure messaging technology use best-in-class End-to-End encryption, but it also provides additional layers of digital signing, message encryption, and message integrity checks.