Yet more reports have emerged today claiming massive issues right at the core of the cross-platform messaging service WhatsApp.
Mashable has reported that security consultant Bas Bosschert, in light of reports that originally emerged on Hacker News, has suggested that ALL WhatsApp messages are vulnerable to ordinary downloadable Android apps:
‘When you use the app’s built-in back-up mechanism — let’s say to prevent losing messages after uninstalling/reinstalling the app or moving them to a new device — WhatsApp is allegedly using the same encryption code to protect you and everyone else (instead of creating a unique key for each user).
This means the back up is going to a database with insecure storage and the chats could potentially be read and stolen by another app. In theory, the developer behind another app could decrypt and ultimately gain access to those messages.
Bosschert notes on his website that the WhatsApp database is saved on your phone’s SD card, which can be read by any Android app if a user gives it access to do so. This is a common practice in the app space (apps that want to store non-secure data would be interested), so if an app asks for SD card access many, in theory, would grant it.’
Strong stuff indeed!
The question is, does it matter?
The debate raged at Hacker News, with one poster saying the following:
‘They have consistently shown to be unable to implement any kind of effective cryptography. Take this case as an example. They seem to have tried to prevent such kind of attack by encrypting the data on the SD Card with a static key. How hard would it have been to generate a random key and save the key on the internal storage?
Another example is the transport, i.e. client-to-server encryption. Even their new protocol looks like it has been hacked up by someone who learned his/her cryptography by 5 hour Wikipedia reading: https://blog.thijsalkema.de/blog/2013/10/08/piercing-through… . You would think that for a market value of 19×10^9 dollars you could afford to hire a single cryptographer or IT security specialist. Especially after you have been criticized for your bad security for years.’
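The design the commenter describes, a random key generated per install and kept off the SD card instead of one static key shared by every install, sketched as an added example (not WhatsApp's code and not from the original post). The class name, the zero-filled static key and the sample chat string are constructed for illustration, and the use of AES-GCM from the plain JDK `javax.crypto` API is an assumption.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class BackupKeyDemo {
    // Constructed placeholder: a key compiled into the app is identical on every install.
    static final SecretKey STATIC_KEY = new SecretKeySpec(new byte[16], "AES");
    static final SecureRandom RNG = new SecureRandom();

    // Per-install key, generated once on the device; assumed to live in app-private internal storage.
    static SecretKey newInstallKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }

    // AES-GCM with a fresh 12-byte nonce prepended to the ciphertext.
    static byte[] seal(SecretKey key, byte[] plain) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Reads the nonce from the first 12 bytes, then decrypts and verifies the tag.
    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    public static void main(String[] args) throws Exception {
        byte[] chat = "constructed sample chat row".getBytes(StandardCharsets.UTF_8);
        // Static key: any holder of the same constant can open every user's backup.
        byte[] sharedBackup = seal(STATIC_KEY, chat);
        System.out.println("static key: " + new String(open(STATIC_KEY, sharedBackup), StandardCharsets.UTF_8));
        // Per-install key: a reader of the backup file holding a different key fails the tag check.
        byte[] perInstallBackup = seal(newInstallKey(), chat);
        try { open(newInstallKey(), perInstallBackup); }
        catch (AEADBadTagException e) { System.out.println("per-install key: authentication failed"); }
    }
}
```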
But another countered:
‘Hrm. I’m torn both ways. I think a world with whatsapp is less oppressive than a world without whatsapp, even if people can spy on it, tap into it, etc- because it allows people to communicate where they previously might not have been able to. A world with secure whatsapp would, of course, be even better than a world with insecure whatsapp.’
All that said, I think this poster sums up why this DOES matter:
‘I think the illusion of secure communication is more dangerous than insecure communication. People who think they can’t be spied on will expose themselves in ways they otherwise wouldn’t.’
This is very true.
It matters because you don’t know. You don’t know who is using your information and in what context.
For example, I have copied and pasted the quotes above. If I didn’t then provide you with the links at the base of this article how are you to know where they are from or in what context they have been written?
You may agree or disagree when you read the full transcript, but you have a right of reply, you have a CHOICE.
Here in the UK there have recently been some high-profile trials over phone hacking by journalists.
Apparently this has been going on for YEARS with stories seemingly popping up out of thin air, ruining careers, causing a huge amount of pain to individuals and families alike.
That’s just the press.
What government will you get next? What will they want to know? Will they have a clampdown on something for some reason?
And who knows where you will be in 5 or 10 years' time, what you will be doing, who you will be with?
Can you imagine how dangerous something you write as an 18-year-old could be to the 35-year-old you?
THAT’S why it matters.
And THAT’S why your safest option for Messaging is BBM right now.