WhatsApp has confirmed that a security flaw in the app let attackers install spy software on their targets’ smartphones.
That has left many of its 1.5 billion users wondering how safe the “simple and secure” messaging app really is.
On Wednesday, chip-maker Intel confirmed that new problems discovered with some of its processors could reveal secret information to attacks.
How trustworthy are apps and devices?
Was WhatsApp’s encryption broken?
No. Messages on WhatsApp are end-to-end encrypted, meaning they are scrambled when they leave the sender’s device. The messages can be decrypted by the recipient’s device only.
That means law enforcement, service providers and cyber-criminals cannot read any messages they intercept as they travel across the internet.
However, there are some caveats.
Messages can be read before they are encrypted or after they are decrypted. That means any spyware dropped on the phone by an attacker could read the messages.
On Tuesday, news site Bloomberg published an opinion article calling WhatsApp’s encryption “pointless”, given the security breach.
However, that viewpoint has been widely ridiculed by cyber-security experts.
“I don’t think it’s helpful to say end-to-end encryption is pointless just because a vulnerability is occasionally found,” said Dr Jessica Barker from the cyber-security company Cygenta.
“Encryption is a good thing that does offer us protection in most cases.”
Cyber-security is often a game of cat and mouse.
End-to-end encryption makes it much harder for attackers to read messages, even if they do eventually find a way to access some of them.
What about back-ups?
WhatsApp gives the option to back up chats to Google Drive or iCloud but those back-up copies are not protected by the end-to-end encryption.
An attacker could access old chats if they broke into a cloud storage account.
Of course, even if users decide not to back up chats, the people they message may still upload a copy to their cloud storage.
Should people stop using WhatsApp?
Ultimately, any app could contain a security vulnerability that leaves a phone open to attackers.
WhatsApp is owned by Facebook, which typically issues software fixes quickly.
Of course, even large companies can make mistakes and Facebook has had its share of data and privacy breaches over the years.
There is no guarantee a rival chat app would not experience a similar security lapse.
At least, following the disclosure of this flaw, WhatsApp is slightly more secure than it was a week ago.
Some rival chat apps are open-source projects, which means anybody can look at the code powering the app and suggest improvements.
“Open-source software has its value in that it can be tested more widely but it doesn’t necessarily mean it’s more secure,” said Dr Barker.
“Vulnerabilities can still be found with any tech, so it’s not the answer to our prayers.”
And if someone did decide to switch to a rival chat app, they would still have to convince their contacts to do the same. A chat app without friends is not much use.
Is any device ever safe?
In theory, any device or service could be hacked. In fact, security researchers often joyfully pile in on companies that claim their products are “unhackable”.
They quickly discover vulnerabilities and the embarrassed companies retract their claims.
If people are worried data may be stolen from their computer, one option is to “air gap” the device: disconnect it from the internet entirely.
That stops remote hackers accessing the machine – but even an air gap would not stop an attacker with physical access to the device.
Dr Barker stressed the importance of installing software updates for apps and operating systems.
“WhatsApp pushed out an update and consumers might not have realised that security fixes are often included in updates,” she told BBC News.
WhatsApp did not help the cause, however, by describing the latest update as adding “full-size stickers”, and not mentioning the security breach.
“People need to be made aware that updates are really important. The quicker we can update our apps, the more secure we are,” said Dr Barker.
As always, there are simple security steps to remember:
- Install app and operating system security updates
- Use a different password for every app or service
- Where possible, enable two-step authentication to stop attackers logging in to accounts
- Be careful about what apps you download
- Do not click links in emails or messages you are not expecting