Considering that WhatsApp has a user base of more than 600 million, it may have just implemented the largest deployment of end-to-end encrypted communication in history, as it claims. This one change “basically absolved them from being one of the apps that didn’t really provide much security to being one of the most secure mainstream messaging apps out there,” said EFF fellow Joseph Bonneau.
WhatsApp has added end-to-end encryption and enabled it by default in the latest version of its Android messaging application, partner Open Whisper Systems announced Tuesday.
The new feature taps Open Whisper’s open source TextSecure encryption protocol to ensure that only a conversation’s participants can read the messages they exchange. In other words, WhatsApp itself won’t be able to decrypt the messages, even if law enforcement should try to require it.
Encrypted messaging isn’t yet available for group chat or media messages within WhatsApp’s Android client, but those features are coming next, Open Whisper said, along with support for more client platforms. Key-verification options also will be forthcoming once protocol integrations are completed.
A Rare Quality
Facebook-owned WhatsApp is one of several messaging applications called out in a recent scorecard report from the Electronic Frontier Foundation.
The EFF rated the security of more than three dozen such apps on seven different dimensions, including encryption. Also taken into consideration was whether or not the apps’ code was audited and open to independent review.
Only six tools scored all seven stars, including ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text and Open Whisper’s TextSecure app.
WhatsApp, on the other hand, was among those whose lack of end-to-end encryption resulted in a lower ranking. Included in that category were Google, Facebook and Apple’s email products, along with Yahoo’s Web and mobile chat and Secret.
Lacking encryption altogether were messaging platforms QQ, Mxit and the desktop version of Yahoo Messenger, the EFF found.
One Fell Swoop
“I think it’s great news,” said Joseph Bonneau, a fellow at both the EFF and Princeton University’s Center for Information Technology Policy.
“One of the things we were hoping with the scorecard project is that we’d be able to push others to do the same thing,” he told TechNewsWorld.
This one change “basically absolved them from being one of the apps that didn’t really provide much security to being one of the most secure mainstream messaging apps out there,” Bonneau said.
The Open Source Advantage
WhatsApp’s choice of TextSecure was a good one, noted Bonneau.
“TextSecure has really been refined over the years,” he said. “It’s great to see them using a public application that has earned a lot of confidence and has a lot of strong security features.”
The fact that TextSecure is open source is a particularly compelling advantage, Bonneau pointed out. “In practice, it means that any weaknesses are far more likely to be found and fixed. Open source is the way to go.”
Billions of Encrypted Messages
Open Whisper Systems has been working with WhatsApp for the past half year or so to implement the new feature in what it called the largest deployment of end-to-end encrypted communication in history.
Billions of encrypted messages now are being exchanged each day through the enhanced service.
Users likely won’t even notice that the additional security is there, however.
“It shouldn’t affect the user experience at all,” Bonneau remarked.
Of course, whether they realize it or not, the app’s more than 600 million monthly active users are benefiting from the superior security the TextSecure code provides, Jean Taggart, senior security researcher at Malwarebytes, told TechNewsWorld.
“Implementing the Open Whisper Systems protocol under the hood of a popular messaging platform is a huge improvement,” he said.
Looking ahead, moves like this one will begin to make it clear to users that there are “big security differences among messaging platforms,” EFF’s Bonneau observed. “Hopefully users will start demanding this kind of security.”