If you’re Jan Koum, co-founder and CEO of WhatsApp, then your life, at least on the professional side, is going pretty well. Facebook recently worked out a deal to purchase Koum’s company for $19 billion, and Koum, if the deal passes regulatory scrutiny, will join Facebook’s board. WhatsApp has over 450 million average monthly users, and 70 percent of those users are active every day. The daily messaging volume produced by WhatsApp users approaches the daily SMS volume created by the entire global telecom industry.
Jan Koum does have two pressing concerns. First, regulators may shoot down the acquisition, but even if that happens, Koum still gets $1 billion in cash and $1 billion in Facebook shares for his trouble. Second, WhatsApp has been dogged both by privacy and data protection concerns. Consumers and businesses are understandably worried about data loss prevention and enterprise security, particularly as they watch more companies fall victim to massive and expensive data breaches. WhatsApp has some security work to do before it can earn full consumer confidence.
What’s Wrong With WhatsApp’s Security Infrastructure?
Around the time of the acquisition announcement, which took place in late February 2014, security experts discovered several SSL-related problems with WhatsApp. One company, Praetorian Labs, reported on multiple issues including support for SSL export ciphers, which made the app susceptible to brute-force attacks; null cipher support, which could result in data being transmitted in plain text; and SSLv2 protocol support, which uses MAC encryption and is vulnerable to sniffing and man-in-the-middle attacks. According to Praetorian’s blog, the company’s Project Neptune tool could find no remaining traces of those vulnerabilities. However, WhatsApp still fails to enforce a process called SSL pinning.
SSL Pinning Explained
SSL pinning, according to OWASP, is the process of associating a host with its expected public key. In some cases, when a certificate has multiple acceptable keys, the host is associated with a pinset instead of with a single key. The pin is set either during application development or the first time the application encounters the remote host. Pinning during application development is more secure, because an attacker who already holds the right access during that first encounter can cause the wrong key to be pinned.
WhatsApp claims to fully encrypt communication between a user’s mobile device and its backend servers. However, since WhatsApp doesn’t use SSL pinning, users can fall victim to spoofed security certificates. A man-in-the-middle attack could easily steal user credentials, session identifiers or other important information. WhatsApp has said publicly it’s actively working to add SSL pinning to its security protocol, but until it does, user data remains vulnerable.
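The key-pinning check described above, as an added example that is not WhatsApp's code: it hooks Go's standard tls.Config so a handshake is refused unless the server's public key matches a pin baked into the client. The certificates are minted at run time as constructed test data, and the pin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the SubjectPublicKeyInfo (the key, not the whole certificate),
// so the pin survives certificate renewals that reuse the key pair.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedTLSConfig rejects any handshake whose leaf key is outside the pinset. Go runs
// the hook after normal chain validation, so a CA-issued cert with the wrong key still fails.
func pinnedTLSConfig(pinset []string) *tls.Config {
	return &tls.Config{VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("pinning: peer sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		got := spkiPin(leaf)
		for _, want := range pinset {
			if got == want {
				return nil
			}
		}
		return fmt.Errorf("pinning: leaf key %s not in pinset", got)
	}}
}

// selfSigned mints a throwaway certificate (constructed test data, not WhatsApp's) and
// returns its DER bytes plus the pin an app would bake in at build time.
func selfSigned() ([]byte, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return der, spkiPin(cert)
}
```

A second call to selfSigned plays the role of a spoofed certificate: same host, valid-looking chain, but a key the client was never told to trust.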
What Are Man-in-the-Middle Attacks?
Man-in-the-middle attacks intercept data as it travels between two endpoints. For example, an attacker who possesses a security certificate from a trusted authority could read all communication between WhatsApp users and could steal unencrypted passwords. As OWASP explains, man-in-the-middle attacks use spoofed SSL certificates to create a proxy that can view, modify and insert data into an intercepted conversation. In addition to stealing data, a man-in-the-middle attack could install malware onto a user’s device.
Using public Wi-Fi makes people vulnerable to man-in-the-middle attacks. An attacker can easily reroute online traffic to another Wi-Fi router that looks legitimate, or the attacker could exploit weaknesses in an existing router to eavesdrop on conversations. The whole point of WhatsApp is to circumvent carrier SMS costs and, when possible, carrier data costs, so many users rely on Wi-Fi hotspots when using WhatsApp for text messaging.
Man-in-the-middle attacks are also significant if you’re concerned about NSA snooping. Apple recently released an iOS update that fixed a major SSL security flaw that left iOS users vulnerable to spoofed security certificates and man-in-the-middle attacks. Some experts have speculated the NSA gained access to Apple devices through this flaw, though the company has denied the NSA can track Apple device communications.
Thanks to the Facebook acquisition, WhatsApp has become “the chosen one” of all the messaging applications on the market. However, until the company resolves its security flaws, one of these apps can provide users with a secure messaging alternative:
Most likely, WhatsApp will take care of its problems before the Facebook acquisition is complete. Until then, WhatsApp users are vulnerable both to data interception and to remote malware installation.