WhatsApp is now encrypting all your messages, by default, all the time, end-to-end

Very cool.


WhatsApp has made a big announcement that will help protect the privacy of its one billion users.

End-to-end encryption on all communications sent via WhatsApp, enabled by default.

From the WhatsApp blog:

"From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats.
The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation."

In short, there is no way to intercept and decipher a WhatsApp message while it is in transit. A hacker can't do it. WhatsApp can't do it. A government can't do it.

The only places where a message could potentially be grabbed are the two devices themselves at either end of the conversation, not anywhere in between. That is also the limit of the protection: a compromised phone, or an unencrypted cloud backup of the chat history, still exposes what was said.

The timing of WhatsApp's announcement couldn't come at a more important time, as law enforcement agencies and governments have been rallying against encryption and demanding backdoors in technology to spy upon communications.

My opinion is that encryption is a powerful tool which can be used for good, helping protect our personal and collective liberty - and that those who seek to water down encryption are putting us in more danger than those they seek to protect us against.

That's a belief that WhatsApp appears to share:

"Encryption is one of the most important tools governments, companies, and individuals have to promote safety and security in the new digital age. Recently there has been a lot of discussion about encrypted services and the work of law enforcement. While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people's information to abuse from cybercriminals, hackers, and rogue states."

From the sound of things, WhatsApp's implementation of end-to-end encryption is built on solid foundations. A technical paper about its implementation of end-to-end encryption reveals that it is based upon the Signal Protocol, designed by Open Whisper Systems. Signal, of course, is the messaging app that Edward Snowden himself recommends.

It is very cool what WhatsApp has done - but it is clearly not going to be popular with everyone. If you thought the recent FBI/Apple iPhone debacle in the courts was a big story, you ain't seen nothing yet...

Don't delay. If you're not already running the latest version of the WhatsApp app on your iPhone, Android device, Nokia or BlackBerry, now would be an excellent time to update.


11 Responses

  1. Bob

    April 5, 2016 at 8:50 pm #

    Amazing news and very glad to hear it.

    People should upgrade their software immediately and ensure all of their contacts do the same. No excuses!

    Then, in person (or over the phone if you're familiar with their voice), you should exchange the 60-digit fingerprint. Confirming this in person gives you the benefit of a nice QR code (like a barcode) that you can scan (instead of a long code) which proves that ONLY you and your friend are party to the conversation.

    For the paranoid you can activate a special feature which will <Show Security Notifications>. You'll receive an alert if that person's fingerprint changes. Normally it'll be because they've got a new phone or reinstalled WhatsApp BUT if neither of these apply then it's time to worry.

    People who are not technologically literate should realise, and be pleased to hear, that this will NOT prevent the police from catching terrorists despite what will inevitably be suggested in the media or by politicians. This stops bulk surveillance against the public at large – it does not prevent the police from catching criminals.

    A person who is a target can still have their phone hacked or their Google Drive / iCloud records seized (with a full conversation history) by the police or have their conversations compromised by many other techniques.

    This new end-to-end encryption will only prevent everybody being spied on – it'll mean the police will have to go back to targeting suspects (which actually is much more effective) instead of scooping up the data of innocent citizens.

    It'll also go some way to legitimising encryption by making it the norm. The FBI grossly overstepped the mark by lying to the courts and lying to the public (originally they promised that they "only" wanted to break "one" iPhone – now they're breaking into dozens) and saying that they could only hack the phone with Apple's assistance (again, not true). Now they're going to have to go back to the drawing board and only target people who they actually suspect.

    • coyote in reply to Bob.

      April 8, 2016 at 12:41 am #

      'For the paranoid'

      Say rather for those who are security conscious.

      And of course the FBI did what they did. Sadly many people believe their blatant lies (and will continue to do so). That they will (and have) continue(d) is implied by the very meaning of exception. To me it wasn't a matter of if but when and how frequent. I would also say that that iPhone wasn't the first device they've targeted (not that I can specifically name an example case off hand but a phone is one of many examples). And obviously the types of cases would vary (hence drug charges in New York). What doesn't change very much is the excuse (modified here and there but it's all about bringing justice and making people safer – supposedly).

      • Bob in reply to coyote.

        April 8, 2016 at 8:01 pm #

        In a related development Apple have said they "won't demand" (probably because they cannot) to learn how the FBI have hacked the Apple iPhone 5C but an Attorney representing Apple said he suspects "that the hack won't last long as Apple continues to fortify its security."

        http://arstechnica.com/tech-policy/2016/04/apple-wont-demand-to-learn-how-fbi-cracked-terror-suspects-phone/

        Strangely the FBI say that the hack only works on the 5C and not the 5S (the model involved in the ongoing New York drugs litigation). Maybe the FBI are lying because they still want to set precedent but I think Apple might have a chance of getting a court to compel the FBI to disclose why their other 'hack' won't work on the 5S.

        http://arstechnica.com/tech-policy/2016/04/us-government-still-pursuing-court-order-to-unlock-iphone-in-new-york-case/

    • Deb in reply to Bob.

      March 21, 2017 at 1:22 pm #

      Good information!

  2. JungleMartin

    April 6, 2016 at 4:55 pm #

    I have Android app version 2.12.556 which says it was updated on 24 Mar 2016 and this version appears to have the end-to-end encryption, though I've not tried to 'verify' a contact yet.

    • Bob in reply to JungleMartin.

      April 6, 2016 at 5:58 pm #

      The latest version for Android is 2.16.15; you really should update it.

      Verifying a contact in person via the QR code is the best way to confirm that there is no man-in-the-middle. Or, if that person is too far away, you can read the 60-digit number aloud during a voice call.

      For the best security you should activate the corresponding 'Show security notifications' feature. WhatsApp will then notify you if a friend changes their key: this is a red flag although it could be caused by reinstalling etc.

      • JungleMartin in reply to Bob.

        April 8, 2016 at 10:40 am #

        2.12.556 was the latest available to me when I wrote the comment. I know because I checked before writing the comment.

        Play has made an update available to me today and I am now on 2.16.13. This is still the latest version available to me via Play.

        • JungleMartin in reply to JungleMartin.

          April 13, 2016 at 1:09 pm #

          2.16.13 is still the latest available to me via Play.
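Bob's two comments above (the first in this thread and the reply to JungleMartin) describe comparing a 60-digit number, in person or over a voice call, to rule out a man-in-the-middle. The following is an added example, not code from this page or from WhatsApp, showing how such a number is derived from the two parties' public identity keys using the Signal Protocol's numeric-fingerprint construction: 5200 iterated SHA-512 hashes, the first 30 bytes of the result, split into six 5-byte chunks each reduced modulo 100000, giving 30 digits per party. The sample keys and phone-number identifiers are constructed, and the exact byte layout of the hash input (a 2-byte version prefix, then the key, then the identifier, with the key appended at every iteration) follows the open-source libsignal code and is an assumption about WhatsApp's own implementation.

```python
import hashlib

# Parameters of the Signal Protocol numeric fingerprint as implemented in libsignal.
ITERATIONS = 5200
FINGERPRINT_VERSION = 0  # assumption: libsignal's version field; WhatsApp's may differ


def numeric_fingerprint(identity_key: bytes, stable_id: bytes,
                        iterations: int = ITERATIONS) -> str:
    """30-digit fingerprint of one party's public identity key."""
    # Initial hash input: version || public key || stable user identifier.
    state = FINGERPRINT_VERSION.to_bytes(2, "big") + identity_key + stable_id
    # Iterate: state = SHA-512(state || public key), 5200 times.
    for _ in range(iterations):
        state = hashlib.sha512(state + identity_key).digest()
    # First 30 bytes -> six 5-byte big-endian integers, each reduced mod 100000.
    chunks = (int.from_bytes(state[i:i + 5], "big") % 100_000 for i in range(0, 30, 5))
    return "".join(f"{c:05d}" for c in chunks)


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """60-digit number both parties compute; the lower fingerprint goes first so
    that both phones display the same digits regardless of who is 'my' and 'their'."""
    mine = numeric_fingerprint(my_key, my_id)
    theirs = numeric_fingerprint(their_key, their_id)
    return mine + theirs if mine <= theirs else theirs + mine


def display(number: str) -> str:
    """Group into twelve 5-digit blocks, as a verification screen shows them."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


# Constructed sample identity keys: a 0x05 type byte plus 32 key bytes, shaped like
# a serialised Curve25519 public key. Real keys are random; these are fixed so the
# demonstration is repeatable.
ALICE_KEY = bytes([0x05]) + bytes(range(32))
BOB_KEY = bytes([0x05]) + bytes(range(32, 64))
MALLORY_KEY = bytes([0x05]) + bytes(range(64, 96))
ALICE_ID = b"+15550000001"  # constructed identifiers
BOB_ID = b"+15550000002"


def honest_session():
    """What Alice and Bob each compute when their genuine keys reached each other."""
    return (safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID),
            safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID))


def mitm_session():
    """Mallory sits between them and substitutes her own key in each direction:
    Alice holds MALLORY_KEY as 'Bob' and Bob holds MALLORY_KEY as 'Alice'."""
    return (safety_number(ALICE_KEY, ALICE_ID, MALLORY_KEY, BOB_ID),
            safety_number(BOB_KEY, BOB_ID, MALLORY_KEY, ALICE_ID))


if __name__ == "__main__":
    alice_view, bob_view = honest_session()
    print("honest, Alice's phone:", display(alice_view))
    print("honest, Bob's phone:  ", display(bob_view), "(identical)")
    alice_view, bob_view = mitm_session()
    print("MITM, Alice's phone:  ", display(alice_view))
    print("MITM, Bob's phone:    ", display(bob_view), "(do not match)")
```

Reading the digits aloud or scanning the QR code is a comparison of exactly this value. With a key substituted on the wire, one 30-digit half differs on each phone, so the two numbers no longer match. The number authenticates only the identity keys: a reinstall or a new phone generates a fresh key and therefore a fresh number, which is why the security notification Bob mentions also fires in those cases.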

  3. Dinesh

    April 23, 2016 at 3:42 am #

    Are the names of WhatsApp Groups also encrypted? I am not talking about the messages encrypted in the group, but the name of the group itself (or other meta-information, such as Group Admins, etc.).

  4. Mason Boyle

    April 28, 2016 at 8:14 am #

    There are still many tens of mobile messaging apps which are not encrypted and millions of users use them daily. Apart from WhatsApp and Viber, we need to know how to encrypt and become private.

    https://www.purevpn.com/blog/messaging-apps-encryption/

    • JungleMartin in reply to Mason Boyle.

      April 28, 2016 at 11:22 am #

      A VPN would only help mitigate against any potentially insecure points (e.g. open Wi-Fi networks) between you and the VPN exit point, though. If the person you are messaging is not using a VPN, you are both still exposed. Plus potential exposure to and from the messaging service's own servers, which your messages will presumably go via.

      Better to use a well-secured service, verified by independent industry experts if possible.
