Tuesday, March 28, 2017

4 Security Threats WhatsApp Users Need To Know About

By James Frew

Since the messaging platform WhatsApp was acquired by Facebook in 2014, its growth has been unstoppable. The app now boasts over a billion users each month who send over 30 billion messages per day.
WhatsApp has strengthened their security over recent years by adding two-step verification, and automatic end-to-end encryption. Despite this, there are still some security threats you need to know about.

Web Malware

With over a billion users, it’s almost certain that malicious cybercriminals would look to exploit the popular messaging app. WhatsApp announced the launch of a web interface and desktop application in January 2015. Unsurprisingly, hackers were quick to pounce with fake WhatsApp websites and applications that stole data and distributed malware.
Some attackers created malicious software downloads that would masquerade as WhatsApp Desktop applications. Once installed they could install and distribute malware or otherwise compromise your computer. Others turned to creating websites pretending to offer access to WhatsApp Web. They ask for your phone number in order to “connect you to the service” but in reality use it to bombard your WhatsApp with spam messages.
Although WhatsApp does offer a client for both Windows and Mac, the safest option is to go directly to the source at http://web.whatsapp.com.

Unencrypted Backups

The messages you send via WhatsApp are end-to-end encrypted, meaning that only your device has the ability to decode them. This prevents your messages being intercepted during transmission, but says nothing of their safety while on your device. On both iOS and Android it is possible to create a backup of your messages to either iCloud or Google Drive. The backups that WhatsApp creates contain the decrypted messages on your device.
The backup itself is not encrypted. If someone wanted access to your messages, they would only need the latest copy of your daily backup. It is also vulnerable as there is no ability to change your backup location, meaning that you are at the mercy of the cloud service to keep your data protected. iCloud in particular has suffered a poor reputation for security, especially after its role in the largest celebrity leak in history.
One of the supposed benefits of encryption is, for better or worse, being able to prevent government and law enforcement from accessing your data. As the unencrypted backup is stored with one of two US-based cloud storage providers, all law enforcement would need is a warrant to gain unfettered access to your messages. In many instances, this renders the end-to-end messaging encryption redundant.

Facebook Data Sharing

When Facebook decided that it wanted to add WhatsApp to the “Facebook Family”, the EU approved the deal after Facebook made it very clear the two companies, and their data, would be kept separate. Of course, being the responsible company it is, Facebook complied. For about two years at least. Then on 25 August 2016 WhatsApp changed its Privacy Policy to allow sharing of data from WhatsApp to Facebook. According to their FAQs:
“We plan to share some information with Facebook and the Facebook family of companies…some of your account information with Facebook and the Facebook family of companies, like the phone number you verified when you registered with WhatsApp, as well as the last time you used our service.”
In a great use of weasel words, they also state that none of your information will be publicly visible on Facebook. Instead, it will be hidden in Facebook’s deep, and inaccessible, profile of you. It is possible to turn this data sharing off in the settings. However, to the chagrin of almost all privacy advocates, the data sharing was turned on by default, requiring every single one of WhatsApp’s over one billion users to manually head into the settings to turn it off if they weren’t comfortable.
After the change, there were expressions of concern from officials in Germany, the US, and the UK. There is now even a possible investigation into Facebook and WhatsApp’s practices by the European Commission. Since November 2016, Facebook has paused data collection from UK users after the Information Commissioner’s Office wrote to Facebook outlining the issues and asked Facebook to clarify to users how their data will be used.

Encryption Vulnerabilities

In January 2017, The Guardian published a story claiming that WhatsApp’s implementation of its encryption protocol could be exploited. While your messages are end-to-end encrypted so that they can’t be read during transmission, they are decrypted locally on your phone. To verify the device receiving the message is the intended recipient, each user has a public security key. This key can be changed when reinstalling the app or moving to a new phone.
The Guardian’s report claimed that as WhatsApp had the ability to change security keys for offline users, they may be able to intercept and decrypt messages. WhatsApp could then force you to resend your messages with the new security key, and allow themselves access to the messages. The report claimed that this was a problem, or intentional feature, of WhatsApp’s implementation of Open Whisper Systems’ protocol.
However, Open Whisper Systems responded in a lengthy blog post, where they refuted the claims of an “encryption backdoor”. Instead, they noted that a man-in-the-middle attack “is endemic to public key cryptography, not just WhatsApp”. They also dispute the oversimplification of the issue made by The Guardian. The report did not include the fact that there are two encryption keys, one public and one private on your device. This is done to prevent an attacker compromising the server and “[lying] about a user’s public key, and instead [advertising] a key which the attacker knows the corresponding key for”.
The consensus from the technical community is that The Guardian did very little verification of the details before publishing the story. However, it did highlight that even systems that are viewed as secure, like end-to-end encryption, are not entirely flawless.
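The key-change scenario described above, as an added example that is not from the original article or from WhatsApp or Open Whisper Systems code: a toy sender client (the `Sender` class, the fingerprint format and the sample keys are all constructed for illustration) that either re-sends undelivered messages to a newly advertised key automatically, or holds them until the user has compared the new key's fingerprint with the contact out of band.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Short digest two users can compare out of band (hypothetical format)."""
    return hashlib.sha256(public_key).hexdigest()[:16]

class Sender:
    """Toy sender-side client that remembers each contact's key fingerprint."""

    def __init__(self, block_on_key_change: bool):
        self.block_on_key_change = block_on_key_change
        self.known = {}    # contact -> fingerprint first seen or later verified
        self.pending = {}  # contact -> messages not yet delivered
        self.alerts = []   # key-change notices shown to the user

    def queue(self, contact, server_key, message):
        # Trust on first use: remember the first key the server advertises.
        self.known.setdefault(contact, fingerprint(server_key))
        self.pending.setdefault(contact, []).append(message)

    def on_key_update(self, contact, new_key):
        """Server advertises a key for an offline contact.
        Returns the messages that are re-encrypted and re-sent to that key."""
        new_fp = fingerprint(new_key)
        if new_fp == self.known.get(contact):
            return self.pending.pop(contact, [])
        self.alerts.append(f"{contact}: security key changed to {new_fp}")
        if self.block_on_key_change:
            return []                   # hold messages until the user verifies
        self.known[contact] = new_fp    # notify, but re-send without waiting
        return self.pending.pop(contact, [])

    def verify(self, contact, new_key, fingerprint_from_contact):
        """User obtained the contact's fingerprint over another channel."""
        if fingerprint(new_key) != fingerprint_from_contact:
            return []                   # mismatch: keep holding the messages
        self.known[contact] = fingerprint(new_key)
        return self.pending.pop(contact, [])

def demo(block: bool):
    """Queue one message, then receive an unexpected key (constructed data)."""
    s = Sender(block_on_key_change=block)
    s.queue("alice", b"alice-original-key", "meet at 6")
    resent = s.on_key_update("alice", b"unexpected-new-key")
    return resent, len(s.alerts)
```

With `demo(False)` the queued message goes to the new key and the user only sees a notice afterwards; with `demo(True)` nothing is sent until `verify` succeeds.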

One More Thing…

WhatsApp recently revamped their Status feature, morphing it from a line of simple text into disappearing photo and video updates. This brought it in line with Instagram Stories and Snapchat. Despite their parent company’s seeming aversion to simplifying privacy controls, WhatsApp has made it quite easy to control who you share your Status with.

If you head into the settings you are now greeted with three privacy levels for your Status updates:
  • My contacts
  • My contacts except…
  • Only share with…
Despite this simplicity, it isn’t immediately clear if your blocked contacts would be able to see your Status. WhatsApp seems to have done the sensible thing and blocked contacts are unable to view your Status. As with Instagram Stories, any videos and photos added to your Status will disappear after 24 hours.

Time To Change?

If these reasons were enough to make you question your messaging app allegiance, then there are other secure alternatives available. WhatsApp’s end-to-end encryption protocol was developed by Open Whisper Systems, who make their own secure messaging app Signal. Then there is the popular Telegram which combines the messaging capabilities of WhatsApp with the ephemeral nature of Snapchat.
Will you continue using WhatsApp? Have you ever been caught out by these security threats? Are there other alternatives available? Let us know in the comments below!
Originally written by Dann Albright on February 25th 2015
Source: www.makeuseof.com
