WhatsApp is unsafe and extremely popular: it handles over 10 billion messages per day and sends as many texts in one month as iMessage has in its lifetime. They have been struggling with a slew of security breaches, account hacks and even apps and websites devoted to illustrating WhatsApp’s weaknesses, so much so that they are even lucky enough to have their own Wiki page section on security concerns.
I love free messaging apps and have been using them for years. Estimates suggest a carrier revenue loss in excess of $13.5 Billion due to the use of WhatsApp in place of traditional texting services for 2011, indicating that I am, perhaps, not the only one who loves things that are free. The app reached the number one download position in several European countries before attaining the same sort of notoriety here in the United States.
In their 2.8.3 release they began “hiding” message data. Due to a series of valid technical concerns, this cannot be considered encrypting your data (more on this later). Despite the updates, WhatsApp is STILL easily hacked, and this hack does not require elaborate means or, necessarily, any specific knowledge. All the tools required are freely available online, for example WhatsApp Sniffer on the Google Play store (though it was recently removed), which allowed users to intercept WhatsApp messages directly, or Whatsappstatus.net (also removed, though you can see how simply it worked from the screenshot above), which allowed users to change the status message of… anyone. Passcodes and authentication are generated from information that is often written on the phone itself (in the case of Android, it is on a sticker on the inside of the phone by the battery) and can be obtained extremely easily. If you are using the device on public WiFi, the information broadcast can be used to take over your WhatsApp account. If you are using the app on your iPhone, the hackers can grab your phone number.
Hacks and tests have been conducted around the globe on multiple levels of the WhatsApp process. Mathy Vanhoef, in his blog “Whatsapp Considered Insecure”, conducted a series of tests on security and authentication processes, as did Jose Selvi in his post “WhatsApp Account Hijacking”. That post is written in Spanish; Google Translate does a good job if you are looking for the gist and are not fluent in the language. For a more technical explanation of the problems, see “WhatsApp is Broken, Really Broken.”
Secure messaging with Gryphn’s app:
“Go from unsure to secure in 60 seconds or less — with the ‘year’s most innovative startup for national security’”
10/9/12 Update: WhatsApp “encryption” hides your data, but does not protect it, a measure defended as “commercial reasonable effort”.
10/24/12 Update: WhatsApp popularity is so vast that it sends as many messages in one month as iMessage has in its lifetime.
11/30/12 Update: A hack out of Heise Security generates users’ passwords from the phone number and the phone’s serial number.
12/11/12 Update: Cat and mouse game of WhatsApp security continues, with updates that still don’t close the gap.
01/07/13 Update: WhatsApp security issues do not deter users: Whatsapp Hits 7 Billion Inbound Messages a Day – 75% Growth in Four Months
01/23/12 Update: WhatsApp partially solves security issues investigated by the Hague.