WhatsApp: A “risk” according to cryptologic centers

9 October 2016


So-called experts and organizations have raised their voices in alarm. A study of WhatsApp by Spain's Cryptologic Centre (CCN) adds a warning that points in an entirely different direction: using this app is risky because it is an attractive platform for intruders and criminals.

The CCN produced a report that presents weaknesses of the instant messaging application, such as an intrinsically weak registration process, unsafe deletion of conversations, and the possibility of account theft. The organization also notes that the platform's wide acceptance makes it a target for criminals who seek to obtain as much information as possible from its users.

The document also accuses the creators of having neglected some basic elements of data protection and management. It suggests that the most significant deficiency lies in the registration and verification process, which could “encourage a third party to take over an account that does not belong to them”, with the consequent intrusion into the victim's privacy, access to their messages, and a long list of uncomfortable consequences you can already imagine.

Other points the report covers are the possibility of being exposed during the initial connection if it is made over public or otherwise doubtful WiFi networks, and the option of stealing accounts via SMS. It also mentions downloading the tool from unofficial sites and the risks arising from local storage of information. Moreover, the exchange of data with Facebook is identified as a controversial case.

Fortunately, the analysis also includes a section of recommendations to minimize these risks, such as setting a password to unlock the phone to hinder access if it falls into the wrong hands, being “careful with application permissions”, disabling WiFi and Bluetooth when they are not in use, and being aware of the “potential danger of jailbreaking or rooting the smartphone”.

 


1 thought on “WhatsApp: A “risk” according to cryptologic centers”

  1. The encryption in Whatsapp, the Signal Protocol (previously named TextSecure), developed by Open Whisper Systems, is one of the strongest out there. Nowadays it is used by Signal, Whatsapp, Facebook Messenger (Secret chats) and Google Allo (incognito mode). It uses a combination of the Double Ratchet Algorithm, prekeys, and a triple Diffie–Hellman (3-DH) handshake, and uses Curve25519, AES-256 and HMAC-SHA256 as primitives.

    Which means that it has “confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity.” http://ieeexplore.ieee.org/document/7467371/

    The most important parts are: authentication, forward secrecy and future secrecy. The Signal protocol uses public key fingerprints which users can manually compare to verify that the one you’re talking to is really the right person (phone). Forward secrecy means that your past messages are protected against future compromises of secret keys or passwords. (so if someone steals your encrypted messages, and then figures out an encryption key for one message at a later point in time, he cannot read those previous messages with it). Future secrecy is the same but then future messages are unreadable with an encryption key of a current message.

    “possibility of carry out account theft” –> if you enable notifications for Security Code changes you’ll notice something is off with your contact. To be sure no one is listening in on your conversation, you can manually compare authentication keys. https://www.whatsapp.com/faq/en/general/28030015 & https://www.whatsapp.com/faq/en/general/28030014

    See also:
    https://en.wikipedia.org/wiki/Signal_Protocol
    https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm
    https://www.whatsapp.com/faq/en/general/28030015
    https://www.whatsapp.com/faq/en/general/28030014
    http://ieeexplore.ieee.org/document/7467371/
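
The forward secrecy and future secrecy properties described in the comment above, shown as an added example that is not part of the original post or comment and is not WhatsApp's or Open Whisper Systems' code. It assumes the HMAC-SHA256 chain step with the 0x01/0x02 constants recommended in the Double Ratchet specification; `kdf_rk` is a simplified stand-in for HKDF, random bytes stand in for a Curve25519 shared secret, and all names and starting values are constructed.

```python
import hashlib
import hmac
import os


def kdf_ck(chain_key):
    """Symmetric ratchet step: return (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def kdf_rk(root_key, dh_output):
    """DH ratchet step: mix a fresh shared secret into the root key.
    Simplified HMAC stand-in for the HKDF a real implementation uses."""
    prk = hmac.new(root_key, dh_output, hashlib.sha256).digest()
    new_root = hmac.new(prk, b"root", hashlib.sha256).digest()
    new_chain = hmac.new(prk, b"chain", hashlib.sha256).digest()
    return new_root, new_chain


def advance(chain_key, count):
    """Derive `count` message keys; return (final_chain_key, [message_keys])."""
    keys = []
    for _ in range(count):
        chain_key, mk = kdf_ck(chain_key)
        keys.append(mk)
    return chain_key, keys


def demo():
    # Constructed starting state; a real session gets it from the 3-DH handshake.
    root, chain0 = kdf_rk(bytes(32), b"constructed-initial-shared-secret")
    _, honest = advance(chain0, 5)            # message keys 1..5
    stolen_chain, past = advance(chain0, 3)   # chain key stolen after message 3
    _, attacker = advance(stolen_chain, 2)    # everything the thief can derive
    # Fresh DH output the thief never sees (stand-in for a Curve25519 secret).
    _, healed_chain = kdf_rk(root, os.urandom(32))
    _, healed = advance(healed_chain, 2)
    return {
        # Keys 1..3 are not reachable by running the chain forward; going
        # backward would require inverting HMAC-SHA256 (forward secrecy).
        "past_keys_exposed": any(k in attacker for k in past),
        # Without a DH ratchet step, keys 4 and 5 follow from the stolen key.
        "same_chain_future_keys_exposed": attacker == honest[3:],
        # After the DH ratchet step the chain is re-seeded (future secrecy).
        "keys_after_dh_ratchet_exposed": any(k in attacker for k in healed),
    }


if __name__ == "__main__":
    print(demo())
```
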
