WhatsApp is secure enough

There has been some panic in the last few days regarding the latest update of WhatsApp Messenger's terms of service. While it's true that they are loosening their policy for sharing data with external services, these changes seem necessary. If they want to provide in-app shopping and third-party integrations, they need to open up the ecosystem a bit.

No need to panic. End-to-end encryption works.

When WhatsApp launched, it quickly became a hit due to its multiplatform availability and smart use of the phone contacts list. Other messaging apps at that time required you to add contacts one by one.

Despite its success, it was infamous for its security flaws. For a long time, the app sent messages and phone numbers in plain text. These could be easily intercepted and read by anyone in the same network.

As more privacy-focused competitors appeared, they addressed many of the user data security concerns. Eventually, in 2016, they even adopted the Signal Protocol (a peer-reviewed and open-source end-to-end encryption strategy) in all their apps. This change guarantees that only the intended sender and receiver of a message can see its contents and that the intermediary server cannot modify it in any way.

Currently, the weak points of WhatsApp in terms of user data confidentiality are:

• Facebook is progressively adding features aiming to monetize the service. And the way that Facebook makes money (until now) is by profiling its users for advertisement purposes.
• Cloud backups of message history are not encrypted, which is one reason that their competitor Telegram uses to justify their use of server-side encryption by default.
• Security researchers have found several vulnerabilities in the WhatsApp Web client that allowed capturing and modifying messages exchanged with the connected device.
• Both the apps and server are proprietary software. Nobody outside the company can easily audit it. Also, users need to trust that WhatsApp will never deliver a rogue version of their app that steals encryption keys or compromises communications.

Are its competitors any safer?

During the years of WhatsApp's disregard for user privacy, two clonic competitors appeared: Signal and Telegram. These two services still focus their marketing on pointing at WhatsApp's security flaws and user privacy concerns, especially after its acquisition by Facebook.

Signal is a messaging service operated by the non-profit Signal Foundation. All their apps enforce end-to-end encryption, and the source code of both the mobile apps and the server is free to use and modify by anyone. This fact allows any developer or cybersecurity enthusiast to audit their encryption system and discover security flaws before anyone can abuse them. As mentioned before, the creators of Signal and WhatsApp worked together to implement this protocol into WhatsApp.

Telegram is a service sponsored by the Russian businessman Pável Dúrov, widely known for his previous successful social network: VK. All official Telegram apps are open-source, and anyone can build client-side apps by using their open API. While Telegram claims to be an application focused on security, there are many concerns regarding their practices. They have an opt-in feature for end-to-end encrypted conversations, despite their default messaging capabilities rely on storing encryption keys in the cloud. Otherwise, they would not be able to synchronize conversations among devices.

Moreover, their encryption schemes rely on a protocol designed in-house: MTProto. The source code of their server-side software is proprietary, and therefore this protocol cannot be audited. All these facts have raised a lot of concerns among the cybersecurity community.

It's not wrong to monetize.

WhatsApp tried to charge money for using the service, unsuccessfully. The $1 cost of downloading in the iOS App Store and the (kind of) opt-in $1/mo subscription service on other platforms didn't cover costs. Moreover, it was a huge risk in such a competitive environment. Apart from BlackBerry Messenger and other corporate solutions, all instant messaging platforms were free to use (despite the abuse of advertisement placement).

We can assume that Facebook was aware of that when they acquired the company for $19 billion. They had to have other plans to monetize it.

The Signal Foundation relies on donations for sustaining the service, which doesn't sound realistic for a service with such a massive infrastructure. 

Relying on a "philanthropist" benefactor operating in complete opacity from a limited liability company in Dubai doesn't inspire much confidence either, which is the situation of Telegram. His track record of acting like an eccentric and immature new millionaire doesn't help at all.

I believe that Facebook can come up with a way to insert non-intrusive promotional content in the app or, at least, drive traffic to other profitable apps and services. Both the media and western governments seem to overreact at every attempt to drive the product towards self-sustainability. I think all the panic has had no sound justification, so far.

So, what's at stake here?

Unfortunately, the most popular instant messaging protocol in every market will always be really difficult to overcome. As a result, they will always acquire a powerful position where their interests might prevail over their users'.

The best scenario possible would be the dominance of a decentralized and encrypted protocol, like the ones used in GNU Jami. The main problem with the latter is that it lacks the ease of use of centralized alternatives.

We are lucky that the WhatsApp team and Facebook kept end-to-end encryption enabled by default. We are talking about the most popular instant messaging app in the world. How much would we lose if telecom carriers managed to establish their (still insecure) revision of SMS? We would end a monopoly, but governments and hackers would be really happy; indeed.