WhatsApp adds end-to-end encryption to its Android app

4 Comments

WhatsApp just got a whole lot more secure for Android users. On Tuesday, secure messaging company Open WhisperSystems announced that it has helped add a strong encryption protocol to the WhatsApp Android app, which means that WhatsApp (or its parent company, Facebook) can no longer read your messages in transit.

Even better, for supported devices, encryption is on by default. While there are apps with similar levels of security, WhatsApp, by many measures the most popular messaging platform in the world, is by far the largest messaging system to adopt strong end-to-end encryption.

WhatsApp is using the TextSecure protocol, which is developed by Open WhisperSystems and is also used in its own standalone app, TextSecure (currently transitioning to the Signal brand, which it already uses in its iOS incarnation). The idea behind end-to-end encryption is that WhatsApp won’t be able to decrypt messages sent on its network, even if requested by police or national security agencies.

Other messaging systems, like Apple iMessage or BlackBerry BBM, feature strong encryption. But in the case of iMessage, it’s possible for Apple to change encryption keys so that it could read messages in transit, and BlackBerry certainly has the power to peek at your messages. WhatsApp won’t — the TextSecure protocol is open source and audited, so you can be sure your messages can’t be read by anyone besides you or your recipient (barring an unforeseen vulnerability).

WhatsApp is wildly popular in developing markets like India, which has compelled messaging providers like BBM in the past to give up their encryption keys.

There’s no word on when end-to-end encryption will become available for the iOS version of WhatsApp, and there’s no way to encrypt group chats and media messages (like photos), or to verify users’ keys yet. Open WhisperSystems said in its blog post: “WhatsApp runs on an incredible number of mobile platforms, so full deployment will be an incremental process as we add TextSecure protocol support into each WhatsApp client platform.”

Encryption can be very complicated and non-user-friendly — by building it into WhatsApp and turning it on by default, Facebook is making our world a little more private.

007

While I agree this is a step forward, if I read this correctly WhatsApp will encrypt the message “in transit” – meaning when it goes from your mobile to their servers, and again when it goes from their servers to your friend’s mobile. Sounds good, but what about when it is on their servers – this has long since been the issue – is it encrypted on the server and who holds the keys? I am sticking with end-to-end encryption that is device-to-device direct – no server touchdowns, so no one can read my message except the recipient. RakEM and SilentText have this.

Kif Leswing

Yes, I agree purely peer-to-peer is preferable from a security standpoint, but it does make discovery of contacts and solid reliability significantly harder. This is a classic example of “good enough” which should help keep millions of messages private.

A Ch0w, sneeze

The current protocol as explained means Facebook can’t read the data, even if it touches down on their servers. This is how TextSecure works too. The difference here being that photos aren’t yet encrypted and you have no way of verifying that there is no man in the middle (for now).

tearfang

Good point. Full in-transit encryption is helpful but it is NOT end-to-end encryption; we should be very careful about using that term as it implies encryption is everywhere and complete. Case in point:

//The idea behind end-to-end encryption is that WhatsApp won’t be able to decrypt messages sent on its network, even if requested by police or national security agencies.//

is directly contradicted by 007’s above comment. If the messages are stored on WhatsApp’s servers unencrypted, three-letter government agencies CAN access them. Even if they are stored encrypted, if WhatsApp stores the encryption keys, same thing. Even if WhatsApp doesn’t store the keys, if you have to go through their servers to get your keys, they can be compelled to perform a man-in-the-middle attack by three-letter agencies and thus it isn’t true. Misunderstanding this in the US may be relatively no big deal, but in other parts of the world people are entrusting their lives to encryption and these distinctions matter.
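
As an added illustration of the distinction the comments above argue over (constructed example code, not WhatsApp’s or Open WhisperSystems’ implementation), the toy below contrasts a server that holds the symmetric key with a relay that only forwards public keys and ciphertext, and shows why the out-of-band fingerprint comparison mentioned in the article is the check that catches a relay handing out substituted keys. The DH group, the XOR stream cipher and all names are assumptions chosen to keep the script dependency-free.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: a 127-bit Mersenne prime with generator 3.
# Constructed for illustration only; real deployments use Curve25519 or larger.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    # Shared DH value hashed down to a 32-byte symmetric key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def fingerprint(pub):
    # Short hash of a public key: the value two users would compare out of band.
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def xor_crypt(key, data):
    # Keystream = SHA-256(key || block counter); XOR makes encrypt and decrypt identical.
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

def transit_only(msg, server_key):
    """Client-to-server encryption: the server holds the key, so it can read the message."""
    wire = xor_crypt(server_key, msg)
    return xor_crypt(server_key, wire)  # what the server sees before re-encrypting for Bob

def end_to_end(msg, relay_swaps_keys=False):
    """Relay forwards public keys and ciphertext only.
    Returns (what Bob reads, what the relay reads or None, whether fingerprints matched)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    pub_for_bob, pub_for_alice, relay_plain = a_pub, b_pub, None
    if relay_swaps_keys:  # the compelled-server case raised in the comments
        r_priv, r_pub = keypair()
        pub_for_bob = pub_for_alice = r_pub
    wire = xor_crypt(derive_key(a_priv, pub_for_alice), msg)
    if relay_swaps_keys:
        relay_plain = xor_crypt(derive_key(r_priv, a_pub), wire)
        wire = xor_crypt(derive_key(r_priv, b_pub), relay_plain)
    bob_plain = xor_crypt(derive_key(b_priv, pub_for_bob), wire)
    # Out-of-band check: Bob compares the fingerprint he was given with Alice's real one.
    fp_ok = fingerprint(pub_for_bob) == fingerprint(a_pub)
    return bob_plain, relay_plain, fp_ok
```

With an honest relay the message reaches Bob, the relay sees only ciphertext and the fingerprints match; with a key-swapping relay Bob still gets a readable message, which is exactly why the fingerprint mismatch, not the message arriving, is the signal users must check.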
