Operational WhatsApp (on iOS)
Recently WhatsApp completed their roll out of the end to end encrypted Signal Protocol (previously known as Axolotl.) This is great news because now there is an easy to use secure messaging app used by millions of people. While WhatsApp provides strong end to end encryption for data in motion, the app itself has a number of issues that prevent it from being the ultimate secure messenger.
This guide will reference issues raised in my previous posts about Telegram and Signal, please read those for additional information. I provide some recommendations on how to harden WhatsApp defaults, but there are limitations on what can be done with the facilities provided.
The Good, The Bad and The Ugly
- The app is very easy to use.
- The encryption for the data in motion is top notch.
- The app is very mainstream with a large user base, ensuring good network effects and providing excellent cover.
- There is the capability to securely transfer documents, as well as other media.
- WhatsApp aggressively tries to force the user to store their plaintext chat logs on iCloud.
- Pictures and videos are automatically stored in the Camera Roll, which may automatically upload them to iCloud.
- The Address Book is slurped up as a requirement for the app to work.
- No automatic message deletion.
- WhatsApp won’t install on iPod Touch or iPad.
- Update: Deleted messages are not overwritten or removed from the messages database. They are easily recoverable via digital forensics.
- Messages sent/recv are logged at a granular level — wiping this information generates a new “log wiped” entry.
- Metadata is available to Facebook.
- The notifications cannot be made sufficiently private.
- There is no application level passcode.
- The screen is captured as an image and saved to disk when the user switches apps or locks the screen.
Update: originally I stated there was no encryption to BlackBerry users. I was wrong, however BlackBerry users may have to force update to the latest version.
What Is To Be Done?
Although the transport level security of WhatsApp is extremely high, the app’s default settings must be tweaked to ensure more private messaging. In some cases there is not sufficient granularity, and even missing functionality, which prevents hardening the app properly.
To reduce risk and increase privacy when using WhatsApp, configure the following settings:
Settings >> Account >> Privacy
- Last Seen: My Contacts
- Profile Photo: My Contacts
- Status: My Contacts
- Read Receipts: OFF
Settings >> Account >> Security
- Show Security Notifications: ON
Settings >> Chats
- Save Incoming Media: OFF
- Chat Backup >> Auto Backup: OFF
Settings >> Notifications
- Show Preview: OFF (unfortunately, this still displays the sender’s name)
Settings >> Profile
- The name entry here is what is displayed in the recipient’s notifications. Feel free to change to a generic value, e.g. Friend
These settings are a reasonable middle ground for reducing the amount of data that the app creates locally, and minimizing what is exposed as clear text on iCloud.
Problems remain. It is not possible to automatically delete old messages after an expiry date. It is not possible to configure notifications to hide potentially sensitive data. The Chat Backup feature will regularly nag the user to enable it, one wrong tap during app startup could be a fatal error.
iCloud Backstabbing Backups
Update: iCloud backups must be disabled separately for the WhatsApp application. This is done from the main Settings application on iOS:
Settings > iCloud > Storage > Manage Storage > This iPhone > Show All
- WhatsApp: OFF (Turn Off & Delete)
Keeping it Fresh and Clean
It is important to have a procedure to follow when conducting a sensitive discussion. Part of that procedure must include destruction of the logs, wherever possible, to minimize the risk of future discovery by malicious parties.
- After completing a conversation, or at regular intervals, old messages should be deleted
- From the Chats tab, swipe the conversation to the left. Tap the More button. Tap the Delete Chat button. Tap the Delete Chat button, again.
- Go to the Settings tab. Tap Data Usage. Tap Network Usage. Scroll to the bottom and tap Reset Statistics. Tap Reset Statistics, again.
This will remove the local traces of the conversation, to the extent possible. There will still be metadata available at the ISP and on WhatsApp’s servers. There may be additional forensic artifacts left over on the device. However, accessing that data requires a level of investigative effort above merely opening the app and looking at who the user has been chatting with.
Update: forensic analysis of a WhatsApp message log demonstrates that there is not sufficient security provided by deleting a thread. Until Facebook address this issue, the only work around may be to use very short conversations and delete them frequently. This may minimize the amount of data in the SQLite free pages and increase the chance of sensitive data being overwritten. Or maybe not.
Fantasy Features List
The most important points that need to be addressed are the excessive message logging, the lack of automatic message deletion, and the dependance on a mobile phone number (and thus the Address Book).
Messenger apps should allow the user to configure the messages to expire after a set time period. They should allow the user to use a custom identifier, rather than a phone number, and allow users to add contacts manually. They should not log granular message counts, unless they allow the user to disable that functionality. Notifications should be configurable to provide the user with a generic notification without exposing any data.
The Bottom Line
WhatsApps adoption of a strong encrypted protocol is a significant improvement in secure messaging, but problems remain. Although the data is well protected on the wire, there is still significant metadata leakage and there are significant privacy issues related to using the app.
WhatsApp is a great replacement for iMessage, but it is not the final word in secure messaging.