Instant Messaging on Smartphones: WhatsApp's Lack of Security
WhatsApp has become a very popular (read: FREE) alternative to traditional text messaging. Over the past few years, many smartphone users have shifted from using BlackBerry Messenger and other instant messaging apps to WhatsApp. This is especially true for activists in much of the Middle East and Sub-Saharan Africa.
The growing popularity is understandable considering that this cross-platform instant messaging application for smartphones only costs $0.99 for iPhone users and nothing for other platforms. With more than 200 million active users monthly, WhatsApp CEO Jan Koum boasted that “We’re bigger than Twitter today,” at a conference in April. According to company statistics, WhatsApp users are quite active - sending 12 billion and receiving 8 billion messages per day.
With WhatsApp you can send free messages to friends, family, colleagues, etc. anywhere in the world. In addition to messaging, you can create groups and exchange an unlimited number of images, video and audio media messages. Sounds pretty great, right?
Unfortunately, WhatsApp is less than perfect when it comes to issues of privacy and security. In 2011, the app came under scrutiny when researchers found a security hole that left user accounts vulnerable. Until August 2012, messages were sent in unencrypted plain-text format. Currently WhatsApp support staff claim that messages are encrypted; however, they have not specified what type of cryptographic method is used. According to one blogger, WhatsApp tried to implement some level of cryptography in 2012, but researchers quickly found that they were using a broken system of RC4 ciphers. In addition, researchers found that anyone can hack into a user’s account by logging in with the MD5 hash of the reversed IMEI number.
For those who use WhatsApp to send relatively mundane personal messages, security may not seem very important but for activists operating in hostile environments where government surveillance of online activities is commonplace, using encrypted methods of communication is a must. In Syria, many activists now rely on digital technology to organize, communicate and coordinate with one another. Many of these activists who use VoIPs and Instant Messaging applications to communicate and facilitate collaboration on projects have expressed deep concerns about the increasingly aggressive measures taken by the Syrian government to monitor their conversations.
In countries like Syria, Bahrain, Iran and China, activists can never be too cautious in terms of their digital security. The question is – are there viable alternatives to WhatsApp? Alternative open source software such as Text Secure, Gibberbot, Pidgin and GPG4USB provide encrypted SMs and chat communication, they are not as accessible or user friendly as commercial solutions than WhatsApp. Well encrypted and easy-to-use mobile chat is still elusive in much of the more difficult countries we work in. To read more about digital security tools and strategies, visit Tactical Tech’s Security in-a-box page.