Are WhatsApp messages really safe now?

Privacy and security are two controversial terms when found in the same sentence with WhatsApp And the fact is that the most widely used messaging application throughout the world has not exactly been the most secure in the communication landscape Until now. The announcement of its full encryption (or encryption for the less technical) has caught the attention of users , security experts and many agents from the technological world.Everything a step forward in the history of this application, but also in terms of the history of the security of mobile users But how does this encryption actually work? Is it really safe? What has changed since 2014, when you applied your first barriers? In this article we clear up all those doubts.

A little history

Starting at the beginning, let's talk about an app that came from the mind of Jan Koum and Brian Acton, former employees ofYahoo, and that had little or nothing to do with today's messaging. Actually, the origins of WhatsApp focused on showing the status of the contacts, knowing so if they were available to receive calls or SMS messages Due to the reaction of the first users, who began to use the status phrase to exchange messages, the creators were developing the potential of what is now WhatsAppUpdate to update. Change to change. Patch by patch. Something that pleased the most communicative users, but that prevented us from creating a basic and secure system from the beginning,leaving many loose fringes regarding security.

So much so that it has come to star in the news in which security experts, hackers and crackers managed to impersonate people a through the app. Or they even managed to alter the messages of other users without their knowledge Situations that can make the most jealous of their privacy's hair stand on end, and that served to show how the growth of WhatsApp did not match the real needs of users An increase in success which further attracted the eyes of cybercriminals, who found different ways to attack the system and get hold of data that was not protected or within the terminal, nor during its shipment.

Brian Acton and Jan Koum, co-founders of WhatsApp

At this point, prior to 2014, the WhatsApp application did not encrypt its communications , nor its contents in the terminal. However, the more than 500 million users at that time continued to use this application for their daily communication, exchanging all kinds of data, and even sensitive information such as bank accounts, addresses or even compromised photos and videos In addition, these messages were increasingly presented as evidence in legal proceedings All this knowing that there were ways to modify messages already sent from a history or delete them from a terminal intervened. A process that can be discovered by computer experts.

The situation was serious, and WhatsApp needed to take serious measures regarding privacy A concept that became even more valuable for users after the disclosure of Edward Snowden and the espionage service of the United States government, and other scandals more related to listening and theft of information. This is where the plan to secure begins WhatsApp It's time to build relationships with Open Whisper Systems

And message encryption arrived

It was in November 2014 when WhatsApp announced the encryption of part of its system They would do it with the platform Android and only in individual conversations, initially. To do this, they would use the TextSecure protocol, developed at the security company Open Whisper Systems, whose top representative is Moxie MarlinspikeThis encrypter has dedicated himself to creating all sorts of security barriers and is the true architect of what today many celebrate on WhatsApp In this way, and gradually, encryption has been extended to more functions of the WhatsApp service, resulting in a real work of computer engineering, and finally protecting the messages, but also the calls, thephotographs, the videos and even the documentsshared through chats.

To avoid getting into technicalities, we will say that this security system adapted to WhatsApp consists of the use of a code that encodes the sender's message before leaving his mobile, passing temporarily through the company's servers already encrypted, and decoding once it enters the recipient's mobile with the same codeWith this in mind, the really interesting thing about this system lies in the encryption key, which is only known by the terminal sender and by the receiving terminal. End-to-end This translates into the impossibility for third parties, and even your own WhatsApp, can read the information that is transmitted in the messages or in any other content sent, either through an individual or group chat. But let's dig a little deeper.

Infographic via Wired: User A asks a WhatsApp server for a public key that also applies to User B. User A then uses the public key to encrypt the message. User B's private key (only available on his phone) decrypts the message.

This encryption, called end-to-end, also creates a different code for each message which is being sent and which, again, can only be decrypted by the recipient.In between, other systems are in charge of creating security steps that prevent the most nosy ones like cybercriminals, hackers or crackers access the code or message. In short, a security structure that is practically impossible to penetrate And, if that were the case, as explained to tuexperto.com the computer expert and security expert, Carlos Aldama, only managed to invest a lot of time to read a single message, as protection is updated for each content sent, creating new barriers that “would take many years and a lot of luck to crack” , according to comments.

With this we would answer one of the initial questions of this article, affirming that it is a barrier really safe and effective in itselfAn option with which neither WhatsApp, nor governments, nor cybercriminals can read our messages, listen to our conversations or see our picturesOf course there are certain exceptional points to take into account. There is also a cost, such as reduced quality on calls through Internet via WhatsApp, which would be less clear because of the new encryption.

Exceptions

The system is secure, all right. However, we must not lose sight of what is protected by WhatsApp and what is not Thus, although the communication is secure and totally private, there are other parts of WhatsApp that are not so private A good example is data storage on the device, which is not as secure and whose data can be read as long as you have physical access to the terminal, in addition to the necessary computer skills and tools

There is also all that data about the terminal, the user's account, his connection, his hours of activity in the application and others issues that this app also logs.In this case we are talking about metadata that WhatsApp not only knows, but also stores it on its servers and that is not encrypted In other words, if they are intervened by a third party, they can be read for not wearing any type of protection Something that is very little It will likely get better in the future, as it would involve a major system change and even more engineering than the past two years to apply encryption to all of WhatsApp.

This way, the application remains vulnerable to spyware attacks or information theft when you have direct access to the terminal, being able to know the contents and even delete messages ( although it is a process that leaves traces). Of course, a relative vulnerability. In the same way, the company WhatsApp fails to protect the metadata that it may provide in response to particular requests for reasonslanguage or security filter, according to the computer expert consulted by Tuexperto.com

Also, there is a question as to whether WhatsApp is actually applying end-to-end encryption. Or if you have told the whole truth about your security system According to Carlos Aldama, This type of protection system should not allow a user with the mobile phone turned off to receive an encrypted message correctly and read it without problems when turning it on after several days After all, WhatsApp doesn't store messages nor do you know the encryption key So how can this situation occur with the current protection?

But then, can they spy on us or not?

WhatsApp has made it clear that its system is peeper-proof. So much so that not even those responsible can access the information that passes through the company's servers, since they do not know the encryption code of each message.

In Spain, the intelligence services and state security forces use the Sitel service of wiretapping and reading SMS messages, among other virtues. With it, and prior judicial order, they can intercept communications However, WhatsApp was left out of the possibilities of espionage or listening to the system already since 2014 Now, the reinforcement of encryption It only means an increase in the privacy of users, without the Government, nor the state security forcesNot even the most advanced espionage methods can access our conversations.

Of course, if governments can't access our messages, photos and calls, neither can cybercriminals, hackers and crackers As confirmed the Aldama expert, the base system on which the encryption of WhatsApp has already been violated a long time ago, but the adaptation to this application and its different intermediate barriers make it an almost impossible task in this case.

Privacy vs. Safety which is more important?

Faced with this situation of almost total security, an important dilemma arises: is it better to protect everyone's privacy or safety? Apple was recently asked by the FBI to unlock an iPhone related to a terrorist attack in order to investigate the information it contained.Apple has entrenched itself in its protectionist position, preventing it from opening back doors or giving in to the FBI , who has finally been able to access the information “suspiciously fast”, as Aldama points out For Apple , opening a back door means in the long run putting all its users at risk, being able to pave the way for the creation of tools with whichspy on your users

Those responsible for WhatsApp and Facebook (its owner) have also defended privacy for above national security in this case. But is it appropriate in a state of terrorism alert like Spain to protect communications from the espionage of governments and security forces? Our consulted expert, with extensive experience in legal proceedings, believes that privacy is necessary, but also giving access to information in pursuit of security as a measure guarantee and citizen security.The key, he says, is in “who and how can have access to our data”, understanding that only those responsible for warranted police investigations should be able to do so.