SECURITY EXPERTS have highlighted a number of issues with WhatsApp and warned users to “take extra caution” with the hugely-popular chat app.
Amnesty International this week named WhatsApp and Facebook as the most secure chat platforms available.
But the decision has been met with scepticism from a number of security experts in the technology community, including the Electronic Frontier Foundation.
Last year, the Electronic Frontier Foundation – dubbed EFF – ranked the biggest technology companies in the world, based on how transparent and protective they are of their users’ data.
WhatsApp was criticised in almost every aspect of the damning report.
Since the report was published, the Facebook-owned messaging app has rolled out end-to-end encryption to its 1 billion users worldwide.
WhatsApp has been repeatedly praised for the decision, which means any text messages, pictures, video clips, PDFs or files sent through the app will be scrambled and indecipherable to any criminals or law enforcement agencies that intercept your communications.
“The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to,” WhatsApp posted on its company blog.
“No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us.”
Default end-to-end encryption ensures WhatsApp is one of the most secure chat app platforms on the market, according to Amnesty International.
However, the Electronic Frontier Foundation has warned users to be very careful when using WhatsApp for sensitive conversations – for fear that they might be read.
The EFF criticised WhatsApp for using unencrypted backups.
Although messages and media sent between users are encrypted, according to the EFF, the hugely-successful app does not encrypt the online back-ups it makes of your conversations.
Online backup allows users who have bought a new phone – or whose smartphone was lost or stolen – to quickly restore their data.
However, it also means your messages, photos, video and more could be stored in the cloud without any protection.
Cybercriminals could potentially break into those backup files and read whatever messages they like.
In a blog post, the EFF wrote: “In order to back messages up in a way that makes them restorable without a passphrase in the future, these backups need to be stored unencrypted at rest.
“Upon first install, WhatsApp prompts you to choose how often you wish to backup your messages: daily, weekly, monthly, or never.
“In [our Surveillance Self Defense guide], we have advised users to never back up their messages to the cloud, since that would deliver unencrypted copies of your message log to the cloud provider.
“In order for your communications to be truly secure, any contact you chat with must do the same.”
According to the Electronic Frontier Foundation, the ability to send and receive messages via the web app on your computer also leaves WhatsApp open to attack.
“As with all websites, the resources needed to load the application are delivered each and every time you visit that site,” the non-profit digital rights group posted on its official blog.
“So, even if there is support for crypto in the browser, the web application can easily be modified to serve a malicious version of the application upon any given pageload, which is capable of delivering all your messages to a third party.
“A better, more secure option would be to provide desktop clients in the form of extensions rather than a web interface.”
The Electronic Frontier Foundation has published two recommendations for WhatsApp.
The first is to ensure the app makes it easier for users to enable stronger privacy options.
“A slider that would switch on all of the protective options – such as disabling backups, enabling key change notifications, and opting out of aspects of data sharing – would make it far easier for users to take control of their security,” the group claims.
WhatsApp should also be clearer about what data is being shared with parent company Facebook, the EFF wrote.
It also specifies that WhatsApp should explain to users how the data will be used.
The Electronic Frontier Foundation urges people to “take extra caution when deciding whether and when to communicate using WhatsApp” until the changes suggested in the blog are implemented.