WhatsApp is the world’s leading messenger—with two billion users sending 100 billion messages each day, no other platform comes close. WhatsApp built its userbase by offering a secure alternative to SMS, popularizing the availability of end-to-end encryption. On the surface, security remains central to the WhatsApp proposition. “Privacy and security are in our DNA,” it says. But that’s a mantle that’s now slipping. Delve beneath those marketing messages, though, and WhatsApp is not as secure as you might think.
Nowhere is this more evident than for new iPhone 12 users right now. When you come to move your WhatsApp account from your old device to your new one, you’ll be directed to use WhatsApp’s iCloud backup option to transfer your message history, media and settings. But those backups are not protected by WhatsApp’s end-to-end encryption. It’s a serious privacy and security vulnerability—one that rivals iMessage and Signal have resolved.
In reality, the risk you run using this backup option is that you’ve given Apple a key to your message content—breaking the point of end-to-end encryption, which means your secure content can be provided to law enforcement if requested. It’s a genuine risk, albeit one that is unlikely to impact more than a small number of users. There’s a more serious risk, though, buried in WhatsApp’s settings. And this is one you need to do something about.
The irony here is that this security vulnerability was neatly highlighted by the latest security enhancement launched by WhatsApp. I first reported on the development of “disappearing messages” earlier this year—users can elect to automatically delete messages in any 1:1 chat or in groups where they have admin rights. That feature is now rolling out. Pitched as a security and privacy fix, it’s not really anything of the sort. While it may give some comfort to users that content won’t come back to haunt them, there are plenty of caveats.
If users reply to a “disappearing message” or forward it elsewhere, then the “disappearing message” will likely be quoted and that will not be deleted. Any backup before a message disappears will include it, albeit the message will disappear if the backup is restored. And there is obviously nothing to stop recipients' screenshotting messages. Originally, it seemed that WhatsApp would offer a choice on the expiry period for disappearing messages—from as little as an hour to as much as a year. This would have offered better protection. By way of example, uber-secure Signal offers to autodelete after as little as five seconds.
The real issue is buried in WhatsApp’s disappearing messages explainer: “By default, media you receive in WhatsApp will be automatically downloaded to your photos. If disappearing messages are turned on, media sent in the chat will disappear, but will be saved on the phone if auto-download is on.” There are two serious problems here.
First, the photos and videos you send are arguably more likely to compromise you than straight text. This is why the expiring media option offered by Snapchat and Instagram is commendable. There’s a chance WhatsApp has this option in development—if so, that would be welcomed and will protect users from the personal or viral media they send. In the meantime, though, your photo and video attachments—disappearing messages or not—will be saved by default on the phones of all those you send them to.
Second, and much more critically, you should never save messaged photos to your phones. As ESET’s Jake Moore warns, “simply being sent a file which automatically saves sounds dangerous by any means but tends to be the norm for so many people.”
Video and image files appear deceptively safe—unlike an Office or PDF document, you see a preview of the image and assume it’s safe. That’s not the case. In September, researchers at Check Point disclosed that a maliciously crafted image file could have hijacked Instagram accounts. “Think twice before you save photos onto your device,” the firm’s Ekram Ahmed told me. “They can be a Trojan horse for hackers to invade your phone. We demonstrated this with Instagram, but the vulnerability can likely be found in other applications.”
The attack vector suggested by Check Point was a dangerous image shared over a messenger like WhatsApp, saved to a user’s device, which was then able to hijack another application—in this case, Instagram. Those images are almost certainly safe when viewed as a preview within the messenger itself—just don’t save it to your phone. The only exception is where you know the sender and are certain it’s a photo or video capture by the sender themselves, not forwarded from an unknown source or found online or on social media.
iPhone users rightly assume their devices are safer than Android equivalents. The App Store is more tightly locked down than Google’s Play Store. There are more onerous restrictions on the access to data and settings provided to third-party apps—especially with iOS 14. The ecosystem is rigidly controlled. But as reported by Check Point, that can be undone if users don’t take sensible precautions for themselves. The malicious image Instagram vulnerability they reported in September impacted both iPhone and Android devices.
Fortunately, the remedy is simple. Open WhatsApp on your iPhone, then click on Settings, Chats, and ensure that “Save to Camera Roll” is switched off. In each and every chat, there’s also the option to apply this default or to override it for each individual chat. By default, this will follow the master setting–just make sure you don’t change it.
source
