WhatsApp group chats not as secure as users might believe

Researchers have discovered flaws in the way the WhatsApp messaging app handles secure (encrypted) group communication, which could result in unauthorized users being added to closed groups and monitoring future conversations within them.

The problem with WhatsApp:
Paul Rösler, Christian Mainka, and Jörg Schwenk analysed the three widely used protocols and their implementations, and found that if someone – e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) – gains control of WhatsApp’s servers, they could easily insert a new member in a private group without the permission of the group’s administrator(s).

The other participants will get a notification about a new user joining the group, but they have no way of knowing whether the new member was invited by the administrator(s). Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.

As noted cryptographer and Johns Hopkins University professor Matthew Green explained, the vulnerability stems from the fact that the WhatsApp server plays a significant role in group management, and that group management messages are not end-to-end encrypted or signed.

“When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add. The server then checks that the user is authorized to administer that group, and (if so), it sends a message to every member of the group indicating that they should add that user. The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server.”
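To make the weakness in the quoted flow concrete, here is an added example (not code from the researchers or from WhatsApp) that models the unsigned "add this user" instruction beside a version in which members verify an admin-held tag before acting. The group id, user names and key are constructed, and the HMAC stands in for a real public-key signature that the server cannot produce.

```python
import hashlib
import hmac
import json

# Constructed toy model of the group-add flow. An HMAC keyed with a secret
# the server never holds stands in for the admin's signature; a real fix
# would use a public-key signature that every member can verify.

def canonical(msg):
    """Serialise everything except the tag, so sender and verifier agree."""
    body = {k: v for k, v in msg.items() if k != "tag"}
    return json.dumps(body, sort_keys=True).encode()

def admin_add_request(group_id, admin, new_member, admin_key=None):
    """What the administrator hands to the server. Tagged only if a key is given."""
    msg = {"group": group_id, "admin": admin, "add": new_member}
    if admin_key is not None:
        msg["tag"] = hmac.new(admin_key, canonical(msg), hashlib.sha256).hexdigest()
    return msg

def member_apply(members, group_admin, msg, admin_key=None):
    """What each member does on receiving 'add this user' from the server.
    Returns True if the member accepts the instruction and adds the user."""
    if admin_key is not None:  # hardened path: check the admin's tag first
        expected = hmac.new(admin_key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(msg.get("tag", ""), expected):
            return False  # tag missing or wrong: not from the admin
    if msg["admin"] != group_admin:
        return False
    members.add(msg["add"])
    return True

def run(signed):
    """Honest add followed by a server-forged add; returns the final member set."""
    key = b"constructed-admin-secret" if signed else None
    members = {"alice", "bob"}
    honest = admin_add_request("g1", "alice", "carol", key)
    member_apply(members, "alice", honest, key)
    # A malicious server fabricates an add instruction on the admin's behalf.
    forged = {"group": "g1", "admin": "alice", "add": "mallory"}
    member_apply(members, "alice", forged, key)
    return members

if __name__ == "__main__":
    print("unsigned:", sorted(run(signed=False)))  # mallory is added
    print("signed:  ", sorted(run(signed=True)))   # mallory is rejected
```

In the unsigned case the members have no way to distinguish the forged instruction from the honest one, which is exactly the gap the quote describes; the tagged variant lets each client refuse anything the admin did not authenticate.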

What now?
The main problem is this: end-to-end encryption, which WhatsApp purports to offer, should not depend on uncompromised servers. “We haven’t entirely achieved this yet, thanks to things like key servers. But we are making progress. This bug is a step back, and it’s one a sophisticated attacker potentially could exploit,” Green noted.

The researchers disclosed their findings to WhatsApp last summer. WhatsApp said that the “group invitation bug” is a theoretical danger that’s additionally minimized by the fact that users will receive a notification about a new user joining the group. Also, the spokesperson noted, administrators could warn users about the new, unauthorized addition via private messages. That seems to be enough for them at the moment, especially because a fix for the flaw could end up breaking the convenient “group invite link” feature.

There are apps for most things; use them safely and securely

Thanks to apps, your phone, tablet and maybe your smart watch have become the smartest and fastest way to communicate, navigate, shop, bank, book, pay, get your entertainment … and much more. But convenience can be accompanied by disadvantages, so we’d like to pass on a few expert tips about making sure you choose and use apps safely and securely.

Use only official app stores

Avoid downloading fraudulent or otherwise illegitimate apps by using only the official store for your device’s operating system, and avoiding unauthorised sources such as bulletin boards and peer-to-peer networks. Even then, read reviews and choose with care, as some rogue apps occasionally make their way into app stores.

Read the small print

When downloading apps, you’re usually asked to agree to terms and conditions. These can be quite lengthy and complex, but it’s important to do so as some small print includes details on data sharing, in-app payments and other conditions.

Know what permissions you’re granting

You may be asked for permission for an app to access your location, photos, camera, contacts or other functions or data. Before agreeing, think about if you really want this type of access enabled, and the safety aspects of others knowing what you’re doing and where you are (especially important for children).

Check settings

Where possible, check app settings to determine whether downloading updates and day-to-day data are enabled automatically. This may be convenient, but it could also make it easier for your data to be intercepted, and may use up your data allowance.

Check content ratings

Most apps found in the official app stores feature ratings with guidance on the content and intensity of various aspects of the app. Each store has its own policy, so ratings may vary from store to store. A nice-to-have for you, but essential for apps which may be accessed by children.

Use public Wi-Fi safely

When you’re out and about, remember that you shouldn’t use Wi-Fi hotspots for confidential communications or transactions in places like cafés, pubs and hotel rooms, as there’s no guarantee of security. Instead, use your data, or wait until you get back to your secure Wi-Fi.

Always log out

When you’ve finished using an app – particularly one for banking, shopping or payments – always log out, as simply closing the app may not necessarily do it for you. This also goes for location-based apps, when you want to keep your whereabouts to yourself.

Download updates

Always download app updates when prompted, because as well as providing new features and better functionality, updates usually contain at least one security fix.

Look after your devices

With today’s apps, your mobile device becomes a computer, wallet, satnav, photo album, TV, filing cabinet, and much more. You shouldn’t leave any of these items in an unlocked house or vehicle, or unattended in a café or on a train … your mobile device is no different. And always PIN or password-protect your device as a first line of security.

Keep an eye on those bills

Be aware of the data used by apps when you’re out and about, including roaming charges abroad. And remember that some apps enable in-app purchases, which can be very attractive to use – especially to children – but at a price.

Do your housekeeping

Filling your phone or tablet with dozens of apps you don’t use can affect its performance, including reducing battery life. Remove the ones you haven’t used for a while, apart from security apps. If you’re disposing of your phone by any means, erase all data and apps, preferably by doing a factory reset.
