December 3rd, 2013
WhatsApp is the clear leader in mobile messaging, with over 300 million monthly active users. Yet WhatsApp’s security history has been less than exemplary, and the company seems to show an utter disregard for users’ privacy. For example, a joint Canadian-Dutch probe found that WhatsApp not only uploads the phone numbers of non-app users from your address book but also stores them perpetually, though it appears that this has subsequently been fixed.
In July 2013, WhatsApp also had an SSL vulnerability exposed that could allow PayPal/Google Wallet details to be exposed when paying for its services.
Another important question is, are your conversations secure? The official stand in the FAQ sounds pretty good in theory:
Note that prior to August 2012, WhatsApp did not even encrypt its messages. Everything was sent in plaintext, which could be easily intercepted and read. If you were using WhatsApp on Wi-Fi, anyone could snoop the airwaves and read what you were sending and receiving word for word. In fact, tools such as WhatsAppSniffer were designed to intercept these messages, so it was pretty darn easy for the average Joe to do so.
Subsequently, WhatsApp implemented encryption, but very poorly: it left your mobile number unencrypted and, worse, used your IMEI number or your MAC address as the basis for its cryptographic keys (in layman’s terms, passwords). This is a bad idea since MAC addresses and IMEIs can be easily discovered.
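To make the point about identifier-derived keys concrete, here is an added example (not WhatsApp's code and not part of the original post) that contrasts a key computed from an IMEI or MAC address with one drawn from a random source. The SHA-256 derivation, the function names and the sample IMEI are assumptions for illustration. The example goes slightly beyond the text by bounding how much secrecy such a key can hold.

```python
import hashlib
import math
import secrets

def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10

def identifier_key(identifier: str) -> bytes:
    """Weak (hypothetical scheme): the key is a pure function of a device identifier."""
    return hashlib.sha256(identifier.encode("ascii")).digest()

def random_key() -> bytes:
    """Hardened: 256 bits from the OS CSPRNG, independent of any device property."""
    return secrets.token_bytes(32)

def max_entropy_bits(kind: str, model_known: bool) -> float:
    """Upper bound on the secrecy of a key derived from an identifier.

    IMEI: 8-digit model code (TAC) + 6-digit serial + 1 check digit.
    MAC:  24-bit vendor prefix (OUI) + 24-bit device part.
    """
    if kind == "imei":
        return math.log2(10 ** (6 if model_known else 14))
    if kind == "mac":
        return 24.0 if model_known else 48.0
    raise ValueError(f"unknown identifier kind: {kind}")

if __name__ == "__main__":
    payload = "35000000" + "123456"  # constructed TAC + serial, not a real device
    imei = payload + str(luhn_check_digit(payload))
    # Hashing adds no secrecy: the same identifier always yields the same key.
    print("same key from same IMEI:", identifier_key(imei) == identifier_key(imei))
    print("two random keys differ: ", random_key() != random_key())
    for kind in ("imei", "mac"):
        for known in (False, True):
            bits = max_entropy_bits(kind, known)
            print(f"{kind:4} model_known={known!s:5} <= {bits:5.1f} bits")
    print("random key: 256.0 bits")
```

The bounds are ceilings that assume the identifier is hidden. Once the identifier itself is known, the derived key holds no secrecy at all, which is why credentials should come from a random generator rather than from device properties.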
WhatsApp subsequently fixed this as well, but its woes do not end there! As recently as October 2013, Thijs Alkemade, a Dutch mathematics and computer science student, found more security flaws that render WhatsApp’s encryption useless, and to date there has been no official comment or fix from WhatsApp.
So what alternative IM clients are there that are secure?
BBM, which is now also available on Android and iOS, is possibly the best widespread alternative, with high-grade security, though there are questions as to how it would comply with government requests, as it has been pressured by India into revealing its cryptographic keys so that the Indian government can spy on BBM messages. Furthermore, the Snowden leaks do indicate that the NSA has some capability against BBM. iMessage is probably OK for casual security but can be broken by authorities. WeChat is horrible security-wise and can probably be compelled by the Chinese authorities to hand over data. LINE is even worse: its messages are sent in plaintext.
Silent Circle is excellent, with a very high security and privacy focus, but it requires a monthly fee. Threema and Chat Secure are interesting alternatives, but adoption remains low. There is no one app that offers both widespread adoption and high security (though if I had to pick, it would be BBM). I hazard a guess that no one would stop using WhatsApp because of this article; however, if you do want to speak on sensitive matters, use a different IM client.