If you haven’t heard by now, Facebook just made its biggest move ever, buying the messaging service WhatsApp in a deal worth some $19 billion. That’s 19 times what Facebook paid for Instagram two years ago.
The WhatsApp Service run by the team of just 32 engineers, handles more than 50 Billion messages daily, and approx 385 million active users.
WhatsApp acquisition has also brought out fresh criticism over security for the billions of messages delivered on the platform. Security Researcher at Praetorian Labs identified several SSL-related security issues in WhatsApp application using Project Neptune, a mobile application security testing platform.
"WhatsApp communication between your phone and our server is fully encrypted. We do not store your chat history on our servers. Once delivered successfully to your phone, chat messages are removed from our system." Company said in a blog post.
But researchers found that WhatsApp is vulnerable to Man-in-theMiddle attack because the app has not enforced SSL pinning and hence user credentials can be easily stolen. SSL pinning prevents the user of the application from being a victim of an attack made by spoofing the SSL certificate. SSL pinning won't prove a great solution is not validated properly.
"WhatsApp does not perform SSL pinning when establishing a trusted connection between the mobile applications and back-end web services. Without SSL pinning enforced, an attacker could man-in-the-middle the connection between the mobile applications and back-end web services. This would allow the attacker to sniff user credentials, session identifiers, or other sensitive information."
WhatsApp is allowing its backend servers to use weak 40-bit and 56-bit encryption schemes, which can be easily cracked using brute force attack. 'This is the kind of stuff the NSA would love,' researchers said.
WhatsApp team has confirmed that they are actively working on adding SSL Pinning to their app, but still that is not enough to protect our privacy.
Facebook and WhatsApp assured that nothing is going to change after the acquisition and WhatsApp will continue to function as an independent service, but is that statement satisfied? May be we can trust Facebook, Google, WhatsApp.. But we really can't trust the U.S. Government and the Security agencies like the NSA, that don't respect our privacy and freedom of speech.
Mobile messaging apps often used to deliver sensitive data or used for personal and corporate communications, so the data stored by the service provider should be encrypted end-to-end, which is not yet in the case of WhatsApp.
But there are many other free secure chat applications are available like Telegram, Surespot, Threema, TextSecure, RedPhone etc., that you should use to keep your data private and Secure, until WhatsApp will not adopt end-to-end encryption.
0 comments:
Post a Comment