WhatsApp, one of the most popular instant messaging services, scaled its highest point recently when it handled more than 64 billion messages in 24 hour period in a day, just weeks after its acquisition by Facebook for a whopping USD 19 billion, according to media reports.
Last year, the daily message traffic of the application was just around 27 billion a day. Over 450 million people are connected through the application globally, handled by a team of 32 diligent engineers.
The acquisition of WhatsApp was embroiled in controversy not for unsettled issues between the dealers but for its users who feared security of messages being delivered through the platform.
In August 2013, Facebook General Counsel, Collin Stretch, did admit “in the last six months of 2012, a small fraction of one percent of Facebook user accounts were the subject of any government data requests of any kind, national security-related or otherwise.”
Facebook has been already dragged in the courts for ‘treading outside the bounds of the bounds of responsible data use on a fairly regular basis’ by the Electronic privacy Information Center (EPIC) and the Center for Digital Democracy (CDD).
That’s not the only thing about Facebook. Just a couple of months ago, White House had confirmed that Facebook collects user data, following with a lawsuit accusing the social media giant for spying on private messages and sharing them with third party.
WhatsApp CEO, Jan Koum, blogged last month officially that the Facebook partnership would not affect the user privacy.
If partnering with Facebook meant that we had to change our values, we wouldn’t have done it. Instead, we are forming a partnership that would allow us to continue operating independently and autonomously,” he said. Our fundamental values and beliefs will not change. Our principles will not change. Everything that has made WhatsApp the leader in personal messaging will still be in place,” he added.
But much earlier than that, WhatsApp was plagued with issues concerning safety of data handling.
As early as 2012, The H Security researchers warned vulnerabilities in messaging through WhatsApp.
Anyone using WhatsApp on a public Wi-Fi network risks having their data sniffed and their account used to send and receive messages. Once hacked, there is no way to restore account security — attackers will be able to continue to use the hacked account at their discretion,” read the official blog of the security group.
The culprit according to them was the use of internally generated password to log onto the server. The passwords were generated on Android devices from the device’s IMEI number, and on iOS devices from the device’s MAC address.
The problem with this is that the information is anything other than secret — the IMEI can often be found on stickers inside of Android phones (usually under the battery) and can also be obtained using a shortcut key combination or by any app,” said the blog.
That was not an isolated case of holes in WhatsApp services. Many versions with improved security setting were released thereafter and every time security researchers were able to breach through their security settings highlighting how opaquely security issues are handled at WhatsApp.
F-Secure gave a detailed explanation of how easy it was for anyone ‘to sniff incoming and outgoing messages’ and how their claims of using encryption to safeguard the user’s message was hollow. The security researchers provided a snapshot view of the user’s mobile number being uploaded in plain text messages.
The same research group also highlighted a ghastly app, BalloonPop2, that once installed can upload text conversations and photos to a website from where unrelated individuals can buy them and is thus a serious security threat to WhatsApp users.
BalloonPop2, which was originally offered in Google Play, was taken down for obvious security concerns because apparently the game was a hack in disguise. The game application, once downloaded, accessed the phone’s WhatsApp account, its serial number of the SIM card, copied the folder containing profile pictures and conversations, which were then uploaded to the developer’s WhatsAppCopy website.
Any cell phone user with this application installed could download any other user’s conversations for a small charge.
This was a clear case of stealing data from likely unsuspecting users. The developers claimed the app should be used as a backup service, implying that users need to put the app on their phone, thereby allowing transmission of all data to the WhatsAppCopy website.
Users were later charged for retrieving their own information should it somehow be lost on their phone or in the WhatsApp system.
What would one make out of it—a blatant breach of conversations and phone records privacy.
Did the user realize the danger they were willingly being escorted to? Shady individuals could use this data for identity theft.
Dutch security expert, Bass Bosschert, has also confirmed that flaws in Android could be used to allow hackers to read WhatApp chats, which could be used by hackers to create ‘rogue’ apps.
He says the WhatsApp database is saved on the SD card, which can be read by any Android application if the user allows it to access the SD card.
And since majority of the people allow everything on their Android device, this is not much of a problem,” said Bas Bosschert.
He has explained it in great detail along with the outline of steps needed on his blog. He also added, “Facebook didn’t need to buy WhatsApp to read your chats.”
Whatsapp reacted to these security flaws in its usual rhetoric that the claims have been overstated.
“We are aware of the reports regarding a ‘security flaw. Unfortunately, these reports have not painted an accurate picture and are overstated.”
“Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk.”
As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies.”
So what does one make out of it—while Facebook has been supplying user information to intelligence services; the WhatsApp data can be easily caught in the agencies’ dragnet with so many security flaws.
Share your views with us. Will you still use a platform that doesn’t care about your privacy and actually uses it to earn money?
