WhatsApp to Encrypt All Messages by Default

This week, the makers of the Facebook-owned messaging application WhatsApp announced they would be switching on a new system which will encrypt the content of their customers communications automatically from here on out.


Photo: Twin Design/ Shutterstock

Affecting a wide swath of its 600 million users, the move will be one of the greatest leaps towards mobile communication security since the introduction of the new encryption standards we saw installed in iMessage back in 2011.

There are limitations so far, as for the time being the app can only handle raw text messages from one user to another (no group chats or picture messages are supported), and until further notice, only Android users will be able to benefit while the company works to get some kinks ironed out in iOS and the Windows Phone architecture.

The task of encrypting the gigabytes of a data that WhatsApp users send to each other each day was contracted out to the company Open WhisperSystems, who used their TextSecure protocol to implement the encryption that the messaging service relies on to protect customers behind a 256-bit AES wall of safety.

They went into detail about the exact specifications of the work on their blog yesterday morning:

“We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default,” it said.

Though the company acknowledges they’ve hit some stumbling blocks on their way towards a universal encryption standard, they also sounded optimistic about what the TextSecure platform was capable of, and how it could be applied to a bevvy of other secure solutions as the tech behind it continues to evolve and adapt.

“We’re continuing to develop the TextSecure app, and our roadmap for our own products remains unchanged. We’ve been working with WhatsApp for the past half year, and have learned a lot through the process of deploying the TextSecure protocol at the scale of hundreds of millions of users.

We’re excited to incorporate what we’ve learned from this integration into our future design decisions, and to bring this experience to bear on integrations that we do with other companies and products in the future.”

The company admits that users are still vulnerable to standard man-in-the-middle attacks who can impersonate users and trick customers into revealing personal details about themselves, though they say they’ve also been working diligently to find a way to minimize the risk of this happening through a new tech they haven’t revealed just yet.

While 256-bit AES will be the standard method of hiding the messages, the system can adapt to a range of different options, including Curve25519, and HMAC-SHA256 if the extra oomph is determined as necessary.

The most exciting feature of the TextSecure system is that each message (not conversation) is encoded with its own individual key, so even if a hacker does somehow gain access to one side of the equation, they won’t be able to read anything else in the chat window without devoting an entirely separate crack to the channel between two devices.

Of course, all the encryption in the world won’t keep Facebook themselves from harvesting the data contained within the WhatsApp servers for marketing purposes, but in a world filled with agencies like the NSA and GCHQ, a little ad-slinging is relatively far down on the list of things we should worry about the next time Grandma texts us about her new cat.