📝 Original Info
- Title: WhatsApp security and role of metadata in preserving privacy
- ArXiv ID: 1701.06817
- Date: 2017-01-25
- Authors: Nidhi Rastogi, James Hendler (Rensselaer Polytechnic Institute)
📄 Full Content
WhatsApp security and role of metadata in preserving privacy
Nidhi Rastogi, James Hendler
Rensselaer Polytechnic Institute, Troy, NY, USA
raston@rpi.edu
hendler@cs.rpi.edu
Abstract: WhatsApp messenger is arguably the most popular mobile app available on all smart-phones. Over one billion people worldwide use it for free messaging, calling, and media sharing. In April 2016, WhatsApp switched to a default end-to-end encrypted service. This means that all messages (SMS), phone calls, videos, audios, and any other form of information exchanged cannot be read by any unauthorized entity since WhatsApp version 2.16.2 (released April 2016). In this paper we analyze the WhatsApp messaging platform and critique its security architecture, with a focus on its privacy preservation mechanisms. We report that the Signal Protocol, which forms the basis of WhatsApp end-to-end encryption, does offer forward secrecy and protection against MITM to a large extent. Finally, we argue that simply encrypting the end-to-end channel cannot preserve privacy. The metadata can reveal just enough information to show connections between people, their patterns, and personal information.
This paper elaborates on the security architecture of WhatsApp and performs an analysis of the various protocols used. This enlightens us on the status quo of the app's security and what further measures can be used to fill existing gaps without compromising usability. We start by describing (i) the important concepts that need to be understood to properly understand the security, (ii) the security architecture, (iii) the security evaluation, (iv) followed by a summary of our work. Some of the important concepts that we cover in this paper before evaluating the architecture are end-to-end encryption (E2EE), the Signal Protocol, and Curve25519. The description of the security architecture covers key management, end-to-end encryption in WhatsApp, the authentication mechanism, message exchange, and finally the security evaluation. We then cover the importance of metadata and the role it plays in conserving privacy with respect to WhatsApp.
Keywords: WhatsApp, privacy, security, Facebook, signal protocol, curve25519
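The abstract's claim that metadata alone reveals connections and patterns, illustrated with an added Python example (not code from the paper): an observer who sees only the message envelopes of an end-to-end encrypted service, with the payload as opaque ciphertext, can still recover who talks to whom, how often, at what hours, and which exchanges probably carried media. The phone numbers and the envelope log are constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed envelope log (not real traffic). The payload is opaque ciphertext; the
# relay still sees sender, recipient, time and size: (sender, recipient, ISO time, bytes)
ENVELOPES = [
    ("+1555000001", "+1555000002", "2016-04-05T22:14:03", 212),
    ("+1555000002", "+1555000001", "2016-04-05T22:15:40", 180),
    ("+1555000001", "+1555000002", "2016-04-05T23:02:11", 1_450_000),
    ("+1555000001", "+1555000003", "2016-04-06T08:31:00", 240),
    ("+1555000003", "+1555000001", "2016-04-06T08:33:12", 198),
    ("+1555000004", "+1555000001", "2016-04-06T12:05:09", 301),
    ("+1555000001", "+1555000002", "2016-04-06T22:41:55", 205),
    ("+1555000002", "+1555000001", "2016-04-06T22:43:30", 190),
]

def contact_graph(envelopes):
    """Undirected contact graph: (number, number) -> messages exchanged."""
    edges = Counter()
    for sender, recipient, _, _ in envelopes:
        edges[tuple(sorted((sender, recipient)))] += 1
    return edges

def top_contact(envelopes, number):
    """The counterpart `number` exchanges the most messages with, from metadata only."""
    partners = Counter()
    for sender, recipient, _, _ in envelopes:
        if sender == number:
            partners[recipient] += 1
        elif recipient == number:
            partners[sender] += 1
    return partners.most_common(1)[0] if partners else None

def active_hours(envelopes, number):
    """Hour of day (0-23) -> how many messages `number` sent in that hour."""
    hours = Counter()
    for sender, _, timestamp, _ in envelopes:
        if sender == number:
            hours[datetime.fromisoformat(timestamp).hour] += 1
    return dict(sorted(hours.items()))

def likely_media(envelopes, threshold=100_000):
    """Envelopes whose ciphertext size points to a media attachment rather than text."""
    return [(s, r, ts) for s, r, ts, size in envelopes if size >= threshold]

if __name__ == "__main__":
    print("contact graph:", dict(contact_graph(ENVELOPES)))
    print("closest contact:", top_contact(ENVELOPES, "+1555000001"))
    print("hours active:", active_hours(ENVELOPES, "+1555000001"))
    print("probable media transfers:", likely_media(ENVELOPES))
```

None of these inferences needed a single byte of plaintext, which is the gap the paper says channel encryption alone leaves open.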
- Introduction
WhatsApp messenger was started by two ex-Yahoo employees (Business Insider 2015) and was sold to Facebook in 2014 (WhatsApp Blog – Facebook 2016) but remained operationally independent. Since then, the user base has increased tremendously and over a billion users per day now use the app. As of January 2016, the average number of daily messages exchanged over WhatsApp is reported to be an astounding 34 billion (The Verge 2014). WhatsApp has been able to attract this unprecedented success because of its availability on all popular mobile operating systems, and because it is free of cost (or costs a nominal $0.99 per year). Free calls, unlimited messages, and media exchange, along with an easy to operate interface, make it favorable for novice users as well.
However, as far as security is concerned, WhatsApp has come under fire several times in the past. The negligence shown towards making the application secure made it an easy target for attackers. For example, in 2011, a problem was found in the app verification process proving that the authentication mechanism was insecure (Schrittwieser et al. 2012). Researchers were able to exploit a valid usage session by successfully hijacking several user accounts (called session hijacking). This allowed unauthorized access where an attacker could spoof the sender identification, thus receiving messages targeted to the victim. A packet sniffer could then intercept the traffic and log all communication details. All later attempts were either half-baked attempts to encrypt messages or were broken at launch. This lax approach continued, and by May 2012 WhatsApp was still sending messages in plain text, which means there was no encryption for any kind of communication.
In the wake of increasing privacy concerns and the dispute between Apple and the FBI over encryption of phone data, WhatsApp has switched to end-to-end encryption. This has enabled the messenger app user to send all communication encrypted. It is no longer easy for an unauthorized person to read text messages, videos, audios, or files by surreptitiously listening to the communication, as data is no longer sent in plaintext.
This paper elaborates on the security architecture of WhatsApp and analyzes the various protocols used. We perform an extensive literature study from several online resources on WhatsApp and related concepts and use it to understand the working of the application and its security protocols. Also, while WhatsApp is a popular app for the mobile platform, its computer version can be accessed via a web browser or by installing an app for the Windows or macOS platform. Since a phone number is required as the primary identification of a user, the QR code needs to be
…(Full text truncated)…
This content is AI-processed based on ArXiv data.