Evaluating Security of Messaging Apps Like WhatsApp and Signal

Introduction

Messaging apps such as WhatsApp, Signal and Telegram have become immensely popular in recent years. Billions of users rely on them daily for communication. However, many questions remain about the privacy and security promises these apps make. In this article, I evaluate the security of WhatsApp and Signal, two of the most popular secure messaging apps.

Encryption Schemes

WhatsApp

  • WhatsApp uses the Signal Protocol for end-to-end encryption.
  • The protocol provides communications secrecy through:
      • Encrypted group chats
      • Encrypted calls
      • Encrypted media transfers
  • Key aspects of the Signal Protocol:
      • Uses Curve25519 for key exchange
      • Relies on AES-256 for encryption
      • Uses HMAC-SHA256 for message authentication
      • Provides forward secrecy through ephemeral keys
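
To make the last two points concrete, here is an added example (not code from WhatsApp, Signal or the Signal Protocol libraries) of a symmetric KDF chain built only from HMAC-SHA256, in the style of the Signal Protocol's sending chain. It assumes a shared secret that in the real protocol would come from the Curve25519 agreement; here that secret is a constructed constant. The point it demonstrates is forward secrecy: once a chain key has been advanced and the old one discarded, the message keys derived before that point cannot be recomputed from the state that remains.

```python
import hashlib
import hmac

# Added example, not code from WhatsApp or Signal: a symmetric KDF chain in
# the style of the Signal Protocol's sending chain. Each step derives one
# message key and the next chain key with HMAC-SHA256 and then forgets the
# chain key it started from. A chain key obtained later can only be run
# forward, so earlier message keys stay out of reach (forward secrecy).
# The Curve25519 agreement that seeds the chain is replaced by a
# constructed shared secret.


def kdf_chain_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Return (next_chain_key, message_key) for one ratchet step.

    The distinct one-byte inputs 0x01 and 0x02 keep the two outputs
    independent; the Signal Protocol's chain KDF uses the same constants.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


class SymmetricChain:
    """Keeps only the *current* chain key; advancing overwrites the old one."""

    def __init__(self, shared_secret: bytes) -> None:
        # Initial chain key derived from the (constructed) shared secret.
        self.chain_key = hmac.new(b"chain-init", shared_secret, hashlib.sha256).digest()
        self.counter = 0

    def next_message_key(self) -> tuple[int, bytes]:
        """Advance the chain and return (message_number, message_key)."""
        self.chain_key, message_key = kdf_chain_step(self.chain_key)
        number = self.counter
        self.counter += 1
        return number, message_key


def keys_reachable_from(chain_key: bytes, count: int) -> list[bytes]:
    """All message keys derivable by running the chain *forward* from chain_key."""
    keys = []
    for _ in range(count):
        chain_key, message_key = kdf_chain_step(chain_key)
        keys.append(message_key)
    return keys


def demo_forward_secrecy(total_messages: int = 6, compromise_after: int = 3) -> dict:
    """Drive a sender and receiver in lockstep, snapshot the sender's chain
    state after `compromise_after` messages, and report which message keys
    that snapshot can still yield."""
    secret = hashlib.sha256(b"constructed shared secret, not a real DH output").digest()
    sender, receiver = SymmetricChain(secret), SymmetricChain(secret)

    sent, received = [], []
    snapshot = None
    for i in range(total_messages):
        sent.append(sender.next_message_key()[1])
        received.append(receiver.next_message_key()[1])
        if i + 1 == compromise_after:
            snapshot = sender.chain_key  # state that might leak from a device later

    later_keys = keys_reachable_from(snapshot, total_messages - compromise_after)
    return {
        "keys_agree": sent == received,
        "all_distinct": len(set(sent)) == total_messages,
        # Keys of messages sent before the snapshot: not among anything the
        # snapshot can derive (HMAC cannot be run backwards).
        "earlier_keys_recoverable": any(k in later_keys for k in sent[:compromise_after]),
        # Keys of messages sent after the snapshot: derivable. Protecting those
        # needs the DH ratchet with fresh ephemeral keys, which this symmetric
        # chain alone does not provide.
        "later_keys_recoverable": later_keys == sent[compromise_after:],
    }


if __name__ == "__main__":
    print(demo_forward_secrecy())
```

The symmetric chain covers only the "cannot go backwards" half of the story; the "cannot go forwards indefinitely" half (often called post-compromise security) is what the ephemeral Curve25519 keys in the DH ratchet add on top, which is why the protocol combines both.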

Signal

  • Signal also uses the Signal Protocol developed by Open Whisper Systems.
  • Therefore, it provides encryption schemes and security features similar to WhatsApp.
  • Some additional aspects:
      • Uses sealed sender for enhanced privacy
      • Enables encrypted group video calls
      • Open source protocol

Comparison

  • Both WhatsApp and Signal use the Signal Protocol for end-to-end encryption.
  • The core encryption, secrecy and authentication mechanisms are the same.
  • Signal’s open source nature provides more transparency.

Key Verification

  • Key verification prevents man-in-the-middle (MITM) attacks.
  • WhatsApp has QR code scanning for key verification.
  • Signal uses key fingerprints visible on user profiles.
  • Signal’s method is more thorough but complex.
  • WhatsApp’s method is easier but less secure.
  • Neither app forces users to verify keys.
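
The following is an added example (not Signal's or WhatsApp's code) of what a key-verification check does under the hood. Each side reduces the identity public keys it believes belong to the conversation to a string of digits; if the two users read the same digits to each other over a channel they trust, the keys were not substituted in transit. The layout (iterated SHA-256, 30 digits per key, the two halves sorted so both sides compute the same string) is loosely modelled on Signal's safety numbers; the iteration count, the identifiers and the identity keys are constructed for this example.

```python
import hashlib

# Added example, not Signal's or WhatsApp's code: out-of-band key
# verification. A numeric fingerprint is derived from the identity public
# keys each side believes belong to the conversation. Equal strings on both
# sides mean both hold the same keys; a substituted key shows up as a
# mismatch. Iteration count, identifiers and keys below are constructed.

ITERATIONS = 5200  # chosen for this example; slows brute-forcing of a short fingerprint


def key_fingerprint(identity_public_key: bytes, identifier: bytes) -> str:
    """Reduce one identity key to 30 decimal digits a human can read aloud."""
    digest = b"\x00\x00" + identity_public_key + identifier
    for _ in range(ITERATIONS):
        digest = hashlib.sha256(digest + identity_public_key).digest()
    digits = ""
    for offset in range(0, 30, 5):  # 6 chunks of 5 bytes -> 6 x 5 digits
        chunk = int.from_bytes(digest[offset:offset + 5], "big")
        digits += f"{chunk % 100000:05d}"
    return digits


def safety_string(local_key: bytes, local_id: bytes,
                  remote_key: bytes, remote_id: bytes) -> str:
    """Both parties compute this; sorting makes the result order-independent."""
    halves = [key_fingerprint(local_key, local_id), key_fingerprint(remote_key, remote_id)]
    return "".join(sorted(halves))


def display_groups(safety: str) -> str:
    """Format the 60 digits in groups of five for comparison on screen."""
    return " ".join(safety[i:i + 5] for i in range(0, len(safety), 5))


def verification_matches(local_view: str, remote_view: str) -> bool:
    """The check the users perform: do the strings they each see agree?"""
    return local_view == remote_view


def demo() -> dict:
    # Constructed stand-ins for 32-byte Curve25519 identity public keys.
    alice_key = hashlib.sha256(b"constructed: alice identity key").digest()
    bob_key = hashlib.sha256(b"constructed: bob identity key").digest()
    substituted_key = hashlib.sha256(b"constructed: key a relay swapped in").digest()

    # Honest key distribution: both sides see the same two keys.
    alice_honest = safety_string(alice_key, b"alice", bob_key, b"bob")
    bob_honest = safety_string(bob_key, b"bob", alice_key, b"alice")

    # Key substitution: Alice was handed a different key for Bob. Bob's view
    # is unchanged, so the two strings disagree and the comparison catches it.
    alice_tampered = safety_string(alice_key, b"alice", substituted_key, b"bob")

    return {
        "honest_match": verification_matches(alice_honest, bob_honest),
        "tampered_match": verification_matches(alice_tampered, bob_honest),
        "digits": len(alice_honest),
        "shown_to_alice": display_groups(alice_honest),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison only helps when the two strings are actually read across a trusted channel (in person, or a voice call whose participants recognise each other), and, as the list above notes, neither app makes users do that; the check is only as good as the habit of performing it.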

Group Chats

  • Encrypted group chats are important for privacy.
  • Both apps provide end-to-end encrypted group chats.
  • However, flaws have been found in WhatsApp’s implementation.
  • Researchers were able to infiltrate WhatsApp groups because of cryptographic failures.
  • No such flaws have been reported in Signal group chats so far.

Backups

  • WhatsApp backups on Google Drive are not encrypted.
  • This means backed up chats are accessible to Google.
  • Signal does not allow backups at all.
  • Signal’s approach is more privacy preserving.

Metadata Protection

  • Metadata such as contact lists and group memberships can reveal a great deal.
  • WhatsApp does not hide most metadata from servers.
  • Signal uses sealed sender to encrypt metadata.
  • Signal also has anonymous usernames hiding phone numbers.
  • Signal’s metadata protection is superior.

Audits and Code Transparency

  • Independent audits improve confidence in security.
  • Signal is open source so code can be audited.
  • WhatsApp’s code is closed source and not audited.
  • Signal also undergoes regular security audits.
  • WhatsApp security relies solely on Facebook’s claims.

Conclusion

  • WhatsApp and Signal both provide secure encrypted messaging through the Signal Protocol.
  • However, Signal scores better in terms of metadata protection, code transparency and independent audits.
  • WhatsApp backs up chats insecurely and has group chat vulnerabilities.
  • For most users, WhatsApp may be secure enough, but for high-risk users Signal is the better choice.
  • No system is perfect, but Signal appears to provide the most secure messaging currently available.