SSL PROBLEMS IN WHATSAPP

With more than 450 million users and a price tag of 19 billion USD, WhatsApp has become one of the largest cross-platform text messaging and multimedia apps. However, as new reports have shown, the security of this text messaging service may be inconsistent with what they advertise, leaving their 450 million users in jeopardy. To make sense of this, we ran diagnostics on their website and on the app itself to see what problems we could find.

 

Whatsapp.com - After testing their site against the important aspects of SSL (certificate type, protocol support, etc.), their overall score was only a “B”. The DigiCert certificate they are using is from one of the most trusted brands, giving them an overall certificate score of 100. Protocol support, on the other hand, only received an overall score of 70 because SSL session resumption is not configured correctly, so returning clients must repeat the full handshake with its asymmetric cryptography, which results in higher CPU and bandwidth consumption. This, on top of the fact that their server does not support the current TLS protocol (TLS 1.2), has given them an overall “B” rating.

 

WhatsApp (Application) - The most serious security risk associated with the application is that it does not enforce “certificate pinning”. Certificate pinning allows an application to specify which server certificates it trusts. The purpose of this is to increase network security by reducing the potential for man-in-the-middle attacks that “rely on spoofing the certificate for a trusted site”. Most major web browsers support certificate pinning; mobile apps, however, have been slow to adopt these policies, leaving users vulnerable to cyber criminals.
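
An added example, not WhatsApp's code, of the pinning check described above: after the normal CA and hostname validation, the client compares the SHA-256 fingerprint of the server's certificate against a set shipped with the app. The names `is_pinned`, `connect_pinned` and `PinMismatch` are hypothetical, and the pin values are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed placeholder pins: SHA-256 over the DER-encoded certificate.
# A real app would ship the fingerprints of its own server certificate
# plus at least one backup so a planned rotation does not lock users out.
PINNED_SHA256 = frozenset({
    hashlib.sha256(b"constructed-primary-cert-der").hexdigest(),
    hashlib.sha256(b"constructed-backup-cert-der").hexdigest(),
})


class PinMismatch(Exception):
    """Chain validated against the CA store, but the certificate is not pinned."""


def is_pinned(der_cert, pins=PINNED_SHA256):
    """Return True only if the certificate's SHA-256 fingerprint is pinned."""
    if not der_cert:  # no certificate presented: fail closed
        return False
    return hashlib.sha256(der_cert).hexdigest() in pins


def connect_pinned(host, port=443, pins=PINNED_SHA256, timeout=10.0):
    """Open a TLS connection that passes both CA validation and the pin check."""
    ctx = ssl.create_default_context()  # CA chain and hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # A spoofed certificate issued by any CA the device trusts gets this far;
    # the pin comparison is what rejects it before application data is sent.
    if not is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise PinMismatch(f"certificate for {host} is not in the pinned set")
    return tls
```

Pinning the whole certificate means the pin set must be updated whenever the certificate is reissued, which is why the set carries a backup entry.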

 

The information provided should give our readers a better view of the WhatsApp application and hopefully allow them to make an educated decision when it comes to transferring personal information on that platform. For more information about correctly installing SSL, or for help purchasing a certificate, please feel free to contact us.
