Is WhatsApp secured for Group Chats?


WhatsApp is an extremely popular mobile messaging service with more than 1 billion daily users. It is really an amazing figure, and the company prides itself in the apparent security it affords for all its users. Some of your most personal moments are shared with WhatsApp, which is why WhatsApp had built an end-to-end encryption system into the latest versions of the app. Back in May 2016, WhatsApp has introduced this end-to-end encryption for all its users across its platform. With end-to-end encryption, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.


Tech giants and researchers are however questioning about the Encryption standard, as there are multi-million users database out there on WhatsApp and if whether WhatsApp server is using the ultimate solution to safeguard its users’ identity. Therefore a million dollar question arises on the end-to-end encryption. Not to forget WhatsApp has implemented Moxie Marlinspike’s code.


Ideally, WhatsApp’s end-to-end encryption ensures that only you and the person you are communicating with can read what is sent, and nobody in between will be able to read it, not even WhatsApp. Your messages should be in your hands. That’s why WhatsApp says, they doesn’t store your messages on their servers once they are delivered to the recipient. And end-to-end encryption means that WhatsApp and third parties can’t read them anyway.


While this raised the bar for privacy in the digital messaging sphere, it has become increasingly difficult for the company to keep security standards up, especially when it comes to dealing with group chats. A report says that German researchers have now reportedly found a way to breach WhatsApp’s security and sneak into group chats. This raises a severe privacy concern. The research further said, “Anyone who has access to and controls over WhatsApp’s servers could insert new people into an otherwise private group without much hassle”.


So far we know that only an administrator of a WhatsApp group can invite new members, but WhatsApp does not have a mechanism to authenticate that invitation. Its servers can hence spoof the invitation allowing the addition of a new member to a group with no interaction on the part of the administrator. The smartphones of each participant in the group then automatically share secret keys with the new member, giving the new participant full access to future messages. However, the statement by Facebook, who owns WhatsApp, went along the lines, “not governments, not even us can read your messages.”


Facebook’s Chief Security Officer Alex Stamos, responded, “Read the Wired article today WhatsApp – scary headline! But there is no [sic] a secret way into WhatsApp groups chats.” Stamos further pointed out in his tweets that everyone in the group would see a message that a new member has joined, so this wouldn’t be a stealthy strategy for government spying. He further added, “The content of messages sent in WhatsApp groups remain protected by end-to-end encryption.”


WhatsApp uses part of a security protocol developed by Open Whisper Systems, a company that has its own fully secure messaging app Signal (for iOS and Android). However, it’s also good to be aware that not everyone trusts the company’s word, in part because of privacy issues surrounding its parent company Facebook and also its implementation of encryption.


WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.


If WhatsApp covertly changed security keys of a user, the company could, according to Tobias Boelter, a cryptography and security researcher at the University of California, ‘disclose its messaging records, and can effectively grant access due to the change in keys’ at the request of government agencies.


WhatsApp claims this loophole exists so that if someone changes their phone, their automatic security key, messages will still be sent so as not to disrupt service. This is, to be fair, a valid point, as not doing so would disrupt the service of 1 billion people relatively frequently. WhatsApp has recently released a feature which would enable its users to delete any message sent accidentally to another user or in a group provided the message is deleted within seven minutes of being sent. However, a new report has surfaced on the internet which claims that these deleted messages can be easily accessed. It seems that the deleted message is actually present in the notification log of the device.


Launch of WhatsApp Payments App…

After building a huge user base and features for individual consumers, the social media giant Facebook is now targeting small business in India to monetize its services further. Facebook which owns WhatsApp and Instagram has in the last one year started various initiatives that offer small business a host of services from targeted advertising, to marketplace, as well as communication services. Considering that India has more than 51 million small-scale business they are a client base for Facebook and the sheer number indicates an increased revenues.


The messaging app, WhatsApp has also announced the launch of its business app for small businesses. This is a part of the WhatsApp-for-Business initiative that was launched in September last year. The app was tested with MakeMyTrip and BookMyShow in India since September. While you book your ticket through Makmytrip.com, you will get the alert through WhatsApp message. The app aims to make it easier for small companies to connect with their customers and for individual WhatsApp users to connect to business.


To sell, the business can take a photo of the item, give it a product name, description and price and post it. However, the final transaction happens offline. WhatsApp Payments has been in works since last year and now, it’s finally available for users on both Android and iOS. WhatsApp promises that the Payments will enable normal users of the application to transfer money with the same ease as sending a text message. After the completion of the setup the user will be able to send other individuals using WhatsApp and Facebook. WhatsApp is also looking to venture into the digital payments space in India. The transactions in WhatsApp Payments will be made through bank accounts linked to Unified Payments Interface (UPI), allowing users transact between accounts of different banks.


WhatsApp commands a strong user base of 250 million across India. Introducing a person-to-person payment feature for all of them gives the messaging application an advantage from the get-go over other digital transaction applications. To put things in context, Paytm has 180 million users in the country, MobiKwik 25 million users across the country for a cashless, hassle-free experience while shopping, dining, travelling, whereas Google Tez another UPI-based payment application, crossed 12 million users in India last year, four months after its launch.


While not in India, there is also Facebook payments through which users can link their Messenger account to a debit card, and pay friends with a quick message, or make an e-commerce purchase via Messenger and Marketplace on Facebook.


WhatsApp has taken a few hits and been in the news recently and the somewhat limited understanding of encryption means it can be a bit confusing.