Reported “backdoor” in WhatsApp is in fact a feature, defenders say

Enlarge

The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook’s WhatsApp messaging service allows attackers to intercept and read encrypted messages. It’s not a backdoor—at least as that term is defined by most security experts. Most would probably agree it’s not even a vulnerability. Rather, it’s a limitation in what cryptography can do in an app that caters to more than 1 billion users.

At issue is the way WhatsApp behaves when an end user’s encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.

Critics of Friday’s Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.