WhatsApp: Sitting On A Security Time Bomb

Is WhatsApp, undoubtedly one of the most widely used third-party cross-platform messaging apps, turning into one of the biggest security messes in the making? According to a recently published report in Android Police, WhatsApp chats from other devices on the same Wi-Fi network can now be easily read using an app called ‘WhatsAppSniffer’.

Simply put, this means that anyone on a Wi-Fi network can pull entire WhatsApp conversations, pictures and videos included, from any other device on that network using WhatsApp Sniffer. Because WhatsApp sends all chats in plaintext, the sniffing is all the easier. “It's basically just a packet sniffer, but it makes the process of pulling WhatsApp chats out of the sky stupid-easy, and that's never a good thing,” says the report.

The popularity of WhatsApp and the breadth of its user base only make the situation scarier. With around 500,000 users giving it five stars on the Play Store, to say nothing of download counts across platforms, this security lapse in WhatsApp is nothing less than a time bomb waiting to explode.

We probably never think about how WhatsApp carries our messages, because as far as third-party chat apps go it has become one of the obvious choices, offering free cross-platform messaging to users of iOS, Android, BlackBerry and more. Add to this the free public Wi-Fi increasingly available in hotels, restaurants, airports and the like, and the problem only multiplies.

For CIOs and CISOs this might be one more addition to a growing list of security nightmares. On the enterprise front, with BYOD gaining momentum and many Gen-Y users hooked on WhatsApp, this could turn out to be a much bigger security threat. News of a serious security lapse such as this could give CIOs reason enough to re-evaluate their BYOD strategies.

“Considering the given context and as security is the utmost concern for us, we have decided to be very restrictive in the adoption of the BYOD concept in our organisation,” says Daya Prakash, CIO, LG Electronics.

“There is a need for robust antivirus for mobile platforms also as there are not many reliable solutions for malicious codes in terms of mobile devices,” suggests Manish Dave, CISO, ESSAR Group.

According to the report, the issue presently affects Android, iOS and Symbian, and there is no word yet on whether it works on Windows Phone. It further notes that because BlackBerry uses its own servers instead of WhatsApp's, it is actually secure on that front. This may lead organisations to rely on BlackBerry alone, and may give rise to something like a restricted form of BYOD.

The WhatsApp team has reportedly been aware of this issue for nearly a year but still hasn’t fixed it. In fact, the issue first surfaced on YourDailyMac back in May 2011 and again on Packet Storm in December 2011, and was ignored by WhatsApp each time.

The safer practice is to use apps that encrypt messages with a 256-bit AES key or that protect their connections with SSL. But if you still want to stick with your favourite WhatsApp, use it only on your 2G or 3G network or on your private Wi-Fi.
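To make the difference between a plaintext and an SSL/TLS-protected transport concrete, the following Go program is an added example for this article; it is not code from Android Police, WhatsApp or the sniffer tool. It relays a chat line from a client to a server through an in-process tap that records everything sent in the client-to-server direction, standing in for the view any device on the same Wi-Fi network has of the traffic, and then checks whether the line is readable in that capture with and without TLS. The server name chat.example.test, the self-signed certificate and the sample chat line are constructed for the example; only the standard library (net.Pipe and crypto/tls) is used, so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync"
	"time"
)

// serverName is a constructed placeholder, not a real chat service host.
const serverName = "chat.example.test"

// selfSignedCert builds a throwaway certificate for the in-process server and
// returns it with its parsed form, so the client trusts exactly this one cert.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{serverName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: we just produced this DER
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// sendThroughTap delivers msg from a client to a server across a relay that records
// every byte travelling client->server, and returns what the relay observed.
func sendThroughTap(msg string, useTLS bool) ([]byte, error) {
	clientEnd, tapIn := net.Pipe()
	tapOut, serverEnd := net.Pipe()
	var seen bytes.Buffer
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { // client -> server, copied into seen on the way through
		defer wg.Done()
		io.Copy(tapOut, io.TeeReader(tapIn, &seen))
		tapOut.Close()
	}()
	go func() { // server -> client
		defer wg.Done()
		io.Copy(tapIn, tapOut)
		tapIn.Close()
	}()
	var client, server net.Conn = clientEnd, serverEnd
	if useTLS {
		cert, leaf, err := selfSignedCert()
		if err != nil {
			return nil, err
		}
		pool := x509.NewCertPool()
		pool.AddCert(leaf)
		server = tls.Server(serverEnd, &tls.Config{Certificates: []tls.Certificate{cert}})
		client = tls.Client(clientEnd, &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12})
	}
	errCh := make(chan error, 1)
	wg.Add(1)
	go func() { // the server only drains what arrives; a real one would parse messages
		defer wg.Done()
		_, err := io.ReadAll(server)
		server.Close()
		errCh <- err
	}()
	if _, err := io.WriteString(client, msg); err != nil {
		return nil, err
	}
	client.Close()
	wg.Wait()
	if err := <-errCh; err != nil {
		return nil, err
	}
	return seen.Bytes(), nil
}

// readableOnTheWire reports whether msg appears verbatim in what the relay captured.
func readableOnTheWire(msg string, useTLS bool) (bool, error) {
	seen, err := sendThroughTap(msg, useTLS)
	return bytes.Contains(seen, []byte(msg)), err
}

func main() {
	for _, useTLS := range []bool{false, true} {
		visible, err := readableOnTheWire("constructed sample chat line: see you at 9", useTLS)
		fmt.Printf("tls=%v message readable on the wire=%v err=%v\n", useTLS, visible, err)
	}
}
```

Run with `go run`: the plaintext pass reports the message as readable and the TLS pass does not, even though the tap captured every byte of the handshake and the encrypted record. The client trusts only the one certificate it was handed (RootCAs plus ServerName) rather than disabling verification, because an app that skips certificate checks is still exposed to anyone on the same network who can pose as the server.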