WhatsApp, the popular communication app which markets end-to-end encryption as its prime feature, has denied that it deliberately left a backdoor open for governments to snoop on its users' communications.
The question was raised by a recent report claiming that WhatsApp was vulnerable and could be exploited by governments.
Brian Acton, WhatsApp co-founder, posted a comment on the social networking platform Reddit: “WhatsApp does not give governments a “backdoor” into its systems. WhatsApp would fight any government request to create a backdoor. Since April 2016, WhatsApp messages and calls are end-to-end encrypted by default. WhatsApp also offers people a security notifications feature that alerts them when people change keys so that they can verify who they are communicating with.”
The Guardian newspaper reported that WhatsApp messages could be read without its billion-plus users knowing, due to a security backdoor in the way the company has implemented its end-to-end encryption protocol.
Tobias Boelter, a cryptography researcher at the University of California, told the Guardian, “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”
Boelter said he had reported the backdoor vulnerability to Facebook in April 2016 and was told that Facebook was already aware of the issue but that it was not actively being worked on.
The company said in a statement that it provided a “simple, fast, reliable and secure” service.
It said there was a way of notifying users when a contact’s security code had changed.
“We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp... In these situations, we want to make sure people’s messages are delivered, not lost in transit,” it said in a statement.
But the Guardian said it had verified that the security backdoor still exists.
The report was also denied by Moxie Marlinspike, founder of Open Whisper Systems, the group that built the encryption system for WhatsApp and for the open source messaging application Signal.
“WhatsApp gives users the option to be notified when those changes occur,” he said in a blog post on Open Whisper Systems’ website.
He further said that “under no circumstances is it reasonable to call this a “backdoor”, as key changes are immediately detected by the sender and can be verified”.
To enable these notifications, go to WhatsApp Settings -> Account -> Security and turn on “show security notifications”.
This ensures that a user gets a notification every time a contact’s security code changes, for example when the contact changes device or reinstalls WhatsApp.
“Your calls and the messages you send are encrypted regardless of this setting, when possible,” the setting claims.
Some security experts advise switching to open source apps such as Signal.