Sophos Cloud Optix
A group of budding security researchers at the University of New Haven (UNH) in Connecticut, USA, recently taught themselves a handy lesson about the difference between liking something and trusting it.
The starting point of this story is a public admission, by students in the UNH Cyber Forensics Research & Education Group, that they “think WhatsApp is a great application.”
WhatsApp, in case you aren’t a fan yourself, is an online instant messaging service for phones and tablets that has the primary selling point that it allows you to exchange messages without having to pay for SMSes.
If you’re hooked on SMSing, and you send 1000 messages a month at 10 cents each, that is, indeed, quite a selling point.
So you’d imagine that an app of that sort might end up being fairly popular, but WhatsApp went way past that point, and was acquired recently by Facebook for an astonishing $19,000,000,000.
That sort of popularity and financial power means that WhatsApp handles a lot – an awful lot! – of personally identifiable information (PII) from and about its users, who in turn have to trust that the company does the right thing when it comes to guarding their privacy.
History suggests, however, that such trust is misplaced.
WhatsApp’s chequered security history
WhatsApp, indeed, has made various worrying privacy blunders in its brief history.
One blunder involved using non-secret information to construct secret encryption keys, which is a bit like using your pet’s name as a login password.
Another blunder involved the two-time use of a one-time pad – a cryptographic technique requiring, as its name suggests, that you never re-use its key material.
And Jan Koum, CEO of WhatsApp, went public recently to assert that “[r]espect for your privacy is coded into our DNA,” even though little more than a year had passed since the company was censured by Canadian and Dutch privacy authorities for violating privacy rules in both countries.
So it’s not surprising that our New Haven researchers decided to put WhatsApp’s latest smartphone software to the test.
Does the WhatsApp app really care about your privacy as much as you’d hope by now?
More trouble at t’mill
Sadly, the students found yet another badly-implemented aspect of WhatsApp's code.
Simply put, they noticed that when they shared their location, the WhatsApp software “called out” to Google Maps …
…without using Secure HTTP, better known as HTTPS.
What that means is that attackers who can sniff network traffic between your phone and Google’s servers can pinpoint you as soon as you share your location with other WhatsApp users.
The attackers don’t even have to be WhatsApp users themselves.
The New Haven students demonstrated this in fine style in a video in which they used the network sniffing tool NetworkMiner, running on Windows, to capture WhatsApp traffic to and from an Android phone.
NetworkMiner didn’t just intercept the geolocation co-ordinates on their way to Google, but also sniffed, recorded and handily popped up on screen the Google Maps image that came back.
In other words, the flaw didn’t just tell the researchers where their phone was located, it handily showed them on a map, pinpointed with one of those little red “golf tees” which with Google denotes locations.
What to do?
We’ve written before on Naked Security about one group of “attackers” who happily make hay while mobile apps shine forth their data, namely the intelligence services.
And we’ve written about how hard it is to judge whether special-purpose mobile apps – such as those for banking – should be considered safe to use at all.
WhatsApp, sadly, yet again joins the list of mobile apps that simply didn’t get it right.
The good news is that WhatsApp responded positively to the New Haveners’ report, and has claimed that the flaw will be fixed in the next release of the software.
Until then, our researchers warn, don’t share your location with your friends on WhatsApp.
hoping they get it right only just made decision to download app.
I don’t share my location with whatsapp because I don’t want whatsapp to monitor my location. I’m not under surveillance by GCHQ/NSA, but I am monitored 24/7 by private corporations. I need to have a realistic threat model for me personally.
I guess it would be different under a real repressive regime – e.g. one where the threat is arrest, torture and a shallow grave.
But surely if you live in a place like that, it would not be a good idea to attach your location when you post your latest beheading video to your chums. Even if whatsapp reaches an impossible total security, the security forces could get your location when they arrest a chum and search their phone/computer ?
“I’m not under surveillance by GCHQ/NSA”
How do you know you’re not?
That’s easy. NSA/GCHQ could certainly track me. There’s just no reason for them to want to. They don’t have the resources to track all the people the should be interested in, let alone waste resources on millions of ordinary people. For information corporations tracking ordinary people is not a waste, it is their business.
The sent him a letter in the mail congratulating him on his new job promotion, sending condolences for his Great Aunt Sally passing, and letting him know his worries were for nothing with reassurance that they were definitely not watching him.
How can you not share your location with Whatsapp? I tried to install it on my phone, but I had to stop because it said it would need access to my location. Can you teach me how to install Whatsapp without giving the application access to your location? How did you do ti?
In lollipop at least you can turn on app permissions under settings > security and the first time whatsapp needs your location the OS will confirm it with you before giving whatsapp that data.
I’m not sure that this one is as big an issue as the other WhatsApp one.
While it’s still a security misstep to be sending customer PII over a cleartext channel, everyone on a local network (wifi hotspot, LAN, etc) already knows where the person is located, and anyone sniffing the packets further upstream, if looking for a specific whatsapp user/user’s IP, already has their IP geolocation info. Google obviously knows where they’re located, as does What’sApp, and any government metadata collector can already get enough information off of this to locate them as well.
So while by default, the level of security is definitely sub-par, the specific leak is really not such a big deal in my opinion.
This definitely points to a longer-running issue with WhatsApp in that what their marketing and management departments claim about their security is a far cry from the implementation, which points to possible further internal issues regarding corporate communication and software engineering.
So in my opinion, sharing your location with friends on WhatsApp isn’t a big deal in itself — but possibly using WhatsApp instead of one of the more secure-by-design alternatives is, if you are concerned about privacy.
Though IP geolocation data is often much less precise than the data you may be in the process of sharing (e.g. a 3G network IP number versus GPS co-ordinates).
The government is definitely not monitoring our communications at all times, and if they were, it would only be to catch terrorists and other national threats. Because it is illegal to lie on the internet, you can completely trust me in saying this.
When you people write this stuff do you ever stop to think telling people what apps to use to be able to do this might not be a smart ideal! Maby you get some kick backs for the free advertising for mentioning their products i don’t know.
so what? If someone is sniffing your network then it means he’s next to you anyways (at least the same facility). They already know your location. duh.
Next to you. Or near you. Or somewhere else on the same network. Or somewhere on the network your traffic passes through downstream on the way to Google, or looking the logs of a proxy server somewhere between you and Google, etc.
The data should have been encrypted, no ifs or buts.