WhatsApp ‘Spyware’ Claim—Are Your Messages Being Read?

Updated Jul 18, 2024, 05:00pm EDT

Perception fast becomes reality when it comes to the privacy and security of our phones. This is the halo that Apple’s iPhone trades on and Google’s Android battles to attain. It’s the reason millions think Telegram is fully secure when it isn’t, and it’s why Signal hit back so hard when Elon Musk questioned its security a few weeks ago.

Musk doesn’t especially care about Signal—he famously advocated for the platform in the past. But he does care about WhatsApp, its Meta ownership and especially its CEO Mark Zuckerberg, with whom he has an ongoing spat.

So there was little surprise when Musk picked up on an X post that suggested a chat on WhatsApp prompted targeted ads on Instagram. “If WhatsApp messages are end-to-end encrypted,” the post asked, “why am I seeing ads for a bag out of the blue?”

“Because it’s spyware,” Musk replied.

Perception versus reality. This is awkwardly timed for WhatsApp. Musk’s post came just 48 hours after a new security warning suggested WhatsApp’s desktop app was so insecure that “malware could theoretically monitor [incoming WhatsApp messages] and send them live to a remote server, rendering end-to-end encryption useless.”

That report from researcher Tommy Mysk suggested this kind of backdoor was opened by WhatsApp’s poor desktop architecture, with its failure to sandbox data from other apps and processes—unlike, for example, iMessage. The warning covered both WhatsApp and Signal and was serious enough to prompt some security experts to either confirm they don’t use desktop apps or say they’re now stopping their use.


As Mysk told me “both the macOS apps of Signal and WhatsApp store their local data in a location accessible to any app or process run by the user. This local data includes the chat history, the very thing such apps are marketed to protect with end-to-end encryption. There wouldn't be an issue if the data were encrypted, as one would expect from the leading secure chat apps. Sadly, both apps let their users down here.”

In response to that research, a WhatsApp spokesperson told me that “WhatsApp builds our apps to the specifications provided by the operating system. We do use a sandbox provided by MacOS, which comes with some end-point protections. We’re looking forward to the security upgrades coming with macOS Sequoia, which will make it harder for other apps to access content stored on device.”

Perception versus reality. There’s a phone versus laptop point at play here, and a question as to whether all security considerations have been applied even within the restrictions of a more open laptop OS. The vulnerability remains, though.

And that’s not the only security/privacy issue that has been raised recently. Just a month before this latest twist, the same characters were at play again: Musk warned that WhatsApp exports his data each night, WhatsApp denied the claim, and Mysk then pointed out the difference between encrypted data and metadata.

The issue for WhatsApp is that these stories delve into the little discussed or understood world of end-to-end encryption, what it is and—critically—what it isn’t. That encryption protects your data from when it leaves your device until it is received and decrypted by those you message. It is a transmission security layer. And while that encryption can be extended to backups and data at rest on your device, the recent desktop app warning clearly shows that this isn’t a prerequisite or a default.

Some security commentators have been quick to point out that unencrypted data at rest on an endpoint—a Mac, for example—is not a security vulnerability per se. After all, if an attacker controls a device they control your data. But Mysk’s point is that malware could open up remote access to that data, which could easily be protected.

“WhatsApp doesn't encrypt the local database that stores chat histories,” Mysk says of its desktop app. “It doesn't encrypt media attachments sent through the chat either.”
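The practical way to verify the claim above for any messaging client is a canary test: send yourself a unique string, then scan the app’s data directory for its raw bytes; a hit means the message sits on disk in plaintext, readable by any process running as the same user. The following is an added illustration, not code from the article or from WhatsApp, and it simulates the client’s local store with a constructed SQLite file in a temporary directory.

```python
import os
import sqlite3
import tempfile

# Constructed canary string; in practice send yourself something equally unique.
CANARY = "canary-7f3a9c-do-not-reuse"


def build_sample_store(path: str) -> None:
    """Build a constructed chat store that mimics an unencrypted local database."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO messages (sender, body) VALUES (?, ?)",
        [("alice", "see you at 6"), ("me", CANARY), ("bob", "ok")],
    )
    con.commit()
    con.close()


def files_exposing(root: str, canary: str) -> list[str]:
    """Return every file under root whose raw bytes contain the canary.

    No database driver is used on purpose: the test is whether the plaintext is
    recoverable by simply reading the files, which is exactly what any other
    process run by the same user could do.
    """
    needle = canary.encode()
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    if needle in fh.read():
                        hits.append(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
    return sorted(hits)


def demo() -> tuple[list[str], list[str]]:
    """Run the audit on the constructed store: (files leaking the canary, hits for an absent string)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_store(os.path.join(root, "chat.db"))
        hits = [os.path.basename(p) for p in files_exposing(root, CANARY)]
        misses = files_exposing(root, "absent-string-constructed")
    return hits, misses


if __name__ == "__main__":
    print(demo())
```

Point `files_exposing` at a real client’s data directory (a placeholder here, since the article names none) after sending the canary; an empty result for a message you know was delivered is what an encrypted-at-rest store should produce.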

For now, the latest security warning relates to desktop and not iOS or Android apps, and the metadata analysis claims that continue to lurk in the background have little new substance. I still recommend WhatsApp as a daily messenger, but would suggest you consider unlinking your desktop apps if you have any reason to be concerned.


But let’s play a different game and look at the other implications if we link these various stories together. If end-to-end encryption is limited to transmission security, it supports the argument being made in Europe for device-side scanning of links and attachments before they’re sent, which would add similar device-side vulnerabilities to Mysk’s desktop warning. It also raises a dark new question.

Hypothetically, of course, what would stop a company with multiple apps on a device from analyzing user messages before they’re encrypted and sent, or after they’re received and decrypted? All device-side, all automated, no data egressed, with the results shared between apps on the device to target ads, and all without compromising end-to-end encryption.

Perception versus reality…
