Lately, Apple has been getting a lot of heat over its encryption and security strategies, on everything from how data on its devices is locked down to the lack of encryption keys for iMessage and FaceTime needed to secure communications. On top of that, WhatsApp announced today that its encryption will be end-to-end, which makes it quite a viable competitor.
Recently bought by Facebook (in 2014), WhatsApp, a play on the phrase “What’s up?”, is an app for interaction via text, voice and video. It is used internationally, both by users of the latest generation of phones and by users of older smartphones that can be found all around the planet, even in developing countries.
The EFF (Electronic Frontier Foundation), instituted in 2014 as an organization that has an evaluation scheme for how secure messaging apps can be, has evaluated both of these communication apps. It has seven criteria that deem an app either trustworthy or not.
One of the systems that scored badly in its evaluation is Skype, although it wouldn’t really seem like it, right? Among those that scored well was Apple, with 4 marks out of 7: for outside audits performed recently, effective documentation of the system, encryption in transit and messages that the provider can’t decrypt. It scored low, however, on the fact that there’s no way for the two parties in a conversation to determine if a third party is “eavesdropping”, that it doesn’t show the encryption code for outside review, and that messages captured in encrypted form can be decrypted later (the so-called forward secrecy criterion).
WhatsApp, on the other hand, is better than Apple on at least two counts. Firstly, it’s based on open source code, but it doesn’t let others evaluate it just yet. What is known is that it creates a key for every individual message.
This could also be done by Apple but it would require the reshaping of the system’s architecture.
What the EFF doesn’t evaluate, however, is how and where transcripts of messages are stored. Apple has an archiving system on iCloud that cannot be turned off, while WhatsApp’s archiving is optional, as you can delete all conversations within the app or store them on other platforms.
Also, it’s easy for the two parties in a conversation to determine if a third party is “snooping” via a certain protocol that forces the unwanted listener to be revealed. Through an optional verification step, the app asks each user to confirm that they have the same session information. The app notes that the conversation is encrypted and that each encryption key is unique to each user, and that code can be verified by both parties. If the codes don’t match, then it’s very possible that someone is listening in on the conversation, among other issues.
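The code comparison described above, sketched as an added example (this is not WhatsApp's code and not its actual derivation): each side derives a short numeric code from the two identity keys it sees, so a substituted key makes the two codes differ. The function names, the hashing scheme and the sample keys are assumptions constructed for illustration.

```python
import hashlib

def fingerprint(identity_key: bytes, rounds: int = 1000) -> bytes:
    """Iterated hash of one party's public identity key (illustrative scheme)."""
    digest = identity_key
    for _ in range(rounds):
        digest = hashlib.sha256(digest + identity_key).digest()
    return digest

def verification_code(my_key: bytes, their_key: bytes) -> str:
    """Code a user reads out or compares; order-independent so both sides agree."""
    first, second = sorted([fingerprint(my_key), fingerprint(their_key)])
    digest = hashlib.sha256(first + second).digest()
    # Six groups of five decimal digits, easy to compare by eye or by voice.
    groups = []
    for i in range(0, 24, 4):
        value = int.from_bytes(digest[i:i + 4], "big") % 100000
        groups.append(f"{value:05d}")
    return " ".join(groups)

def compare_views(a_self, a_peer, b_self, b_peer):
    """Return (code shown to A, code shown to B, whether they match)."""
    code_a = verification_code(a_self, a_peer)
    code_b = verification_code(b_self, b_peer)
    return code_a, code_b, code_a == code_b

# Constructed stand-ins for public identity keys (not real key material).
ALICE = hashlib.sha256(b"constructed alice identity key").digest()
BOB = hashlib.sha256(b"constructed bob identity key").digest()
INTERMEDIARY = hashlib.sha256(b"constructed intermediary key").digest()

def honest_session():
    # Each side sees the other's real key.
    return compare_views(ALICE, BOB, BOB, ALICE)

def intercepted_session():
    # A third party in the middle has handed its own key to both sides.
    return compare_views(ALICE, INTERMEDIARY, BOB, INTERMEDIARY)

if __name__ == "__main__":
    for name, session in (("honest", honest_session), ("intercepted", intercepted_session)):
        code_a, code_b, match = session()
        print(f"{name}: A sees {code_a} | B sees {code_b} | match={match}")
```

The comparison only helps if the codes are exchanged over a channel the third party does not control, such as in person or on a call where the users recognise each other's voice.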
Finally, for all its high points, WhatsApp does not undergo regular auditing, so it’s very hard to keep track of how their system changes.