WhatsApp is improving security on its web app - but is it doing enough?
WhatsApp came under fire this month for asking users to consent to data being shared with Facebook by February 8 in order to continue using the app.
The app recently extended that timeline to bring the policy into effect on May 15, giving the app more time to convince users that their data is in good hands despite Facebook’s more than questionable track record.
This week, WhatsApp revealed on Twitter that it will be increasing the security of its desktop and web apps.
Going forward, desktop users with compatible phones will be asked to confirm their identity with their face or fingerprint before scanning the QR code as usual to link a WhatsApp account on the web.
According to the app, this will limit the possibility that someone else in your home or workplace could link devices to your WhatsApp account without your knowledge. WhatsApp has also reassured users that the face and fingerprint authentication process takes place on the device and that the app cannot access the biometric data stored on its users’ phones itself.
We reached out to security experts from Kaspersky and F-Secure to find out whether WhatsApp is doing enough to keep our data safe. Here’s what they said.
“The aim of WhatsApp’s latest privacy tool is to secure access to the desktop and web versions of the messaging platform”, said Kaspersky’s Principal Security Researcher David Emm.
“Now, in order to log in, people must unlock their phone and scan the QR code, thereby providing a second factor of authentication. Since WhatsApp requires you to use Touch or Face ID to do this, it will prevent unauthorised actors from accessing WhatsApp Desktop or WhatsApp Web, even if they have obtained access to your mobile. This in turn makes the platform more secure as in theory only the device owner will be able to log in on the web. However, it’s worth noting that if somebody else has access to your phone, they can still access WhatsApp on the device itself, since there is no two-factor authentication (2FA) process for the app.
“It’s great to see 2FA processes beginning to be used in communication platforms to keep personal details and conversations secure, but far more is needed for consumers to be able to trust that their data is fully secure”.
F-Secure’s Tactical Defence Principal Researcher Jarno Niemela pointed out other issues with face and fingerprint unlock: namely, that the safety of these features depends heavily on the device they run on and the location of the user.
“Given that WhatsApp can only use the biometric capabilities provided by a phone operating system, the technical security level depends on the user’s phone”, explained Niemela.
“For example, in iPhones, the facial recognition uses Apple FaceID, which is as secure as facial recognition can be. But even with the highest quality devices, the use of biometric is a matter of operational security, so whether it is safe enough to use depends on who you are and who is targeting you.
“There are also cultural differences at play here: users that are based in a country where officials can be trusted and there is no danger of coercion can use biometric rather safely, whereas someone in an authoritarian country may find biometric identification is a liability.
“For fingerprint biometrics, consumers need to be aware that they leave fingerprints everywhere, so using a finger that seldomly leaves prints such as the little finger might be a good idea.
“Biometrics should be used for ease of use; however, it is important to understand that once your biometric data is compromised it cannot be changed, so using additional security controls would be ideal”.
In the meantime, rival messaging apps have been taking advantage of WhatsApp’s lapse in user trust by making it easier than ever to migrate to their services. Signal has seen a surge in new users joining its platform in January, while Telegram has made it possible to transfer existing WhatsApp chats over to its encrypted service.