Instant messaging service Whatsapp has come under fire after it was revealed that some features of the app’s latest update are not protected by end-to-end encryption.
Messages sent via the app are protected by automatic end-to-end encryption. This means that any message sent is encrypted on the sender’s device and only the recipient can decrypt it, meaning no one else can read the message including WhatsApp itself.
However, the Facebook-owned company’s latest updates include the option of a free backup service, whereby messages can be stored on Google Drive following a deal between the two companies to allow users to store messages without it counting towards their free Google Drive storage allowance.
Although messages will be secure when they are on the device, as soon as they are stored elsewhere they are no longer encrypted, leaving them vulnerable to being intercepted.
CEO of encrypted instant messaging provider Wire Morten Brogger has called WhatsApp’s security practices into question, and warns businesses against using messaging services without end-to-end encryption:
“This latest news raises further questions about how good WhatsApp’s security practices are. It follows findings from Check Point Software, which discovered critical vulnerabilities in WhatsApp’s software architecture. Given how much sensitive data employees share over WhatsApp it’s very simple – it should not be used by businesses full stop.”
Last month, security company Check Point Software reported that security flaws in the app leave it vulnerable to hackers.
Morten also believes that this puts organisations at risk of breaching General Data Protection Regulation (GDPR) as, without end-to-end encryption, sensitive data can fall into the wrong hands.
“Sensitive information backed up without the protection of end-to-end encryption is clearly not just privy to WhatsApp and it’s owner Facebook, and to Google, it is also available for governmental entities, hackers and anyone with sufficient skills and time. Any company using WhatsApp for business use is jeopardising compliance with GDPR. This is part of the reason companies like Continental, the NASDAQ listed car industry supplier, banned all internal communications on WhatsApp.
However, Morten offers advice on how organisations can ensure data sent via messenger services is kept secure:
“The good news is that companies have a choice to become secure and compliant. Integrating end-to-end encrypted, open sourced and independently audited tools into their business models can provide the assurance that enterprises and their customers need to ensure their sensitive information is kept safe and sound. This should be the case across all platforms used in the workplace.”