There was an awkward twist to last week’s news that WhatsApp users are being targeted with “text bomb” messages—crafted character strings that crash the app. An awkward twist for WhatsApp, that is, quite apart from the pain for impacted users. The Facebook-owned messaging platform has assured users that the vulnerability is being fixed and that updates will be rolled out worldwide.
But it’s not that simple—there are two serious issues with WhatsApp, both of which make this text bomb attack more serious than it need be, both of which are reportedly being fixed, both of which will be a radical update for 2 billion WhatsApp users.
The warning about this latest spate of dangerous messages has been widely covered in the media. The coded messages throw WhatsApp into an infinite crash cycle that requires a user to delete and reinstall the app. The text strings cannot be rendered by the app—it crashes each time it tries. So, as soon as you receive and open the message, it’s game over. The only get-out is to use something other than your smartphone to delete the message and block the sender. And here we find problem number one.
WhatsApp doesn’t have an independent desktop app—it’s just a scrape of your smartphone app. That’s why you need to keep your smartphone app connected. If your smartphone app cannot open, then the desktop app is useless. All of which means you need to realize you’ve been attacked with a text bomb message, and turn to your desktop app to delete it and block the sender, without using your smartphone app until that’s done. That’s both inconvenient and impractical—but it’s the only way.
WhatsApp now has linked devices in late-stage development. This is critical for WhatsApp as it plays catch-up with the features already offered by competitors such as Signal, iMessage and even Facebook Messenger. Once released, this should mean you can delete the message and block the sender from a linked device and then reopen the smartphone app, which should be able to sync its database in the background without trying to render the dangerous message. Linked devices are not yet available, which means that if you throw your smartphone app into an infinite crash you have no option but to delete and reinstall the app. And that leads to problem number two.
If you want to restore your chat history and media when you reinstall WhatsApp, you need to use the cloud backup available from within the app itself. WhatsApp gives iPhone and Android users the option to send a daily, weekly, or monthly backup to Apple or Google’s respective cloud services. The problem is that those backups undermine the entire basis for WhatsApp’s trademark security.
We’re talking about end-to-end encryption, of course. This means that the key to decrypt your messages is held only by you and the person or people you’re messaging. As WhatsApp itself says, “some of your most personal moments are shared with WhatsApp, which is why we built end-to-end encryption into our app. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.”
According to WhatsApp’s owner, Facebook, such encryption not only mitigates the risk of messages being intercepted in transit, but also “the compromise of server and networking infrastructure,” their own included. That’s somewhat ironic, given that Facebook Messenger is not currently end-to-end encrypted, except where users elect to send “secret messages,” although it plans to rectify this at some point.
All of which leads to that problem—WhatsApp is end-to-end encrypted, but those cloud backups are not. “Media and messages you back up,” it warns iPhone users, “are not protected by WhatsApp end-to-end encryption while in iCloud.” The same issue impacts Android users backing up to Google’s cloud. Your device holds a decrypted messaging database, which is then backed up from your device to the cloud service, wrapped in the provider’s standard (not end-to-end) encryption, nothing more than that.
Signal, the best alternative to WhatsApp, does not offer a cloud backup of any sort. Letting the data out of a user’s control, it says, is a material security risk and one it does not enable. Whereas a WhatsApp user transitioning to a new phone does so by way of the cloud backup, restoring to the new device, Signal offers a direct, wireless device-to-device transfer or a specially encrypted backup file, one that can be copied onto the new device and then used to restore the messaging history.
U.S. lawmakers are currently pushing for warranted access to encrypted messaging platforms, to enable investigators to access user content, something that is blocked when only the sender and recipient have those decryption keys. Clearly, when the data is on a cloud backup service, without that end-to-end encryption, then law enforcement and security agencies can access that data through the cloud provider—Apple or Google—when a jurisdictional warrant allows them to do so.
Just as with linked devices, WhatsApp appears to be developing an extension to its end-to-end encryption, so that the same protection covers these cloud backups. Until then (and there’s no confirmed timing on any release), users will have to choose between backing up their chats, in case they lose their phone or fall victim to a text bomb type attack, and protecting that data from the risk that it becomes exposed without the encryption it enjoyed in transit.
If the thought of exposing years of messages to potential scrutiny by others, stripped of the encryption they enjoy in WhatsApp, worries you, then perhaps you should trust that this latest text bomb issue will be patched by WhatsApp. That’s what we’re being told. But a similar issue was raised by the cyber research team at Check Point last year, one that manipulated message metadata to send the app into an infinite crash in the same way, one that was apparently fixed, and yet here we are again.
As with that earlier issue, part of the advice to mitigate such threats is to prevent your number from being added to groups by people you do not know. You can make that change within the app’s privacy settings. You should limit all privacy settings to your contacts.
I’ve commented before that of all the new functionality reportedly coming from WhatsApp, it is linked devices and encrypted backups that trump all others for their importance. Hardly a coincidence, then, that this latest issue with the so-called “travazap” crash code messages that originated from Brazil would highlight both those issues. WhatsApp’s 2 billion users need to be given these updates. And fast.