WhatsApp completes end-to-end encryption rollout

It’s a security project that’s taken around a year and a half to complete, but messaging giant WhatsApp has now fully implemented strong end-to-end encryption on its platform and across all mobile platforms for which it offers apps.

This means users of the latest versions of the messaging app will have their comms and media end-to-end encrypted by default. And there are a lot of WhatsApp users; earlier this year the Facebook-owned company announced it had passed a billion active users.

Securing cross-platform video comms was the last piece of the puzzle, according to a WhatsApp spokesman.

End-to-end encryption means the content of communications is not stored in plaintext on WhatsApp’s servers. Nor is the company able to decrypt users’ messages to access them, since it does not hold the encryption keys. So WhatsApp cannot be compelled to hand over messaging data, even if served with a warrant by authorities demanding access.

While the WhatsApp news may seem timely in light of the recent high-profile battle between Apple and the FBI over an encrypted iPhone, the company has in fact been implementing encryption since 2013, the year NSA whistleblower Edward Snowden triggered a global privacy storm by revealing the extent of government mass surveillance programs.

WhatsApp then went on to partner with Open Whisper Systems the following year, and has been integrating that group’s widely respected end-to-end encryption protocol, the Signal Protocol, since late 2014. In a blog post today the not-for-profit hacker collective behind the open source tech confirmed the WhatsApp implementation is now complete.

“This includes chats, group chats, attachments, voice notes, and voice calls across Android, iPhone, Windows Phone, Nokia S40, Nokia S60, Blackberry, and BB10,” it wrote. “Users running the most recent versions of WhatsApp on any platform now get full end to end encryption for every message they send and every WhatsApp call they make when communicating with each other.”

Although the completion of default end-to-end encryption is a hugely important security milestone for the WhatsApp platform, it does not mean that from here on in every communication sent via the app is end-to-end encrypted, because that’s reliant on all users being upgraded to the latest version of the software.

But the WhatsApp client will now notify users of the encryption status of chats, including showing a notice in the messaging screen, to help bridge the transitional phase:

[Image: WhatsApp encryption]

“Eventually all the pre-e2e [end-to-end] capable clients will expire, at which point new versions of the software will no longer transmit or accept plaintext messages at all,” notes Open Whisper Systems.

WhatsApp users will also be able to confirm that the person they are chatting with is who they think it is, rather than an imposter performing a man-in-the-middle attack. They do this by verifying the authenticity of the encryption session, either by scanning a QR code or by reading a number string aloud.

For its part, Open Whisper Systems says it is looking ahead to additional rollouts of its tech, saying it will “continue to work with additional messengers” over the next year.

The group also has its own encrypted messaging app, Signal, which launched in March last year. Still, the question now is whether Edward Snowden will be switching to WhatsApp…