-
That's really interesting - thanks for typing that up.
I assume when you send a group message you're actually sending a decryption key (encrypted for each participant) and the encrypted message? Otherwise sending images would get pretty unwieldy in large groups. I think that's how PGP encrypts messages for multiple recipients anyway.
I like to think WhatsApp would be reluctant to put a back door in the app because they know that every version of the app that they publish will be downloaded, stored and dissected for eternity, and any back door will eventually be found.
I'm sure they are capable of deploying backdoored versions to specific clients though.
-
I assume when you send a group message you're actually sending a decryption key (encrypted for each participant) and the encrypted message? Otherwise sending images would get pretty unwieldy in large groups. I think that's how PGP encrypts messages for multiple recipients anyway.
For simple bits of text I would think individual messages are sent encrypted per person (but flagged as being part of a group obviously).
But, yes, for images/movies I'd expect they encrypt it once with a unique symmetric key, the encrypted blob gets uploaded to WhatsApp servers (along with an encrypted preview/thumbnail), and then each person is sent a copy of the symmetric key over the usual encrypted comms plus the details of what to download if they want it.
As for a backdoor, the trick is to reuse existing functionality, such as the resending of messages (with no notification on the client) as is used in the web client. Yes, you have to trigger this with the QR code normally, but there may be a way to silently do this remotely, and that's what they could use.
Or they just have something like Apple's classic "goto fail;" bug that goes down as some kind of plausible deniability.
[EDIT] When the Whatsapp client is installed and run for the first time it creates a public key and a private key. Anything encrypted with the public key can only be decrypted with the private key. The public key is sent to Whatsapp's servers (and anyone that wants to communicate with you). The private key is not sent anywhere and should only remain on the phone. The private key is unrecoverable so if you lose your phone you either need a backup of your phone (e.g. using iTunes/cloud for Apple) or the private key is gone forever.
[EDIT] WhatsApp web interface is still secure. I'll give an outline of how that works without WhatsApp being able to read any messages a bit later if anyone is interested.
The communications are encrypted end-to-end, that is, each message you send to an individual is encrypted in such a way that only that end user should be able to decrypt it. (The messages are encrypted with a public key but can only be decrypted with the corresponding private key.)
If you send a message to a group then actually you're sending messages to each person individually using their unique key.
So, in either case above, Whatsapp (servers) should not be able to see the unencrypted contents of any message. But they do know the metadata, e.g. you sent a message to person B, or that you have persons C, D and E in your contacts, or that you're in a group with persons F, G and H. They have to know this so they can deliver your messages appropriately. This metadata is still valuable even if they can't read the content of the messages.
However, and here's the first but (there are three), Whatsapp also controls the client which obviously has access to the private key that is required to decrypt messages, otherwise it wouldn't be able to display the decrypted messages to you.
It also controls which keys a message is encrypted with when you send a message. If the messages you send are only encrypted with the public keys of the recipients then Whatsapp cannot know the contents of your message, as Whatsapp should not know any of the private keys.
You are relying on Whatsapp to play nicely. They could:
a) Encrypt each message you send with an extra key that Whatsapp has the private key for, and also send this each time, and so they'd be able to decrypt every message sent by anyone.
b) Act as a Person-In-The-Middle and tell you that Person B's public key is X (when it is actually Y) and when you send a message to B you encrypt it with X, but Whatsapp intercepts this, decrypts it (as they have the corresponding private key for X), stores the message and re-encrypts it with public key Y and then sends it on to B, which then decrypts it without any idea that it has been messed about with.
c) The WhatsApp client could take your private key (which should remain only on your client) and send it to WhatsApp. They could exfiltrate it bit by bit inside other WhatsApp communications and you'd never know and people would be very unlikely to notice.
d) The WhatsApp client could purposely generate 'weak' or easily attackable keys, so that someone with a bit of computing grunt could determine the private key from just the public key.
e) ...lots of other possibilities...
The source code for the client is not public, and even if it was, there's no way to verify that the app you are running on your phone was built from that source code. There's a lot of trust there (and being a FB company there's not much trust going around).
The second 'but' relates to backups of your chats. If you enable this then Whatsapp stores a backup of your chats on Google Drive and they are encrypted with a key that is derived from your phone number. This means that if you lose your phone then you can retrieve all of your old messages as Whatsapp can restore this backup onto your phone as it can work out the key again.
If Whatsapp can do this onto a new phone they can, theoretically, retrieve any chat backup from Google Drive, derive the key from the corresponding phone number, and then pore through the messages at their leisure. They can also hand over the key derivation function to a nation state (such as a three letter agency in the US) which will also have access to arbitrary google drive information, and so they can look through anyone's Whatsapp data.
The final 'but' is the leaking of information due to link previews. That doesn't leak the specific content of messages but it does leak valuable information.
Signal is better in many respects, but nothing can be perfect. Signal doesn't offer the same backup with obvious security flaws. Signal has open source code (and people do perform verifiable builds). etc.
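The key-substitution scenario in (b) above, and the out-of-band fingerprint comparison that lets a client refuse a swapped key, as an added Python example that is not from this thread and not WhatsApp's or Signal's code. The Diffie-Hellman group is toy-sized and constructed for illustration only, and the server "directory" dict and the names Alice/Bob/Mallory are assumptions.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only: 2**127-1 is prime,
# but this group is far too small (and not a vetted one) for real use.
P = (1 << 127) - 1
G = 3

def keygen():
    """Return (private, public); only the public value is published to the directory."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Session key each side derives from its own private and the peer's public value."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def fingerprint(pub):
    """Short hash of a public key: the value a client shows for out-of-band comparison."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def fetch_key(directory, name, expected_fp=None):
    """Look a peer up in the server's key directory (a plain dict here).

    With a fingerprint verified out of band, refuse any served key that does not match it;
    without one, the client has to trust whatever the directory serves."""
    pub = directory[name]
    if expected_fp is not None and fingerprint(pub) != expected_fp:
        raise ValueError(f"key served for {name} does not match the verified fingerprint")
    return pub

def run_scenario(substitute, verify):
    """Alice messages Bob via the directory; returns who can derive Alice's session key."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    mallory_priv, mallory_pub = keygen()
    bob_fp = fingerprint(bob_pub)  # Bob reads this to Alice in person, not via the server
    # A dishonest directory serves Mallory's key (X) in place of Bob's (Y).
    directory = {"alice": alice_pub, "bob": mallory_pub if substitute else bob_pub}
    try:
        pub = fetch_key(directory, "bob", bob_fp if verify else None)
    except ValueError:
        return "rejected"
    alice_key = shared_key(alice_priv, pub)
    if alice_key == shared_key(bob_priv, alice_pub):
        return "bob"
    return "mallory" if alice_key == shared_key(mallory_priv, alice_pub) else "nobody"
```

With an honest directory the session key lands with Bob either way; with a substituted key it lands with the directory's owner unless the client checks the fingerprint, in which case the key is rejected before anything is encrypted.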