“Users shouldn’t trust WhatsApp’s end-to-end encryption”

Posted 01 May 2015 17:05 CEST by Jan Willem Aldershoff

WhatsApp’s end-to-end encryption is incomplete and can’t be fully trusted, according to the German Heise Security, after an analysis of the popular chat client. WhatsApp for iPhone has no support for end-to-end encryption, and the entire encryption process is insufficiently transparent.


WhatsApp has had end-to-end encryption activated in the Android versions of its popular chat client since November last year. Unfortunately, the user has hardly any guarantee that sent messages are really encrypted, according to Heise Security. They investigated the internet traffic WhatsApp generates with tools like Wireshark and Yowsup.

While testing a classic man-in-the-middle setup, it was discovered that messages between two Android clients are actually end-to-end encrypted using the so-called TextSecure protocol. As soon as a message was sent to an iOS client, TextSecure was no longer used, because WhatsApp for the iPhone doesn’t support this form of encryption. It was therefore pretty easy to intercept messages and decrypt them.

When end-to-end encryption between clients is not possible, WhatsApp uses a basic form of encryption called RC4. This algorithm has been known to be unsafe for some time, but an attacker still has to make a considerable effort to decrypt a message, so RC4 offers some protection against large-scale decryption of data, e.g. when eavesdropping on a backbone. Another weak point is that for each message a key is generated that is based on the user’s password.
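As an added illustration of why RC4 counts as "known to be unsafe" (this is not code from Heise, WhatsApp or Open Whisper Systems): the snippet below implements RC4 and measures the Mantin–Shamir bias, where the second keystream byte is zero about twice as often as a uniform byte would be. The sample keys are constructed from a counter so the run is reproducible.

```python
"""RC4 keystream generator plus a measurement of the well-known second-byte bias
(Mantin & Shamir, 2001). Added demonstration; the keys below are constructed test data."""
import hashlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n keystream bytes for the given key (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def second_byte_zero_rate(trials: int = 20000) -> float:
    """Fraction of keys whose second keystream byte is 0.

    An ideal stream cipher would give about 1/256 (0.0039); RC4 gives about 1/128
    (0.0078), which is why an eavesdropper learns something about every message's
    second byte without doing any key recovery at all.
    """
    zeros = 0
    for k in range(trials):
        # constructed keys: derived deterministically from a counter, not real secrets
        key = hashlib.sha256(b"rc4-bias-sample-%d" % k).digest()[:16]
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    print(f"P[Z2 = 0] ~ {second_byte_zero_rate():.5f} (ideal 1/256 = {1 / 256:.5f})")
```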

And because WhatsApp has never been open about how its servers handle the weaker encryption, this also remains a weak point, according to Heise.

According to Heise there are even more issues with the current implementation of end-to-end encryption in WhatsApp. It’s unclear whether this form of encryption is always used, even when technically possible. There is the possibility that encryption can be disabled in some cases, e.g. at the request of secret services. It is certain that WhatsApp has a mechanism that allows it to disable end-to-end encryption, as this also happens when a message is sent to an iPhone.

Due to the proprietary code of the WhatsApp client, it’s unclear whether the encryption key in use could be obtained by a third party, which is another weak point. Finally, the testers point out that the WhatsApp client does not let the user know whether end-to-end encryption is in use, so the user could think he’s safe while he is not.

The inventor of the end-to-end protocol, Open Whisper Systems, has responded on Reddit to the Heise article. They argue that development of the end-to-end encryption is an ongoing process and that it will be gradually improved.


MyCE Resident
Posted on: 02 May 15 01:27
I guess we can wait for the "gradual" process. It's not like we have anything to lose, except for our privacy, security, and freedom. Take your time, you've only got several million users depending on you.
4 Agree

New Member
Posted on: 05 May 15 08:34
IMHO OTR is the most secure encryption protocol.
I use it in Pidgin for PC and IM+ for Android or https://otr.to in browser
-1 Agree
