WhatsApp prioritizes privacy, simplicity, and security. End-to-end encryption keeps user messages private even from WhatsApp, which prevents messages from being intercepted in transit. Attackers, however, are increasingly targeting the mobile devices themselves, so we are improving security to protect user accounts.
Malware that infects mobile phones is a particular concern. In account takeover (ATO) attacks, malware uses the victim's account to send unsolicited messages.
We are adding Device Verification to WhatsApp to prevent ATO attacks. Device Verification stops the attacker while letting the victim keep using WhatsApp.
Why Device Verification?
WhatsApp uses multiple cryptographic keys to secure messages. One of them, the authentication key, lets a WhatsApp client reconnect to the WhatsApp server. Because of this key, users can use WhatsApp without entering a password, PIN, SMS code, or any other credential each time.
The authentication key is secure against interception, even by WhatsApp. The risk comes from malware running on the device, which can steal the authentication key.
Unofficial WhatsApp clients bundled with malware are our main concern. We recommend using only the official WhatsApp app, because these unofficial apps compromise user security.
Malware on a user's device can grab the authentication key and then impersonate the victim to send spam, fraud, phishing attempts, and so on.
Device Verification lets WhatsApp recognize these cases and protect the user's account without interrupting the user.
What is Device Verification?
WhatsApp designed Device Verification to take advantage of how users read and respond to messages on their device. When a message arrives, the WhatsApp client wakes up and retrieves the offline message from the WhatsApp server. Malware that has stolen only the authentication key cannot reproduce this process.
Device Verification adds three parameters:
- On-device security token.
- A nonce that identifies whether a WhatsApp client is connecting to retrieve messages.
- Asynchronous authentication challenge.
Together, these three parameters prevent malware that has stolen the authentication key from connecting to WhatsApp from outside the user's device.
Security-token bootstrapping
The security token is updated each time the client retrieves an offline message, so that subsequent reconnection attempts succeed seamlessly. This is how the security token is bootstrapped.
Validating new client connections
WhatsApp clients must submit their device's security token when connecting to the WhatsApp server. This lets us detect unusual connections to the WhatsApp server, such as malware connecting from outside the user's device.
Authentication challenge
To authenticate a device, WhatsApp sends it a silent ping. We only challenge suspicious connections. A challenge has three possible outcomes:
- Success: the client responds to the challenge from the connecting device.
- Failure: the client responds from a different device than the one that is connecting. The connection is blocked because it is likely an attacker's.
- Ignored: the client does not respond to the challenge. This is rare and implies a suspicious connection, so the challenge is retried; if the client still does not answer, the connection is blocked.
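The following is an added toy model of the three mechanisms described above (token bootstrapping, token validation on connect, and the challenge with its three outcomes). It is not WhatsApp's code; the class and method names, the retry count and the way the silent ping is answered are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Device:
    """A WhatsApp client instance. Malware that copies only the auth key has no token."""
    device_id: str
    auth_key: str
    token: Optional[str] = None
    online: bool = True

    def answer_challenge(self) -> Optional[str]:
        # Hypothetical silent-ping handler: an online device reports which device answered.
        return self.device_id if self.online else None


@dataclass
class Server:
    """Constructed server-side model of Device Verification for one account."""
    auth_key: str
    registered: Device                       # device that last retrieved offline messages
    token: Optional[str] = None              # current on-device security token
    offline_queue: List[str] = field(default_factory=list)

    def retrieve_offline(self, dev: Device) -> List[str]:
        """Bootstrapping: every offline-message retrieval rotates the security token."""
        self.token = dev.token = secrets.token_hex(16)
        self.registered = dev
        msgs, self.offline_queue = self.offline_queue, []
        return msgs

    def connect(self, dev: Device, retries: int = 1) -> str:
        """Validate a connection: auth key plus current token, otherwise challenge it."""
        if dev.auth_key != self.auth_key:
            return "rejected"
        if dev.token is not None and secrets.compare_digest(dev.token, self.token or ""):
            return "accepted"                # normal reconnection, no challenge needed
        for _ in range(retries + 1):         # suspicious connection: send the silent ping
            responder = self.registered.answer_challenge()
            if responder == dev.device_id:
                return "accepted"            # success: answered from the connecting device
            if responder is not None:
                return "blocked"             # failure: answered from a different device
        return "blocked"                     # ignored: no answer even after the retry
```

A stolen authentication key alone fails the token check, and the resulting challenge is answered by the victim's real device rather than the connecting one, so the connection is blocked.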
What's next?
Malware increasingly threatens privacy and security. Device Verification is available to all WhatsApp Android users and is being rolled out to iOS users. It strengthens user security without disrupting service or adding steps for the user. Device Verification will help WhatsApp combat these uncommon key-theft cases, and we will keep testing new security features to protect user privacy.