53

WhatsApp has "recently" deployed end-to-end encryption using the Signal protocol, which is of course also being used by Signal itself. The related white paper (PDF).

Now this raises the question:
Is there still any security benefit to use Signal over the much more widely deployed WhatsApp, now that both have good end-to-end encryption?

The threat model in this case includes basically anyone not having access to the phones at the ends. It especially includes the service provider and law enforcement.

Anders
SEJPM
  • They share the same E2E protocol and the same implementation flaw, i.e. not asking the user to verify keys. WA even allows the user to change keys without any security warning for other users, which did not change the defaults. – allo May 24 '18 at 11:58

3 Answers

66

There are still a couple of security functions, which may matter to you, which Signal does better than WhatsApp.

Client-Side Fanout

When you use a group chat in WhatsApp, you send your message to the server who in turn distributes it to all the group members. This way WhatsApp learns all the social structures and can in theory perform traffic analysis to deduce quite a bit of information from the message volume exchanged.
In Signal on the other hand, group chats are actually normal peer-to-peer chats[1] with a special flag, which is set inside the end-to-end encrypted frame. So this way OpenWhisperSystems (the makers of Signal) doesn't learn your social group structures. However they can still see that three messages are going to three different people at once and can guess that this is due to a group chat.
The blog post for Signal. The server-side fan-out is stated in the white paper (PDF).

Private Group Metadata

Because the previously mentioned approach of everyone just directly sending the group messages to each other is messy with regards to privileges - as achieving consensus in an asynchronous distributed system is hard - Signal has deployed a new system to enforce access control and privileges in groups without learning anything about the group structure - only about the existence of a group and a guesstimate of its size based on the size of the server-stored ciphertext. See this blog post for details and this post for the deployment announcement and this post for how group links factor into this.
I was unable to find documentation on how WhatsApp handles this data. Though given they know the group membership to distribute messages, they may just store this in the clear.

In-App Encryption

Signal offers to encrypt the past communication at app level, requiring a password to read past messages, which WhatsApp lacks completely. Obviously this can protect your messages in case of theft; however, you probably won't gain that much security because most people will probably not choose good passwords here for usability reasons.

Use of the OS keystore

Modern mobile operating systems provide a place for you to store your keys so they aren't unencrypted in the filesystem. The OS will usually either encrypt them with some hardware backed mechanisms, like iOS's secure enclave or Android will use things like ARM TrustZone for increased difficulty of key extraction. Additionally Apple is famously known for doing a really good job at the security of the iOS keychain backups. Signal uses these security features (iOS, Android), whereas WhatsApp (likely) does not.

Optional Read and Typing notifications

WhatsApp notifies you when somebody is typing and it notifies you when somebody read your message - and you can't turn it off for group chats. This however allows WhatsApp to deduce app usage behavior and your habits. Like "Do you check your WhatsApp messages at 1am?", combine that with the other meta data WhatsApp is harvesting and you can make some useful guesses about people's lives. Additionally the "typing" notifications can be used to deduce potential contents based on context and default keyboard suggestions and other factors.
Signal doesn't enforce this. Here's the original discussion on it on GitHub. As a more recent development, Signal adopted read notifications, but they're default-off (for pre-existing installations) and aren't forced-on in Group conversations. For groups I think they work individually with each member, that is if a member and the sender have them both enabled, the sender will get the notification, which is much more privacy-focused than WhatsApp's solution.

Backup Security

WhatsApp offers you to backup your messages so you can recover them when your phone is inaccessible or destroyed. However due to the very nature of this, the backup (which must (also) be hosted on Google Drive) cannot be encrypted / secured other than with your username / password for that account (which WhatsApp doesn't know). So as soon as that Google Drive account is breached or some government demands access, all the end-to-end security is gone if either party of the communication had backups enabled. As for iCloud (as opposed to Google Drive) a similar argument applies - especially as the kind of data WhatsApp is saving is not sensitive enough for Apple to use their stronger security mechanisms as they would e.g. for passwords.
Even though the backup feature of Signal isn't as convenient as the one of WhatsApp it doesn't automatically store (plaintext?) copies of messages on Google servers, but rather allows you to (automatically) create a local (encrypted) file and push this one manually around. It is unclear though if WhatsApp's backup feature profits from the recent security enhancements in Google's backup infrastructure (on Android at least), so they might actually be secure.

Auto-deleting Messages

Automatically deleting your own old messages is good from a security standpoint. It means that if an attacker manages to break into your phone / backup that (s)he can't access all messages but only the recent ones. Auto-deletion is especially nice if you consider that you won't read all the really old messages anyways and that it will save you some storage. As of now, WhatsApp does not implement this.
Signal on the other hand does.

No meta-data storage

Signal was recently hit by a Subpoena. They complied (of course) but could only contribute very little, which confirms that they're holding true to their privacy policy.
At the same time WhatsApp is sitting on a large(r) amount of meta data and would be much more useful if hit (and if it's being disclosed). This is especially obvious if you compare what WhatsApp logs and what Signal logs.

Private Contact Discovery

WhatsApp uploads your entire address book to their servers to compare which of the listed users have WhatsApp accounts. Obviously during that process WhatsApp learns your social graph, that is who you know, including people who don't use WhatsApp.
Signal now on the other hand, has somewhat recently deployed a much smarter solution, using fancy modern cryptographic techniques paired with Intel's SGX technology so that OpenWhisperSystems actually doesn't learn your address book (only the SGX enclave does and that doesn't leak it), but only needs to keep on-record who their users are and thus they also don't learn anything about which users you may know but don't chat with using Signal and which people you know but don't use Signal (yet). The details of this can be read in their blog post.

Registration Locking

While both Signal and WhatsApp support registration locking which forces you to enter a pre-determined PIN whenever a new device is added to an account, it is unclear how security is enforced. That is, how many tries one gets for the PIN before hitting the lock-out and whether this lock-out can be overridden by the service operator. Signal is currently beta-testing using SGX to have a verifiable upper limit on the tries you get for this.

Private Link Preview

Signal goes out of its way to hide which URL you're accessing from Signal when generating link previews and hiding your IP from the server.
WhatsApp on the other hand has a less stringent stance on the topic though it is only "worse" than Signal in that regard by leaking the sender's IP to the service.

Sender Hiding

Signal has a feature that allows you to hide your identity from the server when sending a message. That is, the app can send a message to the server that will be delivered without revealing from who it is exactly. So what the Signal servers see is that somebody with a given IP sent a message to a well specified user.
From what I know WhatsApp doesn't implement anything similar and instead relies on user authentication for sending to prevent impersonation and similar issues.

Encrypted Profiles

In Signal your profile picture and chosen name are only ever transmitted using end-to-end encryption. Also see the introducing blog post. This means that the server doesn't learn how your picture looks or what string you use to identify yourself to others.
In WhatsApp however the picture is less clear. It seems highly likely that if you set these information to public they are indeed stored in the clear on the servers. However if you set it to contacts-only, it is much less clear whether WhatsApp uses its end-to-end encryption for the transport of the image or whether it's just an access-controlled API functionality on the server. At least this (unofficial) blog post claims that the end-to-end encryption is not used for profiles.

Receipt Confirmations via the Secure Channel

Signal sends the notification that a message has been received using the same secure channel as the message itself. Due to the design of the signal protocol, this implies a fresh update of the key material. In WhatsApp on the other hand, the receipt notifications are transported outside of this end-to-end protocol. Concretely this means that if only one party in a conversation (or group) talks, a state compromise of that party will allow all subsequent messages of that party to be passively decrypted in WhatsApp, whereas only the messages until the next receipt notification are leakable for Signal.

Ephemeral Messages?

They're a feature supported both in WhatsApp and Signal - messages that are deleted on the receiver's end after some condition is satisfied. However there's no real security impact for their implementation as the rule "if you can see it, you can photograph it with a different device" applies.

So TL;DR:
The remaining security differences (after the protocol update) are mainly that WhatsApp generates a lot of meta data to be convenient while Signal tries to avoid meta data.

1: They don't actually use peer-to-peer communication in the sense of directly connecting to their peers. Rather they use the secure two-way channels to everyone else.

SEJPM
  • If a whatsapp message to a group is "fanned out" at the Whatsapp server level, how does the end-to-end encryption work? Does the client include an encrypted copy of the payload for each receiver? – Johan Oct 12 '16 at 14:36
  • 3
    @Johan for the details you'd have to consult the whitepaper, but in a nutshell you encrypt a key for the encrypted message such that every targeted recipient can decrypt said key and in turn the message. [Also see this Q.](https://security.stackexchange.com/a/119656/71460) – SEJPM Oct 12 '16 at 14:40
  • @SEJPM What about the security of names of people who download secure apps, such as Signal? Is there some master list that Signal keeps of every subscriber, that they could be forced to share, or could be hacked? – Dr. Beeblebrox Nov 11 '16 at 15:35
  • The Google Drive backups mentioned in this answer are probably only related to Android while WhatsApp uses iCloud on iOS. Could you extend the answer to cover this? – Melebius Nov 02 '20 at 12:37
  • @Dr.Beeblebrox yes, Signal has to keep some sort of list of users - if only to be able to tell somebody whether their contact (and which of them) also use Signal. Of course that information isn't too hard to get given that the (main) appstores also know which account installed what apps at least once. – SEJPM Nov 02 '20 at 13:03
  • @Melebius I have just added a sentence about this, the TL;DR is that it's about as bad for iCloud as for GDrive. – SEJPM Dec 19 '20 at 15:34
  • "In Signal on the other hand, group chats are actually normal peer-to-peer chats": I don't see how that can be for the mobile app. For one, I don't know a way two mobile apps can P2P. Also, that would seem to mean the sender's data volume is proportional to the number of recipients. – fgrieu Jun 11 '21 at 14:19
  • @fgrieu clarified with a footnote. It meant to say that it uses the bilateral channels as opposed to some other protocol. – SEJPM Jun 12 '21 at 09:44
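Added example (not part of the answer above and not code from either app): a toy simulation of the "Receipt Confirmations via the Secure Channel" point, counting which one-sided messages a passive attacker can read after copying the sender's ratchet state once. It assumes a small integer Diffie-Hellman group and HMAC-SHA256 as stand-ins for the X25519 and HKDF that the Signal protocol uses; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (assumption, not Signal's X25519).
P = 2**255 - 19
G = 2

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv: int, pub: int) -> bytes:
    return pow(pub, priv, P).to_bytes(32, "big")

def dh_ratchet(root: bytes, shared: bytes):
    """Mix a fresh DH output into the root key; returns (new_root, new_chain)."""
    seed = kdf(root, shared)
    return kdf(seed, b"root"), kdf(seed, b"chain")

def leaked_messages(n_msgs, compromise_at, receipt_every, receipts_in_channel):
    """Indices of Alice's messages a passive attacker can decrypt after copying
    her state just before message `compromise_at`. Bob only sends receipts."""
    a_priv, _ = keypair()
    _, b_pub = keypair()
    root, chain = dh_ratchet(secrets.token_bytes(32), dh(a_priv, b_pub))
    used_keys, stolen_chain = [], None
    for i in range(n_msgs):
        if i == compromise_at:
            stolen_chain = chain          # snapshot also holds root and a_priv
        used_keys.append(kdf(chain, b"msg"))
        chain = kdf(chain, b"chain")      # symmetric step: no healing by itself
        if receipts_in_channel and (i + 1) % receipt_every == 0:
            _, b_pub = keypair()          # receipt carries Bob's new ratchet key
            root, _recv = dh_ratchet(root, dh(a_priv, b_pub))
            a_priv, _ = keypair()         # fresh secret the attacker never saw
            root, chain = dh_ratchet(root, dh(a_priv, b_pub))
    # Attacker steps the stolen chain forward and tests each derived key.
    leaked, ck = [], stolen_chain
    for i in range(compromise_at, n_msgs):
        if kdf(ck, b"msg") == used_keys[i]:
            leaked.append(i)
        ck = kdf(ck, b"chain")
    return leaked

if __name__ == "__main__":
    print("receipts outside E2E channel:", leaked_messages(10, 3, 3, False))
    print("receipts inside E2E channel: ", leaked_messages(10, 3, 3, True))
```

With receipts kept outside the channel the stolen chain key opens every later message; with receipts inside it, exposure stops at the first receipt after the compromise.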
21

Disclaimer: this is a non-technical contribution (addition to already given answer). Some content may be subjective, possibly speculative.

I believe that when evaluating/comparing information security solutions one needs to go beyond the purely technical //current state// of the solution and consider what trajectory a given product will likely take in the future given the known or assumed-likely motivation of the controlling organization.

In 2014 Facebook bought WhatsApp

As argued by Marc Goodman in his book "Future Crimes", to Facebook users are its product while the advertisers are its customers, and to be viable Facebook monetizes its products and it does so by maximizing the volume and quality of the product it offers to its customers. Simplifying, volume translates to the time users spend looking at Facebook content (time available to show advertisement), and quality translates to how accurately Facebook can target ads at users based on what it knows about them. In other words Facebook wants to know as much as possible about users (which can't be done when keeping data truly secure), and to use that to:

  1. maximize eye-ball time (get users to spend more time looking at Facebook)
  2. maximize accuracy and effectiveness of targeted advertisement

Since WhatsApp has been offering end-to-end-encryption with no access to user data, why would Facebook pay over US$19 billion in 2014 to buy it (See https://en.wikipedia.org/wiki/WhatsApp citation 13, 14) given how Facebook monetizes its products? That is unless Facebook can find a way to harvest WhatsApp data about users. Recent change to WhatsApp's privacy policy allowing for WhatsApp users' contacts' phone numbers to be shared with Facebook is, I believe, indicative of the answer.

Future Speculation

It is speculative to consider what future trajectory Facebook will take with WhatsApp. However, when considering information security solutions I think it is prudent to evaluate organization's track record and what direction their business model points to. Consider:

  • Given above and "Future Crime"'s argument, maximizing WhatsApp's information security is counter-productive to Facebook's business model
  • Facebook has a history of documented questionable privacy practises, for example: resetting of user's privacy settings upon policy update, or experimenting in controlling user moods by filtering their feeds - google for more examples.

When comparing information security solutions, especially with similar technical capabilities, I suggest choosing a solution that is more likely to keep its primary focus on privacy in future development. Here, Signal, seems a better choice.

tripleee
Marcin K
  • 1
    In 2014 many users started to search for alternate solutions. Just like they did with skype when that one got assimilated. – Overmind Jan 28 '20 at 09:47
0

One other consideration to add here:

Signal is open-source, and on many platforms is implemented in a managed, memory-safe language (Java or JavaScript). It's also written/maintained by a well-known security researcher, the sort of person who excels at finding and fixing security vulnerabilities (hopefully even in their own code). WhatsApp is proprietary software, and contains components written in unmanaged, native programming languages (almost certainly C/C++). Even if you trust Facebook not to introduce malicious content into your WA binary (and you do have to trust them, unless you want to reverse engineer it yourself), they are as subject to mistakes (when working with native code) as anybody else, and that is highly.

WhatsApp has been found to have multiple buffer overflow vulnerabilities, including at least one that was exploited in the wild. Buffer overflows can be used to gain complete control over the vulnerable app, which of course means the attacker can read everything the app can (your private keys, your conversation history, your current chats or calls, your contacts/photos/microphone/camera/anything else you've given the app access to) and can also be used as a platform from which to launch additional attacks (compromising other mobile apps, your mobile OS, and other devices on a local network with your phone, potentially including your home and/or work computers). This is a huge deal.

While open-source software is not inherently secure against such attacks, it has a better chance to not be vulnerable. More people will look at the source code (including lots of security-minded people, which are one of Signal's core user groups) than at a company like Facebook. Most people are not actually out to do a bunch of harm, and indeed are often hoping to make a reputation and/or earn a bounty by finding and responsibly disclosing security bugs, so there's a better chance that vulnerabilities will be spotted and fixed. Then there's the thing where buffer overflow-level vulnerabilities are just way, way less likely in memory-safe languages; even if there was a bug in Signal that let a remote attacker do something nasty to the app by sending you a message, that thing would probably be way less severe than "completely take over the app and access everything it can see". Meanwhile, WhatsApp has had multiple vulnerabilities of that class in a single year at least one of which was weaponized for some time before it got patched; this is not a hypothetical vulnerability. Maybe (hopefully) FB has stepped up their game since, but it's a concerning history for any "secure" app to have.

CBHacking