The Facebook acquisition of mobile messaging service WhatsApp has captivated the tech world this week. Much of that has to do with the massive $19 billion price tag and, to a lesser extent, the incredibly fast rise of the company. But while analysts and customers have been examining the deal, some security researchers decided to look at the security of WhatsApp itself.
WhatsApp is a text and multimedia messaging service that uses the Internet, rather than a cellular data network, as its base. The app grew slowly at first but exploded in the last couple of years and today claims 450 million active users. Security researchers at Praetorian, who have been running a project known as Project Neptune to assess the security of mobile apps, did a limited assessment of the iOS and Android versions of WhatsApp and discovered a number of issues around the way the app uses SSL.
The most serious problem they found was that WhatsApp does not enforce certificate pinning. The use of certificate pinning allows apps to specify a specific certificate that they trust for a given server. This helps defeat a number of attacks, specifically man-in-the-middle attacks that rely on spoofing the certificate for a trusted site. Many of the major Web browsers support certificate pinning now, but its adoption in the mobile world has been somewhat slower. Praetorian found that WhatsApp doesn’t enforce SSL pinning, potentially opening users up to MITM attacks.
“Within minutes, Project Neptune picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers. This is the kind of stuff the NSA would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk,” Paul Jauregui of Praetorian wrote in an explanation of their test.
“WhatsApp does not perform SSL pinning when establishing a trusted connection between the mobile applications and back-end web services. Without SSL pinning enforced, an attacker could man-in-the-middle the connection between the mobile applications and back-end web services. This would allow the attacker to sniff user credentials, session identifiers, or other sensitive information.”
Jauregui said in an email interview that it is unfortunately quite common to find mobile apps that don’t perform certificate pinning.
“Surprisingly, it’s extremely common to see mobile apps without certificate pinning. This security control is used to counter the ability of an attacker to view and modify all traffic passing between the mobile device and backend server. It can also help protect against certificate authority trust failures during client and server negotiation, which coupled with the support of weak and null (plain text) ciphers—as found to be the case in WhatsApp—is an even bigger red flag,” he said.
The researchers also found a few other less-serious issues, including support for null ciphers, meaning that some data isn’t encrypted at all.
“With Null Ciphers supported, if the client mobile application attempts to communicate to the server using SSL and both parties do not support any common cipher suites—as a result of a malicious intercept—then it would fall back to sending the data in clear, plain text. Supporting Null Ciphers is not something we come across often—it’s quite rare,” Jauregui said.
Mobile app security has lagged behind the security of desktop and Web apps in many respects, as developers have moved to the new platforms and run into many of the same security issues that they encountered years before on the Web. This isn’t the first time that researchers have discovered security problems with WhatsApp. Several years ago it was reported that the app sent data in plaintext, and other researchers found that they could use an API to hijack any user’s account.
Fixing the certificate pinning issue can be done in a variety of ways, and Jauregui said it all depends on what the developers want to do.
“Level of effort can vary depending on how developers choose to implement certificate pinning. Pinning the certificate itself is the simpler way to do it, but it requires more maintenance overtime because developers will have to make changes to the application whenever the cert changes. Another way to do it is by pinning the public key, which can be more difficult. Choosing the best way to go often depends on the frequency in which the certificate itself may change,” he said.