How Secure Is WhatsApp?

Things are looking up for WhatsApp. Yesterday (Feb. 19), Facebook announced that it planned to buy the popular multi-platform instant-messaging app for a stunning $19 billion. 

But WhatsApp has had a number of security and privacy issues through its 5 years of existence, not all of which have been entirely resolved. The company's secrecy about its own security raises doubts about whether the app is safe to use.

MORE: 7 Ways to Lock Down Your Online Privacy

For starters, WhatsApp collects all contact information from phones on which it's installed and uploads that information to the company's servers. This is hugely valuable data that Facebook has apparently been after for some time: In August, Facebook changed its policies to let its own mobile app collect the dialing numbers of phones on which it was installed.

That's why some experts are saying that Facebook's $19 billion for WhatsApp is really $42 per contact list from WhatsApp's 450 million users.

WhatsApp has had security issues as well as privacy ones. Until August 2012, WhatsApp messages were transmitted unencrypted, which meant anyone on the same Wi-Fi network as a user could capture all his or her messages.

In October 2013, researchers exposed a serious vulnerability in the way WhatsApp encrypts messages, which the app's developers have yet to officially address. (WhatsApp founder Jan Koum dismissed the flaw as "sensationalized and overblown" and stated that he "had a company to run.")

The problem, as shown by Dutch computer science graduate student Thijs Alkemade of Utrecht University, is that WhatsApp uses the same randomly generated encryption key to encrypt every single message in a given conversation. 

This means that if snoops could capture all or part of a WhatsApp conversation, and guess just some part of one of the encrypted messages, they could use that to identify the mathematical similarities — i.e. the encryption key — between the two messages and cancel out the encryption, thus reading the messages in plaintext.  

We've reached out to WhatsApp about this vulnerability, but have yet to hear back.

MORE: What's Up with WhatsApp? A Gaping Security Hole

These aren't WhatsApp's only security slip-ups. In July 2013, the German company Curesec found that the app didn't protect its connections to payment services such as Google Wallet and Paypal. An attacker could intercept that communication, create a fake landing page for a payment service and collect users' sign-in information. 

Admittedly, this attack required some patience, as the first year of WhatsApp is free for regular users, and 99 cents per year after that. However, it does show seriously bad form on the WhatsApp developers' side.

In the same month, WhatsApp users were hit with the much less serious, but still annoying Priyanka Worm, which renamed everyone in an infected device's WhatsApp contacts list "Priyanka."

Many mobile apps gather, and leak, large amounts of personal data from the phones on which they're downloaded. As far as instant-messaging apps go, Wickr and SilentCircle's Silent Text app are considered among the most secure.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.