More alarming headlines for WhatsApp this week, as its latest security threat prompted a warning for its 2 billion users to “stay away from WhatsApp,” claiming that the world’s most popular messenger “has now been a surveillance tool for 13 years.”
The warning came from Pavel Durov, the founder of rival platform Telegram, who used this latest critical security alert to claim that “if you have WhatsApp installed on your phone, all your data from every app on your device is accessible… That’s why I deleted WhatsApp from my devices years ago.”
So, is Durov right? Is WhatsApp more dangerous than Telegram or the others? Does it really “create a door to get into your phone?” Or, despite his assuring “I’m not pushing people to switch to Telegram here,” is this just the latest in the ongoing battle between the two messaging giants?
First things first. WhatsApp patched the latest vulnerability, claiming the flaw was discovered internally and fixed before there was any evidence of exploitation. And, more importantly, exploiting this type of flaw requires the kind of sophisticated exploit that almost nobody reading this need worry about—not unless you’re likely the target for political or financial offensive cyber activity.
WhatsApp has seen regular vulnerabilities, with some of those exploited by the same kind of attacks that more recently hit Apple’s iMessage. But, again, the numbers of victims were proportionately tiny. And let’s not forget that Telegram has itself been hit by cyber attackers compromising user security.
The reason iMessage and WhatsApp and other hyper-scale platforms come under attack is ubiquity. If I want to target politicians or journalists or activists or dissidents, then I want to find an exploit that will almost certainly be installed on their phone. WhatsApp hits the mark—especially as it runs cross-platform and so is used by iPhone and Android users alike.
What you, as a regular WhatsApp user, do need to worry about is common scams that will trick you into giving up access to your account, enabling attackers to target your friends and family for financial gain. Thousands of times as many users are hit by this kind of attack as backdoor malware. And that’s why you must NEVER send any verification code texted to your device to any of your friends, regardless of how convincing a sob story they might tell.
You also need to worry about end-to-end encryption, especially where WhatsApp is concerned, given that it’s owned by Meta, the world’s largest and most successful data harvester—for now.
Simply put, end-to-end encryption secures your content from even the messenger itself. Only you and the person or group you are messaging have the decryption keys to decode your content. The only times this content becomes vulnerable is when it’s decrypted on one of the devices at the ends of those chats, or should you back-up the chat history outside the encryption.
This is why attacks on fully encrypted messaging content rely on client-side compromises, which is where malware finds itself onto your device and spies on your activity. The latest WhatsApp security update was to close a vulnerability that would have enabled a client-side attack. As for back-ups, WhatsApp now allows you to encrypt back-ups to Apple’s and Google’s cloud—a huge improvement.
The irony in this story, is that despite Telegram attacking WhatsApp on security grounds, it’s actually Telegram that is significantly less secure by default. Outside of its limited “secret chats,” Telegram only encrypts content between users and its servers, not between users themselves. This is why WhatsApp came down hard on Telegram the last time the two platforms came to blows over security and privacy.
In reality, this is a much bigger issue for a much larger number of users than a patched WhatsApp flaw. We saw this prompt warnings to Russians using Telegram to chat about the Ukraine war. And while Telegram has the policies and procedures in place to protect content and to prevent its staff spying on user messages, the lack of end-to-end encryption means there’s no technical impediment as such.
Should you worry about using Telegram? Probably not—it’s seen as a favoured comms tool for elements of the underworld, after all. But even so, if you’re in a high-risk group or in a high-risk location, then use Signal instead and definitely use a fully encrypted platform and turn off any unencrypted backups from your device. You certainly don’t need to delete WhatsApp.
Despite the Meta issue, WhatsApp deserves real credit for democratizing end-to-end encryption and making it readily available cross platform and across the world. No-one has done more to secure regular communications between billions of people—not even Apple, which has still not enabled any form of end-to-end iMessage encryption outside the Apple walled garden.
My advice remains the same as always. Use Signal with any of your contacts who have the app installed, and for everything else use WhatsApp. It’s end-to-end encrypted, installed on most phones, and works exceptionally well for calls as well as content.