There was a headline that made its rounds recently regarding another personal communication platform, WhatsApp, claiming that a “backdoor” in their end-to-end encryption weakened privacy and security for their users.
Here at SnatchApp, we don’t really see other platforms as competitors; we’re all in this together, and some of the innovations made by us and others have been very exciting for the industry as a whole. However, due to the popularity of the report, we thought it prudent to address the concerns and assure our users that SnatchApp has no such “backdoor.”
Before we go into all that, though: What is a backdoor?
Basically, a backdoor in a program is a vulnerability in the way a security protocol (in this case, WhatsApp’s end-to-end encryption) is carried out. According to the report, research showed that some companies, such as Facebook, could intercept and read messages from users. (And if they can, others might be able to as well.)
Now let’s get a little more technical so we can explore this issue in further detail: The app in question uses something called the “Signal Protocol,” which means that each client is identified by a pair of keys, one private and one public. The public key is broadcast over the server, while the private key is exactly what it sounds like: private, kept on an individual user’s device.
When two parties exchange messages, this key pair is bound into the encrypted channel between them and revealed as a security code that the parties can use to verify that their communication is indeed private.
A lot of platforms that utilize end-to-end encryption use a method that is similar to this key-pair verification, often called “public key cryptography.” Without that verification, an intruder could attempt to lie to a user about the public key, as long as they hold a corresponding private key.
The issue that comes into play with this sort of encryption is that the private keys will change under specific circumstances, for example if someone has to reinstall the app or gets a new device. The key pair that identifies them will change, and when that happens, messages to the user will go undelivered until the sender re-encrypts them with the recipient’s new key. The sender’s app must then display the security notification, re-encrypt the message, and resend it.
In the case of WhatsApp and the particular security issue in question, users might not be aware of the change in encryption, either because they have opted out of notification settings or because they’re simply offline. Ultimately, the rebroadcasting of previously undelivered messages can give WhatsApp, or others, the ability to intercept and read users’ messages.
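The key-change behaviour described above can be modelled in a few lines. This is an added example, not code from WhatsApp, Signal or SnatchApp: the `Sender` class, its `block_on_key_change` setting and the simplified `security_code` are assumptions made for illustration, and the keys are constructed placeholders. It contrasts a client that resends pending messages as soon as the server announces a new key with one that holds them until the user has compared security codes.

```python
import hashlib
from dataclasses import dataclass, field


def security_code(key_a: bytes, key_b: bytes) -> str:
    """Simplified stand-in for a security code: digest of both public keys."""
    digest = hashlib.sha256(b"".join(sorted((key_a, key_b)))).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


@dataclass
class Sender:
    own_key: bytes
    block_on_key_change: bool                    # hypothetical client setting
    pinned: dict = field(default_factory=dict)   # contact -> trusted public key
    pending: dict = field(default_factory=dict)  # contact -> undelivered messages

    def queue(self, contact: str, key_from_server: bytes, text: str) -> None:
        # Trust on first use: remember the first key the server hands out.
        self.pinned.setdefault(contact, key_from_server)
        self.pending.setdefault(contact, []).append(text)

    def on_key_change(self, contact: str, new_key: bytes) -> list:
        """Return the messages that are re-encrypted to new_key and resent."""
        if new_key == self.pinned.get(contact):
            return []
        if self.block_on_key_change:
            return []  # hold everything until the user verifies the new key
        self.pinned[contact] = new_key  # accepted without user confirmation
        return self.pending.pop(contact, [])

    def verify_and_resend(self, contact: str, new_key: bytes, code: str) -> list:
        """User compared security codes out of band; resend only on a match."""
        if security_code(self.own_key, new_key) != code:
            return []
        self.pinned[contact] = new_key
        return self.pending.pop(contact, [])


# Constructed placeholder keys, not real key material.
ALICE, BOB_OLD, BOB_NEW, OTHER = b"A" * 32, b"B" * 32, b"C" * 32, b"X" * 32


def demo(block: bool) -> list:
    alice = Sender(ALICE, block_on_key_change=block)
    alice.queue("bob", BOB_OLD, "see you at 6")  # Bob is offline: stays pending
    return alice.on_key_change("bob", BOB_NEW)    # server announces a new key
```

With `block=False` the pending message is released to whatever key the server presented; with `block=True` it stays queued until `verify_and_resend` is called with a matching code.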
Of course there are two sides to every story; on the one hand, the original report that detailed the alleged vulnerability in January 2017 undoubtedly did so over the concern for privacy of users. WhatsApp responded in kind with a thorough report of their own, saying that “WhatsApp remains a great choice for users concerned with the privacy of their message content.”
Here at SnatchApp, we assure each and every one of our users that our end-to-end encryption is as secure as possible. We have no such “backdoor,” and make efforts daily to improve privacy and safety wherever we can. It is paramount for any platform that sees an exchange of information—regardless of the importance—to continuously evaluate the strength of protection they offer and the choices they make, which is why our primary principle of helping people stay in touch with those they care about equally means ensuring that communication is personal, private, and secure.