How Device Verification protects your WhatsApp account
- WhatsApp introduced a new security feature that makes it harder for attackers to abuse vectors such as malware on the device.
- This security feature, called device verification, requires no action or additional steps from users and helps protect your account.
- This feature is part of our broader work to keep our users safe from the growing threat of malware.
WhatsApp’s top priority is to ensure users can communicate privately, easily, and securely. One of the strongest tools at our disposal is end-to-end encryption – which means that nobody, not even WhatsApp, can read personal messages sent between users. However, while this protects messages from eavesdropping, we have increasingly seen attackers target the endpoints of communication – the mobile devices themselves – and we are strengthening our security mechanisms to keep user accounts secure.
In particular, we are concerned about malware that infects a phone in much the same way that a virus infects a computer. Malware is used to power ATO (Account Takeover) attacks, in which messages are sent from the account without the user’s knowledge or permission.
In our ongoing effort to protect people’s accounts and information on WhatsApp, we’re introducing a new security measure – called device verification – to help prevent ATO attacks. Device verification blocks the attacker’s connection while allowing the victim to use their WhatsApp account without interruption.
Why do we need device verification?
WhatsApp uses multiple cryptographic keys to ensure that communication through the app is end-to-end encrypted. One of them is the authentication key, which allows a WhatsApp client to connect to the WhatsApp server to re-establish a trusted connection. This authentication key allows users to use WhatsApp without having to enter a password, PIN, SMS code, or other credentials every time they turn on the app.
This mechanism is secure as the authentication key cannot be intercepted by third parties including WhatsApp. However, if a device is infected with malware, the authentication key can be stolen.
We are primarily concerned about the popularity of unofficial WhatsApp clients that contain malware designed for this purpose. These unofficial apps endanger users’ security – and that’s why we encourage anyone who uses WhatsApp to use the official WhatsApp app.
Once malware is present on user devices, attackers can use the malware to capture the authentication key and use it to impersonate the victim to send spam, scams, phishing attempts, etc. to other potential victims.
Device verification helps WhatsApp identify these scenarios and protect the user’s account without interruption.
How device verification works
WhatsApp developed device verification to capitalize on how people typically read and respond to messages sent to their device. When someone receives a message, their WhatsApp client wakes up and retrieves the offline message from the WhatsApp server. This process cannot be imitated by malware that steals the authentication key and attempts to send messages from outside the user’s device.
Device verification introduces three new parameters:
- A security token that is stored on the user’s device.
- A nonce used to identify whether a client is connecting to retrieve a message from the WhatsApp server.
- An authentication challenge used to asynchronously ping the user’s device.
Together, these three parameters prevent malware that has stolen the authentication key from connecting to the WhatsApp server from outside the user’s device.
How a security token is bootstrapped
Every time someone checks an offline message, the security token is updated to allow for seamless reconnection attempts in the future. This process is called bootstrapping the security token.
How a new client connection is validated
Every time a WhatsApp client connects to the WhatsApp server, we require the client to send us the security token that is on their device. This allows us to detect suspicious connections from malware trying to connect to the WhatsApp server from outside the user’s device.
What is an authentication challenge?
An authentication challenge is an invisible ping from the WhatsApp server to a user’s device. We only send these challenges for suspicious connections. There are three possible outcomes of a challenge:
- Success: The client responds to the challenge from the connecting device, so the challenged connection is the user’s own device.
- Failure: The client responds to the challenge from a different device. This means that the challenged connection is very likely from an attacker, and the connection will be blocked.
- No response: The client does not respond to the challenge. This situation is rare and indicates that the challenged connection is suspicious. We’ll try sending the challenge a few more times. If the client still doesn’t respond, the connection is blocked.
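The mechanism described above (a security token bootstrapped whenever the device retrieves offline messages, a token check on every new connection, and the three challenge outcomes) as an added toy model. This is example code, not WhatsApp’s implementation: the class and method names, the retry budget of three, the use of random 16-byte tokens, and the modelling of the asynchronous ping as a returned nonce are all assumptions made for the example.

```python
"""Toy model of device verification (added example, not WhatsApp's code).

Assumptions: the server hands out a random security token, rotates it when a
connection that carries the "retrieving messages" nonce fetches offline
messages, challenges any connection with a valid auth key but a stale token,
and blocks a challenged connection after MAX_CHALLENGE_RETRIES unanswered pings.
"""
import hmac
import secrets
from dataclasses import dataclass, field

MAX_CHALLENGE_RETRIES = 3  # assumed budget; the post only says "a few more times"


@dataclass
class Account:
    auth_key: bytes          # long-lived key; what on-device malware could steal
    security_token: bytes    # rotated every time the real device retrieves messages
    offline_messages: list = field(default_factory=list)
    challenges: dict = field(default_factory=dict)  # conn_id -> [nonce, retries]
    blocked: set = field(default_factory=set)


class VerificationServer:
    def __init__(self):
        self.accounts = {}
        self._next_conn = 0

    def register(self, account_id):
        """Initial login: hand the device an auth key and a first security token."""
        acct = Account(secrets.token_bytes(32), secrets.token_bytes(16))
        self.accounts[account_id] = acct
        return acct.auth_key, acct.security_token

    def queue_message(self, account_id, msg):
        self.accounts[account_id].offline_messages.append(msg)

    def connect(self, account_id, auth_key, security_token, retrieving_messages):
        """Validate a new connection. Returns (conn_id, status, payload)."""
        acct = self.accounts[account_id]
        self._next_conn += 1
        conn_id = self._next_conn
        if not hmac.compare_digest(auth_key, acct.auth_key):
            return conn_id, "rejected", None
        if hmac.compare_digest(security_token, acct.security_token):
            payload = None
            if retrieving_messages:
                # The nonce says this is a message retrieval: bootstrap a fresh
                # token and hand it back with the queued messages.
                acct.security_token = secrets.token_bytes(16)
                payload = (list(acct.offline_messages), acct.security_token)
                acct.offline_messages.clear()
            return conn_id, "accepted", payload
        # Valid auth key but stale or missing token: suspicious. Issue a
        # challenge; in practice it is pushed to the registered device.
        nonce = secrets.token_bytes(16)
        acct.challenges[conn_id] = [nonce, 0]
        return conn_id, "challenge", nonce

    def answer_challenge(self, account_id, responding_conn_id, nonce):
        """The device answered a challenge over connection responding_conn_id."""
        acct = self.accounts[account_id]
        for challenged_conn, (expected, _) in list(acct.challenges.items()):
            if hmac.compare_digest(expected, nonce):
                del acct.challenges[challenged_conn]
                if challenged_conn == responding_conn_id:
                    return "success"   # challenged connection is the real device
                acct.blocked.add(challenged_conn)
                return "failure"       # real device answered elsewhere: block it
        return "unknown"

    def challenge_timeout(self, account_id, challenged_conn_id):
        """No answer before the deadline: re-send a few times, then block."""
        acct = self.accounts[account_id]
        entry = acct.challenges.get(challenged_conn_id)
        if entry is None:
            return "unknown"
        entry[1] += 1
        if entry[1] >= MAX_CHALLENGE_RETRIES:
            del acct.challenges[challenged_conn_id]
            acct.blocked.add(challenged_conn_id)
            return "blocked"
        entry[0] = secrets.token_bytes(16)  # retry with a fresh nonce
        return "retry"

    def is_blocked(self, account_id, conn_id):
        return conn_id in self.accounts[account_id].blocked


def key_theft_scenario():
    """Constructed walk-through: malware copies the auth key and the token it
    sees, the real device then fetches a message (rotating the token), and the
    attacker connects from outside the device with the now-stale copy."""
    server = VerificationServer()
    auth_key, token = server.register("alice")
    stolen_key, stolen_token = auth_key, token
    server.queue_message("alice", "hi")
    device_conn, d_status, (msgs, token) = server.connect(
        "alice", auth_key, token, retrieving_messages=True)
    attacker_conn, a_status, nonce = server.connect(
        "alice", stolen_key, stolen_token, retrieving_messages=False)
    verdict = server.answer_challenge("alice", device_conn, nonce)  # device answers
    attacker2, _, _ = server.connect("alice", stolen_key, stolen_token, False)
    timeouts = [server.challenge_timeout("alice", attacker2)
                for _ in range(MAX_CHALLENGE_RETRIES)]
    return {"device_status": d_status, "messages": msgs,
            "attacker_status": a_status, "verdict": verdict,
            "attacker_blocked": server.is_blocked("alice", attacker_conn),
            "timeouts": timeouts,
            "attacker2_blocked": server.is_blocked("alice", attacker2)}


if __name__ == "__main__":
    print(key_theft_scenario())
```

The point the model makes concrete is that the stolen authentication key alone is not enough: because the token is replaced each time the genuine device retrieves a message, a copy taken earlier goes stale, the stale connection is challenged, and the genuine device’s answer arrives over a different connection, which is exactly the "failure" outcome that blocks the attacker.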
What’s next
Malware is a problem that increasingly threatens everyone’s security and privacy. Device verification has rolled out to 100% of WhatsApp users on Android and is currently rolling out to iOS users. It allows us to increase the security of our users without disrupting their service or adding an extra step they need to take. Device verification will serve as an important additional tool available to WhatsApp for addressing rare key-theft security challenges. We will continue to evaluate new security features to protect our users’ privacy.