While Facebook may be acquiring WhatsApp for a hefty $16 billion, the messaging company does not appear to be doing a good job of encrypting its messages. With over 450 million active users, that is quite a user base for government spies, hackers, and others to target.
WhatsApp's secure sockets layer (SSL) implementation still supports version 2 of the protocol (SSLv2), which can be broken and monitored by a third party. Messages flowing back and forth between WhatsApp users can even be manipulated. WhatsApp has also failed to use a technique known as certificate pinning, which is designed to block attacks that use forged certificates to bypass Web encryption.
Pinning allows an app to work only when communicating with a server that presents a specific certificate; because that certificate is hardwired into the app, the app simply rejects any connection that presents a different certificate, forged or otherwise. Security consultancy firm Praetorian has chimed in, with Paul Jauregui writing: "This is the kind of stuff the NSA would love. It basically allows them-or an attacker-to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk".
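As an added example (not code from the article or from WhatsApp), here is a Python client that applies the two defences the article describes: it refuses SSLv2, SSLv3 and older TLS by requiring TLS 1.2 or newer, and it checks the server's DER-encoded certificate against a pinned SHA-256 fingerprint before any application data is sent. The pin values, sample certificate bytes and host name are constructed placeholders.

```python
import base64
import hashlib
import socket
import ssl

# Constructed sample "certificate" bytes; a real pin would be computed from the
# DER certificate shipped with the app. Not WhatsApp's certificate.
SAMPLE_DER_CERT = b"constructed-der-certificate-bytes"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the raw DER certificate, base64-encoded (the usual pin format)."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


# Pin set hardwired into the client. A backup pin for the next certificate is
# normally included so that a planned rotation does not lock clients out.
PINNED_CERT_SHA256 = frozenset({cert_fingerprint(SAMPLE_DER_CERT)})


def check_pin(der_cert: bytes, pins=PINNED_CERT_SHA256) -> bool:
    """True only if the presented certificate matches one of the hardwired pins."""
    return cert_fingerprint(der_cert) in pins


def make_context() -> ssl.SSLContext:
    """Default context (CA verification + hostname check) with TLS 1.2 as the floor,
    so SSLv2/SSLv3 and TLS 1.0/1.1 cannot be negotiated, even under a downgrade attempt."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(host: str, port: int = 443, pins=PINNED_CERT_SHA256, timeout: float = 5.0) -> str:
    """Open a TLS connection, enforce the pin, and return the negotiated protocol version.
    Raises ssl.SSLError if the server presents a certificate that is not pinned."""
    ctx = make_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not check_pin(der, pins):
                raise ssl.SSLError(
                    f"certificate pin mismatch for {host}: {cert_fingerprint(der)}")
            return tls.version()


if __name__ == "__main__":
    # Hypothetical host; only succeeds if its certificate hash is in PINNED_CERT_SHA256.
    print(connect_pinned("example.invalid"))
```

Pinning the whole certificate, as the article describes, means the pin set must be updated whenever the certificate is reissued; pinning the public key instead survives reissues that keep the same key.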