On the occasion of the recent publication of the report on the principal risks of using WhatsApp, carried out by the CCN-CERT (Information Security Incident Response Capacity of the National Cryptologic Center, CCN), we wanted to highlight the main security measures in place record with this WhatsApp.

1. Avoid having our account stolen by spoofing our phone number.

Due to a severe vulnerability in GSM networks, particularly in the SS7 protocol used, among other things, for making and ending calls, it would be possible to hack a cell phone simply by knowing the phone number, causing the phone network to believe that’s the number.

Since it is a GSM network failure and not the application (it affects WhatsApp and most applications that have an SMS or a call as an identity verification method), it is not possible to explain it directly. Alternatively, CCN-CERT recommends enabling the “Show security notifications” option.

  • We open the WhatsApp application and go to the settings.
  • In Settings, click Account > Security.
  • We activate the tab to show us security notifications.

Each chat started has a unique security code that secures that chat’s communication and encrypts calls and messages from end to end.

This security code can change because a contact reinstalls the application, changes their phone, or has been the victim of an attack.

2. Prevent them from seeing our messages even if we delete them.

If we delete a message, conversation, or group. It doesn’t disappear but is marked as free and can be overwritten by another discussion in the future, but in the meantime, it’s still on our phone.

The only solution to securely delete a message or conversation that we have deleted is to uninstall and reinstall the application. We must keep in mind that any existing backup copies will not be deleted during this operation.

3. Avoid the use of public Wi-Fi networks.

When connecting to the WhatsApp application servers, sensitive information about the user is exchanged in plain text, e.g., e.g.:

  • phone operating system.
  • WhatsApp version.
  • Phone number.

Therefore, to use the application as much as possible, we must avoid using public Wi-Fi networks. If we are force to use them, it is advisable to use a VPN connection.

4. Prevent account theft through physical access.

If an attacker has physical contact with the phone, they can emulate a terminal and steal our account through SMS verification or call verification.

  • In the case of SMS verification: if an attacker gets into our phone and the SMS preview is active on the lock screen, they can read the activation message and transfer the account to another terminal.
  • When verifying by call: It’s more complicated because we can’t set a pattern to unblock calls. The only thing we tin do is assemble the numbers use by the application to make confirmation calls and block them from the terminal.

WhatsApp stores the application’s database locally on the phone, so depending on the version, if a user can access it, some tools allow decryption of the data and, therefore, access to all the information.

Impersonation using WhatsApp Web

WhatsApp Web allows us to use the messaging application from any computer through the browser. You must enter this link and scan the QR code that appears on the screen with our terminal to activate it.

Attackers use fake promotions or discounts on products to trick the victim into scanning a QR code and directly trick them into taking advantage. What this attacker is doing is stealing credentials.

Facebook like WhatsApp

When Facebook acquired WhatsApp in 2014, the creators of the application pledge that they would continue to operate independently from Facebook, stating in an official blog post that “respect for your privacy is encoding in our DNA and we built WhatsApp around that goal, so.” learn as little as possible about you.

This policy was follow until August 2016. With a new update of the application, if the user gives their consent. Their data will be transfer to Facebook and Mark Zuckerberg’s other companies for “various activities.”

Finally, we leave you some security recommendations for mobile terminals.

  • Always keep the phone locked: to prevent access to our information if the phone falls into someone else’s hands. Also, remove preview of messages.
  • Be careful with the permissions applications ask for. For example, a camera app doesn’t need permission to use the phone.
  • Know the risks of “rooting” or “jailbreaking” the terminal, as this can seriously compromise your security.
  • Disable the connections when we are not using—WiFi, Bluetooth, etc.