The discussion over WhatsApp’s security started when the Guardian reported on a security loophole that seemingly made it possible for WhatsApp and Facebook to read encrypted messages. Other security experts quickly weighed in, however, including the company that developed the encryption technology WhatsApp uses, and defended the app’s implementation of encryption.
The WhatsApp “backdoor”, according to the Guardian’s reporting, was made possible by the regeneration of the unique security keys that encrypt messages: WhatsApp can force the generation of new encryption keys, without notifying the user, and have the sender’s app re-encrypt with the new keys and resend any messages that had not yet been received. This, allegedly, makes it possible for WhatsApp to access its users’ messages.
However, Open Whisper Systems, the creator of the Signal Protocol on which WhatsApp’s encryption is based, quickly responded in defence of WhatsApp’s implementation. The main issue is how “in-flight” messages, which have been sent but not yet received, are handled. In WhatsApp’s case, a new key is generated and the message is resent, with the user receiving a notification.
Many privacy and encryption experts called key-change handling a normal part of cryptography and defended WhatsApp’s approach. For instance, the EFF acknowledged that it was indeed a “vulnerability”, but said it did not constitute a “backdoor”; rather, it was a security trade-off, and a defensible one in the EFF’s view.
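To make the trade-off concrete, here is a small added model (not WhatsApp’s or Signal’s code) of how a sender can treat in-flight messages when a recipient’s key changes: either automatically re-encrypt and resend them and notify the user afterwards, or hold them until the user accepts the new key. Peer names, key identifiers and policy names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed model of a sending client. Keys are opaque identifiers; a message
# is "in flight" from the moment it is sent until the recipient acknowledges it.

@dataclass
class InFlight:
    text: str
    key_id: str  # identity key the message was encrypted to


@dataclass
class Sender:
    policy: str  # "resend_and_notify" or "block_until_verified" (hypothetical names)
    trusted_key: Dict[str, str] = field(default_factory=dict)   # peer -> trusted key id
    pending: Dict[str, List[InFlight]] = field(default_factory=dict)
    notices: List[str] = field(default_factory=list)            # what the user is told

    def send(self, peer: str, text: str) -> None:
        self.pending.setdefault(peer, []).append(InFlight(text, self.trusted_key[peer]))

    def stale(self, peer: str, new_key: str) -> List[InFlight]:
        # Unacknowledged messages encrypted to a key that is no longer current.
        return [m for m in self.pending.get(peer, []) if m.key_id != new_key]

    def on_key_change(self, peer: str, new_key: str) -> List[str]:
        """Server announces a new key for `peer` while messages are unacknowledged.
        Returns the texts that get re-encrypted and resent right away."""
        stale = self.stale(peer, new_key)
        if not stale:
            return []
        if self.policy == "resend_and_notify":
            # Trust the new key, re-encrypt the queued messages to it, resend,
            # and only then show the user a "security code changed" notice.
            self.trusted_key[peer] = new_key
            for m in stale:
                m.key_id = new_key
            self.notices.append(f"{peer}: security code changed; {len(stale)} message(s) resent")
            return [m.text for m in stale]
        # block_until_verified: nothing is re-encrypted until the user accepts the key.
        self.notices.append(f"{peer}: security code changed; {len(stale)} message(s) held")
        return []

    def accept_new_key(self, peer: str, new_key: str) -> List[str]:
        """User verifies the new key out of band; held messages are now resent."""
        self.trusted_key[peer] = new_key
        held = self.stale(peer, new_key)
        for m in held:
            m.key_id = new_key
        return [m.text for m in held]
```

The first policy never loses a message but re-encrypts it to a key the user has not yet checked; the second protects the in-flight message at the cost of the user having to act before it is delivered.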
For anyone interested in encryption in “private” messaging apps, this comparison is a useful resource. The most secure service seems to be Signal, which was designed as a secure messaging service first and foremost.
WhatsApp, one of the most used mobile messaging services, is undoubtedly used by countless journalists around the world who may presume the app is a secure way of communicating with their sources.
More generally, some commentators pointed out that the discussion over messaging security seems to have moved on from whether encryption should be used to how it is implemented.