Facebook advised to give WhatsApp a security review

WhatsApp, the mobile messaging service Facebook bought for $19 billion, has several security weaknesses that experts say are worth addressing.

[WhatsApp could face prosecution on poor privacy]

None of the flaws found this week by app security vendor Praetorian are critical. Instead, they represent lapses in best practices for securing mobile apps.

“For the most part, these are not high-risk flaws,” Andrew Hoog, chief executive of mobile security vendor viaForensics, said.

The weaknesses, which are common in many mobile apps, include not enforcing SSL (Secure Sockets Layer) pinning when WhatsApp establishes the connection between the mobile phone and the company’s backend server. SSL pinning involves having the client check the server’s certificate against trusted validation data.

The process adds an extra step to the normal SSL protocol, which is not difficult to implement, but could affect users in an environment like WhatsApp’s, which comprises 450 million people sending messages across many different mobile devices, experts say.

Like most security decisions the impact on users has to be weighed against the threat, which in this case is not severe, because of the difficulties an attacker would face in trying to intercept traffic.

To exploit the lack of SSL pinning, an attacker would have to make an independent connection capable of eavesdropping on the message traffic, then figure out a way to force the client to downgrade its built-in security for Internet connections and get a rogue certificate to replace the one used by WhatsApp.

Nevertheless, SSL pinning is a precaution more developers are taking.

“Very few apps did certificate pinning a year ago. We’re seeing more of them do it today,” Hoog said. “It’s definitely a best practice.”

Another best practice no-no found with WhatsApp is allowing its backend servers to use weak 40-bit and 56-bit encryption schemes. In a man-in-the-middle attack, a hacker could downgrade communications to the lower schemes, which would make a brute-force attack against the encryption possible.

“We would encourage them to get rid of the 40-bit and 56-bit ciphers, but those are just changes they could do server-side,” Hoog said. “It would help improve security, but it might lose a few folks (users).”

Whether Facebook will make significant changes in WhatsApp security remains to be seen. The social network has lots of options, given how security is a work in progress in mobile app development, which is relatively new.

[Privacy suit against Facebook a warning for businesses]

“Mobile is still a new frontier for many developers,” Paul Jauregui, vice president of marketing for Praetorian, said.

In general, missing a best practice or two won’t pose a significant risk, but the more mistakes make, the more vulnerable an app becomes, experts say.