Despite its acclaimed encryption protocol, the popular messaging app has come under fire a few times in recent years (and, er, yesterday) for numerous vulnerabilities, raising questions about its security. Experts caution there also could be tradeoffs when connecting multiple devices to any encrypted communication app. “[The question] is not just adding more devices, but are they always secure?” Steven M. Bellovin, a computer science professor at Columbia University, told Lifewire in a phone interview. “The security phrase is ‘attack surface’—in how many places can you be attacked, and in how many different ways?”
Technically Secure
According to Bellovin, one of the more challenging issues to address about securing multiple devices under one account starts with the basic foundations of encryption. “All encryption depends on a secret key,” Bellovin said, comparing encryption keys to car keys that can only start the car they belong to. “Every person has to have their own. That’s why you can read it and nobody else can.” Because every app that relies on end-to-end encryption (E2EE) uses a specific protocol based on the underlying principles of key handling and namespace (the latter is usually the user’s phone number), Bellovin said the challenge is finding a way to securely move keys and authenticate owners on multiple devices—something he said is “not an easy question.”
Keys to the Kingdom
Like its competitors, WhatsApp already allows users to log in on a computer so long as they’re also logged into the smartphone associated with their key (the company says it then mirrors the account). Under the beta system, though, each synced device will have its own key—allowing users to log into four additional devices without a phone. “E2EE normally uses a single encryption key per user, who needs to copy the key to every device they want to use… That’s why WhatsApp, until now, has only supported one device—because it’s hard to keep that encryption key safe and secure while moving it to multiple devices,” John S. Koh, a security researcher whose work has focused on a multi-device E2EE approach called per-device keys (PDK), told Lifewire in an email. “With PDK, instead of users having only a single encryption key, each of a user’s devices has its own encryption key. WhatsApp seems to take this concept and refers to the device keys as ‘identity keys,’” Koh said. “One of the benefits of E2EE on multiple devices using my, and presumably WhatApp’s, approach relying on one key per device, is that the usage model is much easier to understand for users. The tradeoff is the edge case of users losing their devices and needing to remove its access, which could sometimes be a laborious process.”
More Devices, Same Solutions
“The answer to whether something is secure always begins with another question, which is, ‘What are your needs?’” Maritza Johnson, a security and privacy expert and center director at the University of San Diego, told Lifewire in a phone interview. To address individual security needs, Facebook said in a blog post that WhatsApp plans to offer the ability to view all devices linked to an account, see when they were last used, and log out remotely—something Johnson said is important, especially for victims of partner abuse who are sometimes targets of cyberstalking. “You don’t want your ex-boyfriend’s phone to be getting a copy of everything and you don’t know, or you don’t know how to shut it off,” Johnson said. “It’s a personal decision, if you want to sign into your WhatsApp account on a shared device, and think through what the implications of that would be.” Johnson also stressed the importance of making sure every linked device is password-protected to avoid someone else physically accessing it—something the strongest encryption can’t protect against. “Any laptop, tablet, or other device that you’re using with the same account, you’ll want to be sure that you have the same base level of security on all of those…so that somebody can’t just swipe to open,” Johnson said.