Is it safe to message other apps from WhatsApp? | Kaspersky official blog

Credit to Author: Stan Kaminsky | Date: Fri, 19 Apr 2024 10:38:15 +0000

The EU’s Digital Markets Act (DMA) requires major tech companies to make their products more open and interoperable in order to increase competition. Thanks to the DMA, iOS will soon permit third-party app stores to be installed on it, and major messaging platforms will need to allow communication with other similar apps — creating cross-platform compatibility. Meta (Facebook) engineers recently detailed how this compatibility will be implemented in its WhatsApp and Messenger.

The benefits of interoperability are clear to anyone who’s ever texted or emailed. You’ll be able to send or receive messages without worrying about what phone, computer, or app the other person is using, or what country they’re in. However, there are downsides: first, third parties (from intelligence agencies to hackers) often have access to your correspondence; second, such messages are prime targets for spam and phishing. So, will the DMA be able to ensure provision of interoperability and its benefits, while eliminating its drawbacks?

It’s important to note that while the DMA’s impact on the iOS App Store will only affect EU users, cross-platform messaging will likely impact everyone — even if it will be only EU partners that connect to the WhatsApp infrastructure.

Can you chat on WhatsApp with users of other platforms?

Theoretically, yes, but not yet in practice. Meta has published specifications and technical requirements for partners who want their apps to be interoperable with WhatsApp or Messenger. It’s now up to these partners to climb aboard and develop a working bridge between their service and WhatsApp. To date, no such partnerships have been announced.

Owners and developers of other messaging services may be reluctant to implement such functionality. Some consider it insecure; others are unwilling to invest resources into rather complex integration. Meta requires potential partners to implement end-to-end encryption (E2EE) no weaker than in WhatsApp, which is a significant challenge for many platforms.

Even when (or if) third-party services show up, only those WhatsApp users who explicitly opt-in will be able to message across platforms. It won’t be enabled by default.

What will such messaging look like?

Based on WhatsApp beta versions, messages with users on other platforms will be housed in a separate section of the app to distinguish them from chats with WhatsApp users.

Initially, only one-on-one messaging and file/image/video sharing will be supported. Calls and group chats won’t be available for at least a year.

User identification remains an open question. In WhatsApp, users find each other by phone number, while on Facebook, they do it by name, workplace, school, friends of friends, or other similar identifiers (and ultimately by a unique ID). Other platforms might use incompatible identifiers, like short usernames in Discord, or alphanumeric IDs in Threema. This is likely to impede automatic search and user matching, and at the same time facilitate impersonation attacks by scammers.

Encryption challenges

One of the key challenges with integrating different messaging platforms is implementing reliable encryption. Even if two platforms use the same encryption protocol, technical issues arise regarding storage and agreement of keys, user authentication, and more.

If the encryption method differs significantly, a bridge — an intermediary server that decrypts messages from one protocol and re-encrypts them into another — will likely be needed. If it seems to you that this is a man-in-the-middle (MITM) attack waiting to happen, where hacking this server would allow eavesdropping, your misgivings would be on the money. The failed Nothing Chats app, which used a similar scheme to enable iMessage on Android, recently demonstrated this vulnerability. Even Meta’s own efforts are illustrative: encrypted messaging between Messenger and Instagram was announced over five years ago, but full-scale encryption in Messenger only arrived last December, and seamless E2EE in Instagram remains not fully functional to this day. As this in-depth article explains, it’s not a matter of laziness or lack of time, but rather the significant technical complexity of the project.
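The difference between a decrypt-and-re-encrypt bridge and a relay that only forwards end-to-end ciphertext, as an added example (not from the article or from Meta's specification). The cipher is a toy encrypt-then-MAC construction built from the standard library, and the keys, message and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Toy encrypt-then-MAC cipher from the standard library, for illustration only.
def _keys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(enc_key, nonce, data):
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc_key, mac_key = _keys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, nonce, ct)

def bridge(blob, key_a, key_b, alter=None):
    """Translating bridge: holds both hop keys, so it must handle plaintext."""
    seen = unseal(key_a, blob)
    return seen, seal(key_b, alter(seen) if alter else seen)

def relay(blob, alter=None):
    """End-to-end relay: holds no keys and forwards opaque bytes."""
    return alter(blob) if alter else blob

def demo_bridge(msg=b"Meet at 18:00"):
    key_a, key_b = os.urandom(32), os.urandom(32)  # constructed per-hop keys
    seen, out = bridge(seal(key_a, msg), key_a, key_b, lambda p: p.replace(b"18", b"21"))
    return seen, unseal(key_b, out)  # recipient's integrity check passes on altered text

def demo_e2ee(msg=b"Meet at 18:00"):
    key = os.urandom(32)  # constructed key known only to the two endpoints
    blob = relay(seal(key, msg), lambda b: b[:16] + bytes([b[16] ^ 1]) + b[17:])
    try:
        unseal(key, blob)
        return "accepted"
    except ValueError:
        return "rejected"
```

With the bridge, the recipient's authentication check only proves the message came from the bridge, not from the sender; with an end-to-end key, any change made in transit fails verification.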

Cryptographers are generally highly skeptical about the idea of cross-platform E2EE. Some experts believe the problem can be solved — for example, by placing the bridge directly on the user’s computer or by having all platforms adopt a single, decentralized messaging protocol. However, the big fish in the messaging market aren’t swimming in that direction at all. It’s hard to accuse them of idleness or inertia — all practical experience demonstrates that reliable and user-friendly message encryption within open ecosystems is difficult to implement. Just look at the saga of PGP encryption in email, and the confessions of top cryptography experts.

We’ve compiled information on the WhatsApp/Messenger integration plans of major communication platforms, and assessed the technical feasibility of cross-platform functionality:

| Service | Statement on WhatsApp compatibility | Encryption compatibility |
|---|---|---|
| Discord | None | No E2EE support, integration unlikely |
| iMessage | None | Uses own encryption — comparable in strength to WhatsApp |
| Matrix | Interested in technical integration with WhatsApp, and supports the DMA in general | Uses own encryption — comparable in strength to WhatsApp |
| Signal | None | Uses the Signal protocol, as does WhatsApp |
| Skype | None | Uses the Signal protocol, as does WhatsApp, but for private conversations only |
| Telegram | None | Most chats are unencrypted, and private conversations are encrypted with an unreliable algorithm |
| Threema | Concerned about privacy risks associated with WhatsApp integration. Integration unlikely | Uses own encryption — comparable in strength to WhatsApp |
| Viber | None | Uses own encryption — comparable in strength to WhatsApp |

Security concerns

Beyond encryption issues, integrating various services introduces additional challenges in protecting against spam, phishing, and other cyberthreats. Should you receive spam on WhatsApp, you can block the offender there and then. After being blocked by several users, the spammer will have limited ability to message strangers. To what extent such anti-spam techniques will work with third-party services remains to be seen.

Another issue is the moderation of unwanted content — from pornography to fake giveaways. When algorithms and experts from not one but two companies are involved, response speed and quality are bound to suffer.

Privacy concerns will also become more complex. Say you install the Skype app — in doing so, you share data with Microsoft, which will store it. However, as soon as you message someone on WhatsApp from Skype, certain information about you and your activity will land on Meta’s servers. Incidentally, WhatsApp already has a so-called guest agreement in place for this case. It’s this issue that the Swiss team behind Threema finds unsettling, for fear that messaging with WhatsApp users could lead to the de-anonymization of Threema users.

And let’s not forget that the news of cross-platform support is music to the ears of malware authors — it will be much easier to lure victims with “WhatsApp mods for messaging with Telegram” or other fictitious offerings. Of all the issues, however, this one is the easiest to solve: just install apps only from official stores and use reliable protection on your smartphones and computers.

What to do?

If you use WhatsApp and want to message users of other services

Count up roughly how many non-WhatsAppers there are in your circle who use other platforms that have announced interoperability with WhatsApp. If there aren’t many, it’s better not to enable support for any and all third-party messengers: the risks of spam and unwanted messages outweigh the potential benefits.

If there are many such people, consider whether you discuss confidential topics. Even with Meta’s encryption requirements, cross-platform messaging through a bridge should be considered vulnerable to interception and unauthorized modification. Therefore, it’s best to use the same secure messenger (such as Signal) for confidential communication.

If you decide that WhatsApp + third-party messenger is the winning formula, be sure to max out the privacy settings in WhatsApp, and be wary of odd messages, especially from strangers, but also from friends on unusual topics. Try to double-check that the sender is who they claim to be, and not some scammer messaging you through a third-party service.

If you use another messenger that has announced interoperability with WhatsApp

While gaining access to all WhatsApp users within your favorite messenger is appealing, if you use a different messenger for increased privacy, connecting to WhatsApp will likely diminish it. Meta services will collect certain metadata during conversations, potentially leading to account de-anonymization, and the encryption bridge may be vulnerable to eavesdropping. In general, we don’t recommend activating this feature in secure messengers, should it ever become available.

Tips for everyone

Beware of “mods” and little-known apps that promise cross-platform messaging and other wonders. Lurking behind the seductive interface is probably malware. Be sure to install protection on your computer and smartphone to prevent attackers from stealing your correspondence right inside legitimate messengers.

