Last spring, Whatsapp announced that every message on its service is delivered with end-to-end encryption, meaning no one, not even Whatsapp, can tell what's inside. Now, a report by The Guardian cites a security researcher claiming that its implementation is open to being backdoored or hijacked by government agencies. Whatsapp, and the people who helped design the implementation for its secure messaging, state this isn't the case, and instead, reflects a user experience design decision that isn't putting users at risk.
Whatsapp's secure messaging was implemented with help from Open Whisper Systems -- makers of the secure messaging app Signal -- and on its blog, the company explains how things work. Based on its Signal Protocol (also used for encrypted messaging in Google's Allo), each client is identified by a public key that's shared with other people, and a private key on the device. Because people change phones, or uninstall and reinstall apps, the pair of keys can change. Users can ensure their communication is secure by checking the security code displayed on each end, if it matches, then they can be sure their messages aren't subject to a man-in-the-middle (MITM) attack by a third party.