Your WhatsApp conversations may not be as safe as you think

One of the most popular cross-platform mobile applications, used as a replacement for messaging and sharing multimedia, is under scrutiny for being insecure. Yes, we are talking about none other than WhatsApp. We have seen previous instances of idiocy here, but the victims there were mostly financial institutions and their reputations, which not a lot of people really care about.

It has been reported by Sam Granger that WhatsApp on Android uses your phone IMEI to generate its passwords:

md5(strrev('your-imei-goes-here'))

A little later, it seems WhatsApp did something about it! Judging by the comments section of Sam Granger’s blog, the trick no longer works. Yeah… WhatsApp actually did something about it! Great… but hold your excitement, because not everything is what it seems.

Recently, Ezio Amodio reported that WhatsApp on iOS is back to its old password trickery. This time it is using the iPhone’s MAC address to generate the password, like so:

md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF)

Our dear friends at H-Online have verified the blog post, and just being on H-Online means something.
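
To make the weakness concrete, here is an added example (not code from WhatsApp, Sam Granger or Ezio Amodio) that reproduces the two derivations quoted above, uses them as an audit check for device-derived credentials, and sets a randomly issued credential beside them. The helper names and the sample IMEI are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

def legacy_android_password(imei: str) -> str:
    # Scheme quoted above: md5(strrev(imei)).
    return hashlib.md5(imei[::-1].encode("utf-8")).hexdigest()

def legacy_ios_password(mac: str) -> str:
    # Scheme quoted above: md5 of the MAC address written twice in a row.
    return hashlib.md5((mac + mac).encode("utf-8")).hexdigest()

def is_device_derived(credential: str, imei: Optional[str] = None,
                      mac: Optional[str] = None) -> bool:
    # Audit check (hypothetical helper): is this credential exactly what
    # one of the legacy schemes yields from the device's own identifiers?
    candidates = []
    if imei:
        candidates.append(legacy_android_password(imei))
    if mac:
        candidates.append(legacy_ios_password(mac))
    cred = credential.encode("utf-8")
    return any(hmac.compare_digest(cred, c.encode("utf-8")) for c in candidates)

def issue_credential() -> Tuple[str, str]:
    # Hardened form: 256 bits from the OS CSPRNG, unrelated to any identifier.
    # The token goes to the client once; the server keeps only its digest.
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("utf-8")).hexdigest()

def verify_credential(presented: str, stored_digest: str) -> bool:
    # Constant-time comparison of the digest of what the client presents.
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)

# Constructed sample identifiers, not taken from any real device.
SAMPLE_IMEI = "490154203237518"
SAMPLE_MAC = "AA:BB:CC:DD:EE:FF"

if __name__ == "__main__":
    old = legacy_android_password(SAMPLE_IMEI)
    print("identifier-derived:", old, is_device_derived(old, imei=SAMPLE_IMEI))
    token, digest = issue_credential()
    print("random credential flagged:", is_device_derived(token, SAMPLE_IMEI, SAMPLE_MAC))
    print("random credential verifies:", verify_credential(token, digest))
```

The legacy values are fully determined by an identifier that the device exposes to other apps, networks and carriers, so hashing adds no secrecy; the random token has no such input to recover it from.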

So what sucks about WhatsApp? Their security, privacy and their shyness.

The EFF based its newest Who Has Your Back report on five basic criteria:

Follows Industry-Accepted Best Practices
Tells Users About Government Data Requests
Discloses Policy on Data Retention
Discloses Government Content Removal Requests
Pro-User Public Policy: Opposes Backdoors

The prominent privacy advocacy group analyzed 24 companies in total, and among them AT&T, Verizon and WhatsApp came out worst at protecting the data of their users.

Where Verizon met two of the EFF criteria, WhatsApp and AT&T just met.

AT&T, Verizon and WhatsApp have some of the worst policies when it comes to protecting the personal data of their users from the government.

Here is some advice from the EFF to WhatsApp: publicly require an order before handing over user content, publish a law enforcement guide and a transparency report, adopt a stronger policy of informing users of government requests, and publish its data retention policy.

Also, Google and Microsoft earned only three stars each. That’s not really up to the mark for two companies claiming some level of respect and trust when it comes to the protection of personal data.

However, the EFF report also says that Microsoft has made improvements to its business practices and will be in a position to earn a fourth star in September.

Companies that earned the full five out of five stars on the EFF’s privacy scoreboard are Adobe, Apple, Yahoo, Dropbox, WordPress, Wickr, Credo Mobile, Sonic and Wikimedia.

 

[Image: the EFF’s chart of results]

You can see the results for every single company in the EFF’s chart above, and if you want a more detailed explanation, you can access the full EFF report here.