Privacy is essential to our online activities, and especially so in private conversations. WhatsApp is one of the most popular encrypted messaging apps available on Android, and Meta developers regularly reiterate the app’s focus on privacy. The company uses open-source encryption methods and is rather transparent about the implementations, too. However, all these aspects mean little to WhatsApp users if they cannot see the encryption in action. For this, the developers incorporated a utility that lets you verify the encryption status of a chat manually. Now, the latest beta update is automating this encryption verification process, so it no longer needs your intervention.

WhatsApp has used end-to-end encryption (E2EE) for all its messages, media, and features since the feature’s rollout in 2016. WhatsApp white papers reveal individual messages are encrypted with the Signal Protocol (not to be confused with the messaging app of the same name), an open-source protocol you can audit on GitHub. That transparency does not weaken your chats with an individual: each message is encrypted on your device, and only the intended recipient holds the cryptographic key needed to decrypt it. The system ensures nobody else can decode the message — not even WhatsApp itself.


Options currently available for security verification in the stable version

Although the underlying cryptographic keys are long, unreadable strings, WhatsApp uses concatenation and mathematical operations to reduce them to 60-digit codes, split into chunks of five for readability. This code is unique for every conversation and also varies by device. That’s probably because linked devices now communicate directly with WhatsApp servers instead of routing messages through the primary phone. In group chats, every pair of participants shares a unique key. Although every WhatsApp message has a unique cryptographic key, the support documentation also reveals the 60-digit code won’t change every time you send a message.


To see this concatenated code for manual verification, open any chat, then tap the contact name → Encryption. The section also has a QR code that your contact can scan with their device to verify encryption. If the 60-digit code doesn’t match, or the QR code scan fails, it may indicate a man-in-the-middle attack, or you may be checking the code for the wrong chat. This is a tedious manual process, despite the use of a QR code. Back in April, WhatsApp promised to automate this feature while announcing two other important security-related changes that were supposed to go live in subsequent months.

Automated security code verification in progress on the latest WhatsApp beta

The messaging app is finally fulfilling this promise with beta version 2.23.19.15 of the app available on the Play Store, WABetaInfo reports. Two older versions, 19.13 and 19.14, are also marked compatible. With this, WhatsApp removes the need for human involvement in the verification process. In a technical white paper dedicated to the automation of the process, the company’s engineers explain that it uses an open-source, Rust-based auditable key directory (AKD) of the publicly listed keys linked to user accounts, where anyone can track changes to the keys. While publishing keys might seem to contradict E2EE, these public keys are only used to encrypt messages, while the decryption keys remain limited to users’ devices to ensure privacy.

WhatsApp explains that conventional keys for participant pairs in group chats need to be regenerated every time even a single participant changes their device, enrolls a new device, joins the chat, or leaves it. That’s 4,950 pairs of security verifications for a 100-member chat. Multiply that by the millions of people using WhatsApp every day, and it is evident the security verification system strains the company’s processing resources considerably. This new key transparency system doesn’t replace the manual checks, but supplements them by allowing any one user in a pair to auto-verify their encryption status against the public AKD, significantly reducing the number of checks required between pairs of users. You can always fall back on the QR scan or the 60-digit code if you prefer manual verification.
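To make the two ideas above concrete, here is an added illustration (not WhatsApp’s or Signal’s own code, and not their actual parameters) of how a pair’s public keys are reduced to a 60-digit code split into groups of five, why a substituted key shows up as a mismatch when the two devices compare codes, and how the number of pairwise checks grows with group size. The iteration count, version prefix, chunk layout and the sample keys and IDs are all constructed assumptions for the example.

```python
import hashlib
import hmac

# Assumed parameters for this illustration, not WhatsApp's actual ones: a
# 2-byte version prefix, 5200 hash iterations, and six 5-digit chunks per
# party, so the two halves together form the 60-digit code.
VERSION = b"\x00\x00"
ITERATIONS = 5200
CHUNKS_PER_PARTY = 6

def party_fingerprint(identity_key: bytes, user_id: bytes) -> str:
    """Reduce one party's public identity key to a 30-digit string."""
    digest = VERSION + identity_key + user_id
    # Iterated hashing makes it costly to search for a key whose short code
    # collides with the genuine one; each 5-byte block becomes 5 digits.
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    chunks = []
    for i in range(CHUNKS_PER_PARTY):
        block = digest[5 * i:5 * i + 5]
        chunks.append("%05d" % (int.from_bytes(block, "big") % 100000))
    return "".join(chunks)

def safety_code(key_a: bytes, id_a: bytes, key_b: bytes, id_b: bytes) -> str:
    """Concatenate both halves; sorting makes the code identical on both devices."""
    halves = sorted([party_fingerprint(key_a, id_a), party_fingerprint(key_b, id_b)])
    return "".join(halves)

def format_code(code: str) -> str:
    """Split the 60 digits into twelve groups of five for display."""
    return " ".join(code[i:i + 5] for i in range(0, len(code), 5))

def codes_match(local: str, scanned: str) -> bool:
    """Constant-time comparison of the locally derived and scanned codes."""
    return hmac.compare_digest(local.encode(), scanned.encode())

def pairwise_checks(members: int) -> int:
    """Participant pairs in a group, each needing its own verification."""
    return members * (members - 1) // 2

# Constructed sample keys: hashes of labels stand in for 32-byte public keys.
ALICE_KEY = hashlib.sha256(b"alice").digest()
BOB_KEY = hashlib.sha256(b"bob").digest()
ROGUE_KEY = hashlib.sha256(b"substituted-key").digest()
ALICE_ID, BOB_ID = b"+15550001", b"+15550002"
ALICE_VIEW = safety_code(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
BOB_VIEW = safety_code(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
# What Alice would derive if a relay handed her a substituted key for Bob:
TAMPERED_VIEW = safety_code(ALICE_KEY, ALICE_ID, ROGUE_KEY, BOB_ID)
```

Both genuine devices derive the same 60 digits, while the tampered view differs, which is exactly what a manual QR scan or code comparison surfaces; the AKD described above lets one side check its copy of the key against the public directory instead of performing every pairwise comparison.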

Most importantly, WhatsApp already hosts an AKD for all its users, irrespective of the app version and operating system they are using. So, it’s a matter of time before automatic verification rolls out in the stable channel, significantly reducing the strain of security verifications on WhatsApp servers, and automating them with an auditable public directory for all its users.