A “surprising” new warning for WhatsApp users has suddenly hit this week, with some security experts advising users to delete their apps. The same issue also impacts Signal—but with its vast user base, WhatsApp is the real problem.

The risk affects Apple users who use the multi-device functionality offered by both messaging platforms. While the primary WhatsApp and Signal iOS apps are considered secure, the companion apps for macOS have been exposed as a significant security risk.

The warning comes from researcher Tommy Mysk, who has generated a stellar reputation in recent years exposing such vulnerabilities. When you install WhatsApp and Signal on your Mac, he told me, the apps “store their local data in a location accessible to any app or process run by the user. This includes the chat history, the very thing such apps are marketed to protect with end-to-end encryption.”

Storing chat data locally is not in itself an issue; Apple does the same with iMessage. But whereas Apple sandboxes that iMessage data so other apps cannot read it, the other messengers do not. The exact issue differs between the two apps, Mysk warns, but the end result is the same. “Surprisingly, both the macOS apps of Signal and WhatsApp store their local data in a location accessible to any app or process run by the user.”

Endpoint compromise has always been the threat where these fully encrypted platforms are concerned. The transmission is deemed secure enough that law enforcement and security agencies lobby for formal backdoors to be introduced, most recently via Europe’s dangerous “chat control” proposal.

Clearly, if you have physical access to an unlocked device, you can see everything. Physical access is a major hurdle; remote access is the real prize. “WhatsApp doesn’t encrypt the local database that stores chat histories,” Mysk told me. “It doesn’t encrypt media attachments sent through the chat either. A simple malware could theoretically monitor this data and send it live to a remote server, rendering end-to-end encryption useless.” That is the issue here: does this desktop vulnerability open the door to some form of remote or planted, ongoing attack?

Signal’s issues are different. While it does encrypt the local chat history, Mysk says, “it doesn’t encrypt media attachments.” And that protection is undermined because the encryption key for the local chat history “is stored in plain text—in the same folder and also accessible to all apps… Signal’s false sense of security extends to their back-end servers. When copying the entire folder containing the app’s local data and moving the copy to a different Mac, an attacker can restore the session. Signal servers let the ‘cloned’ session co-exist with the other legit sessions.”
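The two weaknesses described above can be checked on disk without any special tooling: an unencrypted SQLite database still begins with the plaintext SQLite header, a cached attachment still begins with its media type’s magic bytes, and a key kept next to the database is simply a string in a config file. The following audit script is an added example, not code from the article, from Mysk, or from Signal or WhatsApp. The folder layout it builds for its demo (a `ChatStorage.sqlite` file, a `sql/db.sqlite` file, a `config.json` holding a `key` field, and an `attachments` directory) is a constructed stand-in for a messenger’s data folder, not the real layout of either app; to use it for real you would point `audit_messenger_dir` at the app’s own data directory under your home folder.

```python
"""Audit a desktop messenger's local data folder for data stored in the clear.

Added example (not the article's, Mysk's, Signal's or WhatsApp's code). The
file names and the "key" field in config.json are assumptions used to build a
constructed sample folder; point audit_messenger_dir() at a real app folder to
run the same checks there.
"""
import json
import os
import sqlite3
import tempfile
from pathlib import Path

# First 16 bytes of every plaintext SQLite file. Page-level encryption such as
# SQLCipher replaces this header with ciphertext, so its presence on a chat
# database means the database is not encrypted at rest.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Magic numbers of media types a chat app would cache as attachments. An
# attachment that still starts with one of these is stored in the clear.
MEDIA_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"%PDF": "pdf",
}

DB_SUFFIXES = {".sqlite", ".db"}


def sqlite_header_in_clear(path: Path) -> bool:
    """True if the file carries the plaintext SQLite header."""
    with path.open("rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def media_type_in_clear(path: Path):
    """Return the media type whose magic bytes open the file, else None."""
    with path.open("rb") as f:
        head = f.read(8)
    for magic, kind in MEDIA_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def plaintext_db_key(config_path: Path):
    """Return a database key stored as a plain string under "key", else None."""
    try:
        cfg = json.loads(config_path.read_text())
    except (OSError, ValueError):
        return None
    key = cfg.get("key") if isinstance(cfg, dict) else None
    return key if isinstance(key, str) and key else None


def audit_messenger_dir(data_dir) -> dict:
    """Walk a data folder and report databases, media and keys stored in the clear."""
    data_dir = Path(data_dir)
    report = {"plaintext_databases": [], "plaintext_media": [],
              "plaintext_key": False, "problems": []}
    if not data_dir.is_dir():
        report["problems"].append(f"{data_dir}: no such directory")
        return report
    for path in sorted(p for p in data_dir.rglob("*") if p.is_file()):
        rel = str(path.relative_to(data_dir))
        if path.suffix in DB_SUFFIXES:
            if sqlite_header_in_clear(path):
                report["plaintext_databases"].append(rel)
                report["problems"].append(f"{rel}: chat database is not encrypted at rest")
        elif path.name != "config.json":
            kind = media_type_in_clear(path)
            if kind:
                report["plaintext_media"].append(rel)
                report["problems"].append(f"{rel}: {kind} attachment stored in the clear")
    if plaintext_db_key(data_dir / "config.json") is not None:
        report["plaintext_key"] = True
        report["problems"].append("config.json: database key stored in plaintext beside the database")
    return report


def build_sample_layout(base: Path) -> None:
    """Constructed sample folder (assumed names, not a real app's files)."""
    base.mkdir(parents=True, exist_ok=True)
    # Unencrypted chat database: a real SQLite file, header in the clear.
    con = sqlite3.connect(base / "ChatStorage.sqlite")
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
    con.execute("INSERT INTO message (text) VALUES ('hello')")
    con.commit()
    con.close()
    # Encrypted chat database (stand-in ciphertext) whose key sits in config.json.
    (base / "sql").mkdir(exist_ok=True)
    (base / "sql" / "db.sqlite").write_bytes(bytes(range(256)) * 16)
    (base / "config.json").write_text(json.dumps({"key": "00" * 32}))
    # Cached attachment with its real JPEG header.
    (base / "attachments").mkdir(exist_ok=True)
    (base / "attachments" / "photo").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)


def demo() -> dict:
    """Build the constructed sample folder in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "Messenger"
        build_sample_layout(base)
        return audit_messenger_dir(base)


if __name__ == "__main__":
    for line in demo()["problems"]:
        print(line)
```

Note that tightening Unix file permissions on the folder would not close this gap: the point Mysk makes is that any app or process running as the same user reads the same files, and user-level permissions do not distinguish between your messenger and a malicious app you were tricked into running. Only a sandbox (as Apple applies to iMessage data) or a key held outside the folder, for example in the Keychain, changes that.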

Again, the question is the extent to which this opens a remote vulnerability that does not require persistent physical access. The risk of a secret, unauthorized endpoint joining an ongoing conversation is very serious; it opens the possibility of a backdoor. Mysk says that he experimented with this vulnerability to prove it out, and found that “Signal didn’t show a warning about the existence of this ‘cloned’ session.”

Mysk believes this “backdoor” risk reopens a debate from some weeks ago that was shut down by Signal. “As it is easy to clone a Signal session from Signal’s desktop app,” he says, “it seems to be the reason why some Signal critics believe it has a ‘backdoor’.” He is referring to the spat between Signal and Elon Musk, over his claims that “there are known vulnerabilities with Signal that are not being addressed.”

So, should you delete or unlink your desktop apps? That depends on your level of threat. Anyone in a high-risk position, profession or location should not be using desktop apps given these findings. And while losing messaging data to someone with physical access to an unlocked device is a given, the remote risk exposed here, with a malicious app theoretically able to read and exfiltrate user data or even set up a cloned access point into ongoing communications, is huge.

Mysk’s advice is clear. “Apps on iOS are strictly isolated and no app can access data of another app,” he says. “Android has a similar app isolation technology in place. Even if mobile apps store their secrets in plain text inside their sandbox, malicious apps are very unlikely to be able to access them. However, exploiting the local data of a Signal or WhatsApp desktop app makes the entire account vulnerable, including the companion mobile app. To be on the safe side, unlink any desktop app.”

Desktop companion apps for both messaging platforms exist as an access point into your account, with your smartphone app retaining primary status. Unlinking a desktop app revokes that session’s access to your account; to be sure its chat history and cached attachments are also gone from the Mac, delete the app and its local data folder as well. You can unlink desktop apps from the linked-devices settings in your phone’s app.

I have approached WhatsApp and Signal for comment. In the meantime, many security-minded users will likely stop using desktop apps until we know more. As ever with vulnerabilities, publicity widens awareness but also the risk of exploitation.
