WhatsApp is about to launch its biggest upgrade in years—but there’s a surprise catch; the messaging giant has just warned users about a serious new problem, and you need to be very careful…
The devil is always in the details—and no more so than with the new WhatsApp upgrade that has generated countless headlines in recent weeks. Meta’s messaging giant has confirmed its plans to comply with Europe’s DMA and open its platform to third-party chats.
Meta has just released technical details as to how this will actually work. Unfortunately, it doesn’t—at least not the way it is presented. The new guidance delivers a stark warning about the fatal flaw in the update—a nasty surprise for users expecting an exciting new world of unified, secure messaging.
As everyone likely knows by now, under Europe’s DMA, WhatsApp and other so-called gateway technologies need to open up to rival services—the same regulations that have dragged Apple into the scary new world of third-party app stores. WhatsApp stole a march on others by sharing early details on how it would comply, while suggesting this would work globally, not just in Europe.
Now the platform has gone a step further, sharing more of the technical detail underpinning its approach. There’s no real new technical news here—we knew most of it. But it does shine a light on some of the ways in which different apps will interface and ensure integrity between them. That said, it’s quiet on operational details, such as how users will actually find one another in the real world.
But the guidance does confirm a serious risk for the platform’s 2 billion users.
“We’re sharing how we enabled third-party interoperability (interop) while maintaining end-to-end encryption (E2EE) and other privacy guarantees in our services,” the new advisory explains, “as far as possible.” Those last four words matter more than all the rest.
Let’s start with some basics. End-to-end encryption means that when you message another person or a group, the content of the message is locked and only you and the people you’re messaging have the key. You can even ask the platform to confirm the integrity of the devices that are part of the chat and the safety of shared keys. This means that Signal or Meta (in the case of WhatsApp) or Google (for Messages) or Apple (for iMessage) cannot unlock user content—it’s just not possible.
This differs from part-encrypted messaging—like Telegram (or Google Messages or Facebook Messenger, before their recent switch to end-to-end), where content is encrypted between your device/app and the server, and then again from the server to the receiving device/app. With part-encryption, the host platform has the key and can unlock content.
Europe’s DMA mandates that interoperability should not weaken security and privacy: “The level of security—including end-to-end encryption where applicable—that the gatekeeper provides to its own end-users shall be preserved across the interoperable services.”
This was always going to be a near impossibility. End-to-end encryption only works where the two “ends” can be assured, which means—realistically—they are the same. Two WhatsApp or iMessage or Signal apps. DMA envisages a world where Signal messages might be sent to WhatsApp users. And that so-called interoperability, by its very nature, breaks that model.
As EFF warned back in 2022, “requiring interoperability without unacceptable tradeoffs in security or privacy is a very high hurdle, one that might turn out to be insurmountable.”
Meta is strongly suggesting—if not quite mandating—that any third-party platforms wanting to access WhatsApp should use the same Signal protocol it uses across its own services. “We use the Signal Protocol as the foundation for E2EE communications, as it represents the current gold standard for E2EE chats. In order to maximize user security, we would prefer third-party providers to use the Signal Protocol.” Meta will make exceptions to allow alternative encryption protocols, but only “if they are able to demonstrate it offers the same security guarantees as Signal.”
That part of Meta’s update prompted headlines around the use of Signal to apparently maintain end-to-end encryption—unfortunately that’s misleading. Yes, using Signal’s encryption protocol will secure content while it is in transit, but it does nothing to assure what happens at those ends.
As ESET’s Jake Moore explains, “it’s just not possible to send a message from one encrypted app to another without a serious downgrade of the cryptographic techniques in order to accommodate this interoperable feature. While end-to-end encryption is seamless for most users, no two apps implement encryption identically and this is where the security problems lie. A compromise is inevitable but the real problem is that technology companies know that a large majority of users still do not fully understand or worry about the privacy and security risks.”
Which leads us to WhatsApp’s new warning—which is extremely serious. “The E2EE promise Meta provides to users requires us to control both the sending and receiving clients… While we have built a secure solution for interop that uses the Signal Protocol encryption to protect messages in transit, without ownership of both clients (endpoints) we cannot guarantee what a third-party provider does with sent or received messages, and we therefore cannot make the same promise.”
As I have said multiple times—end-to-end encryption is a binary, not a spectrum. Without control of both endpoints, or some form of shared and mutually assurable endpoint security, it simply does not exist. And so there is no genuine end-to-end encryption.
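To make the distinction between “part-encrypted” and end-to-end encrypted messaging, and the endpoint argument above, concrete, here is an added illustration (not code from Meta, WhatsApp or the Signal Protocol) that models both architectures with a toy stdlib cipher standing in for the real AEAD. The relay can read a hop-by-hop message and cannot read an end-to-end one; in the interop case the receiving client, not the sender, decides what happens to the plaintext. Party names, keys and the two client behaviours are constructed for the example.

```python
import hmac, hashlib, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    """Toy authenticated encryption standing in for the Signal Protocol's AEAD:
    nonce || ciphertext || HMAC tag. Illustrative only, not for real use."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Returns the plaintext, or None if this key cannot open the message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def hop_by_hop(msg: bytes) -> dict:
    """Client-server ('part-encrypted') messaging: the server holds a key for each
    hop, so it decrypts and re-encrypts, and therefore sees the plaintext."""
    k_alice_server, k_server_bob = secrets.token_bytes(32), secrets.token_bytes(32)
    at_server = unseal(k_alice_server, seal(k_alice_server, msg))  # server reads it
    at_bob = unseal(k_server_bob, seal(k_server_bob, at_server))
    return {"server_sees": at_server, "bob_sees": at_bob}

def end_to_end(msg: bytes, receiving_client) -> dict:
    """E2EE: only Alice and Bob hold k_ab. The relay cannot open the blob, but what
    Bob's client does with the decrypted text is outside the sender's control."""
    k_ab, k_server = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = seal(k_ab, msg)
    at_server = unseal(k_server, blob)  # None: the relay has no key for this chat
    backend_copies = []                 # what the receiving provider's backend ends up with
    shown = receiving_client(unseal(k_ab, blob), backend_copies)
    return {"server_sees": at_server, "bob_sees": shown,
            "third_party_backend_sees": backend_copies}

def first_party_client(pt: bytes, sink: list) -> bytes:
    return pt                # displays the message and keeps nothing else

def third_party_client(pt: bytes, sink: list) -> bytes:
    sink.append(pt)          # constructed behaviour: keeps a plaintext copy on its own backend
    return pt
```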
Again, Meta is being open with its warning about those risks. “We believe it is essential that we give users transparent information about how interop works and how it differs from their chats with other WhatsApp or Messenger users… Users need to know that our security and privacy promise, as well as the feature set, won’t exactly match what we offer in WhatsApp chats.”
Endpoint compromise is the real vulnerability with end-to-end encrypted messaging, even where both endpoints are the same. If you can take over a device or trick a user into installing a dangerous app, then you can access the content on that device or endpoint.
Just as with any chain, the security of end-to-end encryption is only as good as its weakest link. Interoperability means that a threat actor doesn’t need to compromise a hyper-scale app, but could target the smaller, less protected alternatives as and when they start to show up in WhatsApp.
The only possible answer to this conundrum is trust. Theoretically, if you could absolutely attest to the integrity of an endpoint then you could share keys and run some form of proxy sealed platform. That might be possible with major apps—Signal, iMessage, Telegram even—but none of those are likely to play. The apps that do play will be smaller and won’t have those same assurances.
But, as Moore points out, “you can choose whether or not you participate in exchanging messages with third party apps,” adding that “it might be advisable to activate it only if necessary.”
Between these security risks and the lack of engagement (the other major messengers are not jumping on board with WhatsApp), this update isn’t quite as exciting as billed. My recommendation is to stick to separate end-to-end encrypted messengers and not to play games of mix and match.