WhatsApp vs. Signal: A lesson for all app vendors

The post WhatsApp vs. Signal: A lesson for all app vendors appeared first on Intertrust Technologies.

What’s happening with WhatsApp?

At the beginning of January, WhatsApp updated its terms of service and privacy policy to indicate that, starting February 8, it would be sharing more information with its parent company, Facebook. This shared data would help Facebook “provide, improve, understand, customize, support, and market their offerings.”

While WhatsApp—which was founded and popularized because of its commitment to keeping customer data and messages safe— will still not share the contents of messages with Facebook, it will provide them with data such as your phone number, to whom and how often you send messages, and how long you spend on the app. 

Industry experts have expected the changes ever since Facebook bought WhatsApp in 2014. Unbeknownst to many, it has been engaged in inter-platform data sharing with its parent company since 2016. However, what seems to be different about this change is not that a tech giant is seeking to utilize and monetize its data, but that huge numbers of its customers are angry about it.

WhatsApp vs. Signal: Two different approaches to privacy

Many users have expressed their disappointment and discomfort with the changes to their data privacy and have vowed to abandon the app and move to communication apps that are more privacy-focused. Alternative apps, such as Signal, provide the same functionality for messaging, voice, and video calls as WhatsApp but with enhanced security features, including:

  • End-to-end encryption as standard
  • Encrypting messages based on open-source code so original developers cannot hide any back-doors that could be used to bypass encryption
  • Blank notification pop-ups
  • Messages can be set to self-delete from both users after a certain time

Tech entrepreneur Elon Musk even waded into the WhatsApp vs. Signal battle on social media by tweeting a succinct “Use Signal” to his 42 million followers after WhatsApp’s announcement, a message later retweeted by Jack Dorsey. After his tweet, messaging apps Telegram and Signal jumped to the top of download charts and registered millions of new installs, with the Signal app seeing 1.3 million downloads (compared to a usual 50,000/day) on the day of WhatsApp’s announcement.

The message from consumers seems clear: they care about their data being protected and are not afraid to shun the most successful product in the marketplace to get it.

The lesson for app developers

The WhatsApp vs. Signal furor has shown that data privacy is a major concern for many users, and rightly so, considering the billions of people affected by app-related data breaches alone. This means that app developers and distributors need to ensure they’re approaching development from a “security-first” perspective that always aims to keep data safe. 

The challenges to this are significant, however, as the information held and received by applications is a valuable target for hackers, and increasingly so as apps play a larger role in people’s lives. Below are some of the major threats to data safety on applications. 

Threats to data safety

  • Stealing encryption keys: As data that’s held and transmitted is often encrypted (and should always be), hackers search for the encryption keys that will allow them to decrypt stolen data and masquerade as a trusted user for digital signing and access to servers. 
  • Man-in-the-middle attacks: Hackers attack the data transfer process between the server and the client device and read or extract the data in transit.
  • Side-channel attacks: This strategy utilizes the physical effects created by a device to steal encryption keys and crack algorithms.
  • Phishing attacks: Stealing passwords and user credentials is still one of the most common means hackers use to circumvent security systems. There are many phishing attack methods for applications, such as introducing fake overlay screens or reverse-engineering an app’s code and creating a spoof version of it that sends all data entered back to the criminal’s server.

Application shielding to ensure data protection

Users abandonment of WhatsApp to Signal, which forced WhatsApp to delay the imposition of the new terms of service, shows that customers are willing to take action if they feel that their data is not being protected. The huge rise in home working and group video calls during the COVID-19 pandemic, which often resulted in overt invasions of privacy, has led consumers to become more aware of their interactions and demand better protection. 

For applications, data protection requires concerted and multi-pronged defenses that harden an app’s many attack surfaces. These application shielding strategies include:

  • Obfuscation: Transforming code by making strategic modifications so that it is difficult to decipher and analyze, but remains fully functional.
  • Integrity checking: Hardens applications by inserting thousands of small, overlapping checksums. During runtime, each of these checksums tests whether a particular segment of the executable has been tampered with.
  • Rooting and jailbreak detection: Identifies if the device security has been breached and reports it to the application, enabling it to take the appropriate response.
  • Debugger protection: Mechanisms that detect debugging atte,ps, and take action to block them.
  • White-box cryptography: A software-based method to secure cryptographic keys that combines obfuscation, encryption, and mathematical transformation techniques.

For app vendors, poor security and data breaches don’t just cost money in terms of regulatory fines and compensation. The major factor is lost revenue through broken customer trust. If we can take one thing away from the WhatsApp vs. Signal messenger debate, it’s that consumers are more vocal than ever about their demands for data security. 

At Intertrust, we work with clients worldwide to improve their revenue security through cybersecurity. Our suite of application shielding solutions hardens app defenses to frustrate and negate hacking attempts from multiple angles and keep data safe. To find out more about how we can help you secure your applications and cryptographic keys, you can read more here or get in touch with our team.

*** This is a Security Bloggers Network syndicated blog from Intertrust Technologies - Security Blogs authored by Jake VanAdrighem. Read the original post at: