Verifying WhatsApp’s End-To-End Encryption

A few days ago, WhatsApp announced that with the latest update, all conversations would be end-to-end encrypted. I very briefly examined a conversation that WhatsApp was showing me as encrypted.

I asked the other party to send me a message, but I closed (force-quit) WhatsApp first. As I’m running iOS, where apps cannot create daemons, force-quitting served the following purposes:

  • The app would be unable to maintain any open TCP connections.
  • The app would be unable to schedule local notifications.
  • The app would be unable to do client-side decryption in the background.
  • The WhatsApp server would be forced to send me a push notification in order for me to get any notification at all.
  • The app would be unable to process that notification, because after a force quit, application:didReceiveRemoteNotification:fetchCompletionHandler: does not get called.

That means that any notification would have to be a push notification, sent by WhatsApp’s servers to Apple, who would then send it to me.

The push notification contained the message in plain text. Therefore, WhatsApp, and then later Apple, had access to the message in its decrypted form. I don’t know if an encrypted version of the message exists, but as long as any server has access to a decrypted copy, the encryption is worthless.

UPDATE: As multiple people have pointed out, WhatsApp could be using PushKit, which can wake up a VoIP-enabled app even if it has previously been force-quit by the user. Testing it would require access to a device with iOS 7, which I didn’t have. But there is another way of testing it. After an iPhone restarts, its file system remains encrypted until the phone is first unlocked. That means that regular push notifications would still be shown, but if a notification required a local decryption first, it wouldn’t work because the private key would be inaccessible.

I restarted my iPhone, and it automatically connected to the cellular network. It couldn’t connect to the WiFi because the password was encrypted until I unlocked it. When a friend sent me a message using Facebook’s Messenger, it instantly appeared. I did not, however, receive any push notifications from WhatsApp, even though he was sending messages.

When I unlocked the phone, WhatsApp notifications still weren’t arriving. It wasn’t until I first opened the application after the restart and then quit it again that notifications started working.

Thus, it appears that not only does WhatsApp end-to-end encrypt messages, but it does a better job at usability than any other end-to-end-encrypted messenger I know.
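To make the reasoning behind the restart test concrete, here is a small Python model of the two designs the post distinguishes: a relay that puts readable text into the push, versus a relay that only ever holds ciphertext and a device that must decrypt with a key it can only read after first unlock. This is an added example, not code from the post, WhatsApp or Apple. Everything in it is an assumption for illustration: the class and function names, the idea that the session key lives in a file under a data-protection class that is unreadable between reboot and first unlock, and the cipher, which is a toy HMAC-SHA256 keystream so the example runs on the standard library (it is not the protocol WhatsApp actually uses).

```python
"""Added example: model the two push designs and the reboot / first-unlock test.
Not WhatsApp's or Apple's code; all names and the toy cipher are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher for illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    nonce = nonce or os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


@dataclass
class Device:
    """Recipient phone. Between reboot() and unlock() the key file is unreadable
    (assumption: the key is stored with a protection class that requires first unlock)."""
    session_key: bytes
    unlocked_since_boot: bool = True
    displayed: list = field(default_factory=list)

    def reboot(self) -> None:
        self.unlocked_since_boot = False

    def unlock(self) -> None:
        self.unlocked_since_boot = True

    def receive_push(self, payload: dict) -> Optional[str]:
        """Return the alert text shown to the user, or None if nothing could be shown."""
        if "plaintext" in payload:
            # Design A: the server put readable text into the push; no key needed.
            text = payload["plaintext"]
        else:
            if not self.unlocked_since_boot:
                # Design B before first unlock: the key file is inaccessible.
                return None
            text = decrypt(self.session_key, payload["ciphertext"]).decode()
        self.displayed.append(text)
        return text


def push_payload_plaintext_design(message: str) -> dict:
    """Relay server sees the plaintext and hands it to the push provider."""
    return {"plaintext": message}


def push_payload_e2e_design(ciphertext: bytes) -> dict:
    """Relay server only ever holds ciphertext; the push carries it opaquely."""
    return {"ciphertext": ciphertext}


def run_restart_test(e2e: bool, message: str = "hello") -> dict:
    """Mirror the post's experiment: reboot, receive a push before unlocking,
    then unlock and receive the same push again. Key and nonce are constructed."""
    key = hashlib.sha256(b"constructed session key for the example").digest()
    device = Device(session_key=key)
    if e2e:
        blob = encrypt(key, message.encode(), nonce=b"\x00" * NONCE_LEN)
        payload = push_payload_e2e_design(blob)
    else:
        payload = push_payload_plaintext_design(message)
    # What the push provider, and anyone else on the relay path, can read.
    leaks_plaintext = message in repr(payload)
    device.reboot()
    before = device.receive_push(payload)
    device.unlock()
    after = device.receive_push(payload)
    return {
        "push_provider_sees_plaintext": leaks_plaintext,
        "shown_before_first_unlock": before,
        "shown_after_first_unlock": after,
    }


if __name__ == "__main__":
    for design in (False, True):
        print("e2e" if design else "plaintext", run_restart_test(design))
```

Running it shows the two signatures the post relies on: under the plaintext design the push provider can read the message and the alert appears even before first unlock; under the end-to-end design the push carries only ciphertext, nothing can be shown until the phone has been unlocked once, and the same push decrypts fine afterwards. The model does not capture the third observation in the post (nothing arriving until the app was opened once), which depends on app lifecycle rather than on key availability.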

Big thanks to Harshil Shah, Frederik Riedel, and Mert Dümenci for pointing out PushKit for VoIP apps and helping me test.