Polyphonicwinter Blog


I previously wrote about my strong dislike of Facebook but revealed the “best” way round it. However, times have changed, and with the audio and broadcast industry defaulting to WhatsApp for communication, so must I, and this time... I'm almost on board.

UPDATE: Now I must preface by saying I do still have a work Facebook account but I rarely use it. When I do use it, I use the NEW official Tor browser app (available on: Play Store/F-Droid (preferred)) or the good ol' desktop Tor browser using Facebook's hidden site facebookcorewwwi.onion. I still recommend using my previous post if you NEED Facebook on your phone!

Also WhatsApp is created by Facebook, so not great but it does have some tasty features...

Features

  • End-To-End Encryption (e2e): WhatsApp uses Signal's end-to-end encryption protocol [1]. We can't technically trust that Facebook has implemented it correctly, but if it has... that's a major Hell Yes!!

  • Web-view: One thing that WhatsApp does that I wish other private messengers did is have a web app. It always asks for permission before accessing the WhatsApp account and allows you to move files from your PC through WhatsApp with ease. It also means us Linux users don't have to worry about compatibility issues. You could argue that this broadens the attack surface for malicious actors using WhatsApp.

  • Doesn't connect to any other accounts: WhatsApp has been sold as a private messenger, so it does not ask for annoying permissions and doesn't connect to other accounts. Nice!

HOWEVER

You can be as secure as you want on your end, but the issue then becomes the OTHER people in your chat. WhatsApp by default saves a copy of your encrypted messages to Google/Apple/Microsoft's backup service. Ughh! This can be kinda circumvented by...

  • Disabling backups: NOT WhatsApp backups but whatever main backup service you use (presuming it's not a personal server or Syncthing, or you are using a custom ROM without Google services). This solves the issue for you but NOT for others. You can try (mostly in vain) to get others to do the same, but even if you can't, it's a step in the right direction.

  • Deleting your messages: Again, a pretty bad solution, but hey, it does work. Simply delete your messages after they've been seen BUT before WhatsApp does a backup. You will be prompted to delete for everyone, NOT just for you. Just agree!

  • Encrypting: This doesn't solve the problem with regular messages, but for sending files it does. You can use a service like Firefox Send to send files up to 1 GB (2.5 GB if you have a Firefox account), or Tresorit Send with up to 5 GB, or even OnionShare with no file size limit (works over Tor). These services all use end-to-end encryption (unlocked with a password), let links expire after a chosen amount of time, and much more. Of course, you can use regular forms of file encryption like PGP or AES256 [2]. But if you are, you probably have better solutions anyway and aren't using WhatsApp. ;)
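
For the PGP/AES256 route in the last bullet, here is an added example (not part of the original post) that encrypts a file with a passphrase using GnuPG before it is shared in a chat. The function names and the 12-character minimum passphrase length are assumptions of this example.

```shell
#!/bin/sh
# Added example: passphrase-based file encryption with GnuPG (AES256).
# Function names and the minimum passphrase length are assumptions.

MIN_PASS_LEN=12

# encrypt_for_chat <passphrase> <input-file> <output-file>
encrypt_for_chat() {
    [ "${#1}" -ge "$MIN_PASS_LEN" ] || { echo "passphrase too short" >&2; return 2; }
    [ -f "$2" ] || { echo "no such file: $2" >&2; return 2; }
    # The passphrase is fed to gpg on file descriptor 3 instead of the
    # command line, so it never appears in gpg's argument list.
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --symmetric --cipher-algo AES256 \
        --output "$3" "$2" 3<<EOF
$1
EOF
}

# decrypt_from_chat <passphrase> <input-file> <output-file>
# Returns non-zero if the passphrase is wrong or the file was altered.
decrypt_from_chat() {
    [ -f "$2" ] || { echo "no such file: $2" >&2; return 2; }
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt --output "$3" "$2" 3<<EOF
$1
EOF
}
```

Share the passphrase over a different channel than the one carrying the encrypted file.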

Overall

WhatsApp is one of the 'best' commonly used messaging apps out there if you can't use an alternative like Signal or Keybase. It's just a good idea in general to treat whatever you send or post like an open letter. DON'T post anything sensitive on it. It's probably overly paranoid to suggest that Facebook reads all your WhatsApp messages but hey! Also, with the recent WhatsApp hacks and exploits [3], it never hurts to be safe!

Liam

[1] https://scontent.whatsapp.net/v/t61/68135620_760356657751682_6212997528851833559_n.pdf/WhatsApp-Security-Whitepaper.pdf?_nc_sid=41cc27&_nc_ohc=NBTA-txayNsAX-xbRaX&_nc_ht=scontent.whatsapp.net&oh=3cd37dbd496d40f6dadd0dd475454681&oe=5E62B5A5

[2] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf

[3] https://www.theguardian.com/technology/2019/may/14/whatsapp-hack-have-i-been-affected-and-what-should-i-do

#Facebook #WhatsApp #Privacy #encryption #OnionShare #Tresorit #Firefox #Signal #e2e #Syncthing #PGP #AES256 #TorBrowser #Tor #LineageOS