
WhatsApp does not enforce certificate pinning, users exposed to MITM

Experts at Praetorian, as part of Project Neptune, an assessment of how mobile apps are designed and maintained from a security standpoint, have examined the security of WhatsApp.

This week the IT industry was shaken by Facebook's acquisition of WhatsApp: the popular mobile messaging service was bought for $19 billion, a price that probably reflects the value of the user data the social network wanted to acquire.

As usual, the security community immediately set out to ascertain the actual level of security WhatsApp offers, and whether, and how, the application could be used as a mass surveillance tool.

Security experts at Praetorian, who have been running Project Neptune to assess how mobile apps are designed and maintained from a security standpoint, also evaluated the protection WhatsApp offers its users.

The researchers found several issues in the way WhatsApp implements SSL; the principal one is that the client does not enforce certificate pinning.

Certificate pinning (hard-coding in the client the certificate, or the public key, that the server is known to use) makes the client automatically reject a connection to a server that presents any other certificate, even one signed by a trusted Certification Authority. The difference is this: when a user opens google.com in a browser, the browser trusts any certificate that chains to one of the many CAs in the device's trust store, whereas a pinned mobile app connecting to a Google server trusts only the certificates or keys that Google itself has pinned into the app.

Mobile is considered the ideal platform for certificate pinning because a mobile app usually needs to talk to a small, known set of servers and its developer controls the client-side code.
A short list of trusted certificates (or CA certificates) can be shipped inside the app, bypassing the device's trust store entirely. Popular apps, including Google's, Facebook and Twitter, implement certificate pinning. It must be stressed that pinning makes traffic interception harder, not impossible: an attacker who controls the device can still bypass it in numerous ways, for instance by patching the app or hooking the pin check at runtime.

By not implementing certificate pinning, WhatsApp exposes its users to the risk of MITM attacks, an ideal scenario for cyber espionage.
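The pinning check described above, written out as an added example (this is not WhatsApp's code, nor Praetorian's): the client hashes the SubjectPublicKeyInfo of the certificate the server presents and compares it with a hard-coded pin set, on top of, not instead of, the usual CA and hostname validation. The Python standard library is used here; the DER helpers, the `connect_pinned` function, the host name `example.test` and the unsigned certificate skeleton produced by `build_sample_cert` are all assumptions of the example so that it runs offline.

```python
import base64
import hashlib
import socket
import ssl


def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, value, offset just past it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def der_children(body: bytes):
    """Split a SEQUENCE body into (tag, raw TLV bytes) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out


def extract_spki(der_cert: bytes) -> bytes:
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (RFC 5280 s4.1):
    tbsCertificate = [0] version OPTIONAL, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ..."""
    tag, cert_body, _ = der_read(der_cert)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = der_read(cert_body)
    fields = der_children(tbs_body)
    idx = 6 if fields[0][0] == 0xA0 else 5  # explicit [0] version only in v2/v3 certs
    return fields[idx][1]


def spki_pin(der_cert: bytes) -> str:
    """Pin in the HPKP style: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(der_cert)).digest()).decode()


def verify_pins(der_cert: bytes, pins) -> bool:
    """True only when the presented key is one of the hard-coded pins."""
    return spki_pin(der_cert) in set(pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """TLS connect that keeps CA + hostname checks AND enforces the pin set.
    A CA-signed certificate for the right name is still rejected if its key
    is not pinned; that is what defeats a rogue or compromised CA."""
    ctx = ssl.create_default_context()
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    if not verify_pins(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError(f"public-key pin mismatch for {host}")
    return tls


# Constructed fixture (assumption, not real data): a well-formed but unsigned
# certificate so the parser and the pin check can be exercised offline.
def _seq(*parts: bytes) -> bytes:
    return der_encode(0x30, b"".join(parts))


def build_sample_spki(modulus: bytes) -> bytes:
    """RSA SubjectPublicKeyInfo around a made-up modulus, e = 65537."""
    rsa_oid = _seq(bytes.fromhex("06092a864886f70d010101"), b"\x05\x00")  # rsaEncryption
    rsa_key = _seq(der_encode(0x02, b"\x00" + modulus), der_encode(0x02, b"\x01\x00\x01"))
    return _seq(rsa_oid, der_encode(0x03, b"\x00" + rsa_key))


def build_sample_cert(spki: bytes, v3: bool = True) -> bytes:
    """Wrap an SPKI in a v3 (or v1) certificate skeleton with a dummy signature."""
    sha256_rsa = _seq(bytes.fromhex("06092a864886f70d01010b"), b"\x05\x00")  # sha256WithRSA
    cn = _seq(bytes.fromhex("0603550403"), der_encode(0x0C, b"example.test"))  # CN=example.test
    name = _seq(der_encode(0x31, cn))
    validity = _seq(der_encode(0x17, b"240101000000Z"), der_encode(0x17, b"250101000000Z"))
    version = der_encode(0xA0, b"\x02\x01\x02") if v3 else b""
    tbs = _seq(version, der_encode(0x02, b"\x01"), sha256_rsa, name, validity, name, spki)
    return _seq(tbs, sha256_rsa, der_encode(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    cert = build_sample_cert(build_sample_spki(bytes(range(1, 33))))
    print("pin:", spki_pin(cert), "| matches:", verify_pins(cert, {spki_pin(cert)}))
```

Pinning the SPKI hash rather than the whole certificate lets the server renew its certificate without breaking clients, as long as it keeps the same key; shipping a backup pin for a spare key is what keeps the app working when the key does rotate. `getpeercert(binary_form=True)` returns only the leaf certificate, so this example pins the leaf; pinning an intermediate CA key instead requires access to the verified chain.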

“Within minutes, Project Neptune picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers. This is the kind of stuff the NSA would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk,” wrote Praetorian researcher Paul Jauregui. “WhatsApp does not perform SSL pinning when establishing a trusted connection between the mobile applications and back-end web services. Without SSL pinning enforced, an attacker could man-in-the-middle the connection between the mobile applications and back-end web services. This would allow the attacker to sniff user credentials, session identifiers, or other sensitive information.”

As pointed out in the past, it is very common to find mobile apps that do not implement certificate pinning, with serious consequences.

The experts also found lesser issues: the WhatsApp back end accepted null cipher suites (suites that authenticate but do not encrypt), so under the right conditions a connection could fall back to carrying data unencrypted.

“With Null Ciphers supported, if the client mobile application attempts to communicate to the server using SSL and both parties do not support any common cipher suites—as a result of a malicious intercept—then it would fall back to sending the data in clear, plain text. Supporting Null Ciphers is not something we come across often—it’s quite rare,” Jauregui said.
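The fallback Jauregui describes can only happen when the client is willing to negotiate a suite with no encryption. As an added example (not WhatsApp's or Praetorian's code), here is a Python `ssl` client context that refuses null, anonymous and export suites and anything older than TLS 1.2, next to a small audit helper that lists which weak suites a given OpenSSL cipher string would still offer. The cipher strings and the `is_weak_cipher` name heuristic are assumptions of the example; the markers it looks for follow OpenSSL's suite naming.

```python
import ssl

# Forward-secret AEAD suites only. "!eNULL" drops encryption-less suites (the
# fallback the article describes), "!aNULL" drops unauthenticated anonymous-DH
# suites, "!EXPORT" the 40/56-bit export suites (a no-op on OpenSSL >= 1.1.0,
# which removed them entirely, but harmless), the rest are broken primitives.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!EXPORT:!3DES:!RC4:!MD5"
)

# The permissive side: "ALL:eNULL" puts the NULL suites back on the offer list.
# Whether the local OpenSSL build even ships them depends on how it was compiled,
# which is why audit_cipher_string() tolerates a refused string.
PERMISSIVE_CIPHERS = "ALL:eNULL"

# Substrings in OpenSSL suite names that mean "no encryption", "no authentication",
# export grade, or a broken cipher/hash (RC4, DES/3DES, MD5).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def is_weak_cipher(name: str) -> bool:
    """Heuristic classification of an OpenSSL cipher-suite name."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def hardened_client_context() -> ssl.SSLContext:
    """Client context: CA + hostname checks on, TLS >= 1.2, strong suites only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv2/SSLv3/TLS 1.0/1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION       # TLS compression leaks plaintext (CRIME)
    return ctx


def audit_cipher_string(cipher_string: str):
    """Names of the weak suites OpenSSL would offer for this string, or None
    if the local build refuses to build such a cipher list at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c["name"])]


if __name__ == "__main__":
    print("weak suites in hardened list:", audit_cipher_string(HARDENED_CIPHERS))
    print("weak suites in permissive list:", audit_cipher_string(PERMISSIVE_CIPHERS))
```

Note that `get_ciphers()` also lists the TLS 1.3 suites (`TLS_AES_*`, `TLS_CHACHA20_*`), which OpenSSL configures separately from the TLS 1.2 cipher string; none of them is null or export grade, so the audit stays clean.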

The WhatsApp team told Praetorian that they are actively working on adding SSL pinning to their clients. In a follow-up, the Praetorian researchers reported that the cipher-suite and protocol issues had already been addressed:

“we no longer find evidence of export ciphers, null ciphers, or SSLv2 support. Credit should be given to the WhatsApp team for implementing these fixes so quickly!”

Pierluigi Paganini

(Security Affairs – Mobile App security, WhatsApp)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
