The National Cryptological Center published on October 6 its report on the main risks in the use of WhatsApp, in which it tries to focus our attention on the risk created by the personal information that users of this service share daily. In the opinion of the CCN-CERT, which is dependent on the National Intelligence Center, this sharing of sensitive personal information, together with our low perception of danger when we use mobile devices, is what has made WhatsApp an attractive environment for intruders and cyber attackers. Therefore, through its report, it offers a series of recommendations so that the information on our mobile phones is safe from possible attackers or harmful programs.
Within its system for characterizing cybersecurity threats, the CCN-CERT classifies this possible use of WhatsApp by cybercriminals as Very High level. In other words, it qualifies it as a threat whose probability of affecting and damaging information systems is high, and which requires taking additional precautions. WhatsApp needs no introduction: since 2009 the application has become ubiquitous on all our mobile devices. Purchased by Facebook in early 2014, it currently exceeds one billion users worldwide and, according to CIS data from the first quarter of 2016, is used by more than 70% of Spaniards.
Despite being a messaging application in principle, it behaves very much like a social network, since it directly incorporates the contacts that we have defined on our mobile device, which makes its expansion very fast. This expansion and general use is what, according to the CCN-CERT, would place WhatsApp in the crosshairs of cybercriminals. WhatsApp thus becomes a possible source of data and information about its users.
Throughout the report, the various security threats are presented and simply explained, and a series of usage recommendations is outlined.
Activate the option “Show security notifications”
Open WhatsApp and press on Settings. Tap on Account and select Security. On the security screen is where we can activate security notifications. In the following graphic we show the steps to follow:
Unsafe deletion of conversations
Another of the flaws detected by the experts of the CCN-CERT is that in recent versions of WhatsApp the deletion of the conversations stored on the phone is not safe.
This makes it advisable, when replacing a phone or other mobile device, to uninstall the WhatsApp application before disposing of the old equipment, and to delete any backups that may have been generated.
Dissemination of sensitive information during initial connection
During the connection to the application’s servers, WhatsApp exchanges information in an unencrypted form about the technical characteristics of the phone and the phone number. Given that this information may be exposed to a possible attacker, the CCN’s recommendation is not to use public Wi-Fi networks or networks of dubious origin to connect to WhatsApp and, if it is necessary to do so, they understand that the solution to this problem of information dissemination would be the use of a VPN connection.
A VPN is an Internet connection system in which a private network is created. All the traffic from the mobile phone to the VPN server is encrypted; therefore, even if we are using a public network, anyone who intercepts this traffic cannot read it.
Dangers of downloading to unofficial sites
Any successful application immediately attracts cybercriminals, since it is relatively easy to use them as a hook to attract users. It is normal to see applications proliferate with an image similar to the original, or others promising improvements or new functions. It is also common to find applications that promise the possibility of spying on other users. All these applications are scams and many of them carry malicious code that seeks to steal information or point the user to services and thus obtain an economic benefit.
The basic recommendations to avoid the dangers associated with false applications are simple:
- Never download applications from unofficial sites.
- Do not install unnecessary applications simply because they are free.
- Do not install any application on our mobile device without having verified the manufacturer and carefully read the permissions it intends to acquire on our mobile device.
- Increase our vigilant attitude as much as possible if our device is Android.
Exchange of personal data with Facebook
This exchange of data between WhatsApp and Facebook, which currently does not include messages, photos or profile information, may pose a privacy risk. The Spanish Data Protection Agency communicated on October 5, 2016 that it was beginning investigative actions into the data communication between WhatsApp and Facebook.
Final report recommendations
The report ends with a series of recommendations. We invite you, for the security of your mobile devices, to adopt them:
Keep the phone locked with a password and, if possible, disable message previews, and take extreme care when the phone is not within reach, since a simple phone call could compromise the security of any session or application that is in use.
Be very careful with the access and permission requests of the applications that we install on our phone, especially when it comes to Android devices. Do not install unnecessary applications simply because they are free.
Do not try to remove the operating system manufacturer's restrictions in order to access the phone in administrator mode, which is known as “jailbreaking” on Apple devices or “rooting” on Android. Although it may seem useful for accessing certain applications or services, the security risk is too high and the device’s exposure to threats is much higher.
Disable Wi-Fi and Bluetooth when they are not going to be used: this not only considerably reduces battery consumption, but also closes doors to possible attacks.