On Thursday, the popular instant messaging service WhatsApp unveiled a new account verification feature intended to stop malware that is active on a user's mobile device from compromising that user's account.
“Mobile device malware is one of the biggest threats to people’s privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages,” the Meta-owned company said in an announcement.
Device Verification is a security solution that aims to avoid account takeover (ATO) attacks by cutting off the connection to the threat actor while preserving uninterrupted app use for the targets of the malware infection. In other words, the objective is to prevent attackers from using malware to take over victim accounts and steal WhatsApp authentication credentials to spread spam and phishing links to other contacts while posing as the victim.
To achieve this, three elements are introduced: a cryptographic nonce used to determine whether a WhatsApp client is contacting the server to retrieve incoming messages; an authentication challenge that acts as an "invisible ping" from the server to the user's device; and a security token stored locally on the device. The security token must be sent every time the client connects to the server, and it is updated each time an offline message is fetched from the server.
If the authentication challenge is answered by a different device, which suggests an unusual connection originating from an attacker, the challenge is deemed to have failed and the connection is blocked. If the client does not respond, the procedure is repeated "a few more times." If the client still does not respond, the connection is cut off. According to WhatsApp, Device Verification has been made available to all Android users and is now available to iOS users.
The feature is part of a larger package of updates aimed at authenticating and confirming users' identities, such as alerts that appear when someone attempts to move a WhatsApp account from one device to another. WhatsApp also introduced a Key Transparency tool that automatically verifies whether conversations are end-to-end encrypted, without requiring any action from the user. To do this, it is introducing a new Auditable Key Directory (AKD), based on established protocols such as CONIKS and SEEMless, to help users confirm the security of their conversations.
“The AKD will enable WhatsApp clients to automatically validate that a user’s encryption key is genuine and enables anyone to verify audit-proofs of the directory’s correctness,” said the company.
Currently, the security code, available as a QR code and as a 60-digit number, must be compared manually by the participants in a conversation, either by sending it to the other party via SMS or email or by scanning the QR code when the parties are physically together. A public/private key pair is created to enable end-to-end encrypted messaging, and the security code is formed from this key pair. It can change when users switch devices or reinstall WhatsApp.
Key Transparency speeds up the verification process by using an automated procedure to track public key changes in a directory and allowing clients to cross-reference them. WhatsApp already hosts and manages an Auditable Key Directory covering all of its users, and it plans to make the service live in the coming months. "This is an important mechanism that empowers security-conscious users to verify an end-to-end encrypted personal conversation quickly," the company added.
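To illustrate the audit-proof check that a Key Transparency client performs, the following is an added example (not WhatsApp's code, and not the AKD's actual prefix-tree layout from CONIKS/SEEMless): a simplified Merkle-tree key directory in which a client verifies that a contact's public key is included under a published directory root, and a swapped key fails the check. The user names and key bytes are constructed sample values.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed example: a toy key directory modelled as a binary Merkle tree.
# Leaf and inner-node hashes are domain-separated so a leaf can never be
# passed off as an inner node (a classic Merkle-tree pitfall).
EMPTY = hashlib.sha256(b"\x02empty").digest()

def leaf_hash(user: str, pubkey: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + user.encode() + b"\x00" + pubkey).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_directory(entries: Dict[str, bytes]) -> Tuple[List[str], List[List[bytes]]]:
    # Deterministic leaf order (sorted by user), padded to a power of two.
    users = sorted(entries)
    leaves = [leaf_hash(u, entries[u]) for u in users]
    size = 1
    while size < len(leaves):
        size *= 2
    leaves += [EMPTY] * (size - len(leaves))
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([node_hash(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return users, levels  # levels[-1][0] is the root the directory publishes

def inclusion_proof(users: List[str], levels: List[List[bytes]], user: str) -> List[Tuple[bytes, bool]]:
    # Sibling hashes from leaf to root; the flag says whether the sibling is on the left.
    idx = users.index(user)
    proof = []
    for lvl in levels[:-1]:
        sib = idx ^ 1
        proof.append((lvl[sib], sib < idx))
        idx //= 2
    return proof

def verify_inclusion(root: bytes, user: str, pubkey: bytes, proof: List[Tuple[bytes, bool]]) -> bool:
    # Client side: recompute the path hash and compare with the audited root.
    h = leaf_hash(user, pubkey)
    for sib, sib_is_left in proof:
        h = node_hash(sib, h) if sib_is_left else node_hash(h, sib)
    return h == root

def demo() -> Tuple[bool, bool]:
    directory = {"alice": b"alice-pk-v1", "bob": b"bob-pk-v1", "carol": b"carol-pk-v1"}
    users, levels = build_directory(directory)
    root = levels[-1][0]
    proof = inclusion_proof(users, levels, "bob")
    genuine = verify_inclusion(root, "bob", b"bob-pk-v1", proof)       # True
    swapped = verify_inclusion(root, "bob", b"attacker-pk-v1", proof)  # False
    return genuine, swapped
```

A real deployment additionally has clients and auditors check that successive roots are consistent with each other, so the directory cannot show different keys to different users without being caught.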