Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user's mobile device doesn't impact their account.
"Mobile device malware is one of the biggest threats to people's privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages," the Meta-owned company said in an announcement.
Called Device Verification, the security measure is designed to help prevent account takeover (ATO) attacks by blocking the threat actor's connection and allowing targets of the malware infection to use the app without any interruption.
In other words, the goal is to deter attackers' use of malware to steal WhatsApp authentication keys and hijack victim accounts, and subsequently impersonate them to distribute spam and phishing links to other contacts.
This, in turn, is achieved by introducing a security-token that's stored locally on the device, a cryptographic nonce to identify if a WhatsApp client is contacting the server to retrieve incoming messages, and an authentication-challenge that acts as an "invisible ping" from the server to a user's device.
The client is required to send the security-token every time it connects to the server so as to detect potentially suspicious connections. The security-token, for its part, is updated every time it fetches an offline message from the server.
An authentication-challenge is considered a failure when the client responds to the challenge from a different device, indicating an anomalous connection originating from an attacker. This causes the connection to be blocked.
Should there be no response from the client, the process is retried a "few more times," after which the connection will be blocked if the client still doesn't respond.
"These three parameters help prevent malware from stealing the authentication key and connecting to WhatsApp server from outside the users' device," Meta's Attaullah Baig and Archis Apte explained.
WhatsApp said Device Verification has been rolled out to all Android users and that it's in the process of being rolled out to iOS users.
The feature is part of a broader set of new enhancements that are designed to authenticate and verify users' identities, including displaying alerts when there is an attempt to migrate a WhatsApp account from one device to another.
Also launched by WhatsApp is a Key Transparency feature to automatically confirm whether chats are end-to-end encrypted without requiring any additional actions from the user.
To do so, it's implementing a new Auditable Key Directory (AKD) that's based on existing protocols like CONIKS and SEEMless to help users verify their conversation security.
"The AKD will enable WhatsApp clients to automatically validate that a user's encryption key is genuine and enables anyone to verify audit-proofs of the directory's correctness," the company said.
Verification currently requires users in a chat to manually compare the security code (which exists as a QR code and a 60-digit number) by sending it to the participant on the other end via SMS or email, or alternatively by scanning the QR code if the parties are physically next to each other.
The security code is nothing but a unique hash of both the public/private key pair that's generated to facilitate end-to-end encrypted messaging. Complicating matters further, it can change when users switch devices or reinstall WhatsApp.
Key Transparency streamlines the verification process by making use of an automated flow that obviates the need for the long code, instead maintaining a record of public key changes in a directory and allowing a client to check against it.
"Key transparency describes a protocol in which the [WhatsApp] server maintains an append-only record of the mapping between a user's account and their public identity key," Meta explained. "This allows the generation of inclusion proofs to assert that a given mapping exists in the directory at the time of the most recent update."
WhatsApp intends to make this feature live in the coming months, although it's already hosting and operating an Auditable Key Directory of all its users. "This is an important mechanism that empowers security-conscious users to verify an end-to-end encrypted personal conversation quickly," the company added.
(The story has been updated after publication to include more information about how Device Verification and Key Transparency features work.)
