WhatsApp, one of the world's most popular messaging apps, has announced a new security measure called "Device Verification" to protect its users from account takeover (ATO) attacks.
Because the app relies heavily on end-to-end encryption, attackers have shifted to targeting the endpoints of the conversation, the mobile devices themselves. Malware on an infected device is used to steal the authentication key, the credential that lets a user open WhatsApp without entering a password or other credentials each time the app starts.
The authentication key cannot be intercepted by any third party, including WhatsApp, but can be stolen by malware if a device is infected. The company is particularly concerned about unofficial WhatsApp clients that contain malware designed for this purpose.
To prevent this, Device Verification introduces three new parameters - a security-token, a nonce, and an authentication-challenge - which help to identify suspicious connections from malware that is trying to connect to the WhatsApp server from outside the user's device.
The security-token is updated every time someone retrieves an offline message, so that later reconnection attempts succeed seamlessly. When a WhatsApp client connects to the server, it must send the security-token stored on the device to validate the connection. An authentication-challenge is then sent to the device to detect suspicious connections. George McGregor, VP, Approov, shared support of the security move by WhatsApp: "The announcement of integration of device verification into WhatsApp provides a clear message to the industry about the dangers of stolen authentication keys being used by cloned and copied mobile apps. All mobile app developers should take steps to prevent keys being stolen and exploited and there are solutions which can make it easy to manage keys properly and implement device and app attestation at runtime."
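The following is an added illustration, not WhatsApp's code or a description of its actual wire protocol. It models the three parameters described above in a small server/client simulation: an account's authentication key alone is not enough to connect; the client must also present the current security-token, the token rotates every time offline messages are retrieved, and a mismatch triggers an authentication-challenge whose nonce is delivered only to the registered device. The HMAC-SHA256 response, the token length and the "device queue" delivery channel are assumptions chosen for the model.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Server-side record for one account (hypothetical model, not WhatsApp's schema)."""
    auth_key: bytes                      # long-lived key used instead of a password
    security_token: bytes                # rotates whenever offline messages are retrieved
    pending_nonce: Optional[bytes] = None


class Server:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Challenges are delivered to the registered device's message queue, so
        # only software running on that device can read the nonce (assumption).
        self.device_queue: dict[str, list[bytes]] = {}

    def register(self, user: str, auth_key: bytes) -> bytes:
        token = secrets.token_bytes(16)
        self.accounts[user] = Account(auth_key, token)
        self.device_queue[user] = []
        return token

    def connect(self, user: str, auth_key: bytes, security_token: bytes) -> str:
        acct = self.accounts[user]
        if not hmac.compare_digest(auth_key, acct.auth_key):
            return "rejected"
        if hmac.compare_digest(security_token, acct.security_token):
            return "accepted"
        # Right key, stale token: consistent with a copied key used from outside
        # the device. Issue a challenge that only the real device will receive.
        nonce = secrets.token_bytes(16)
        acct.pending_nonce = nonce
        self.device_queue[user].append(nonce)
        return "challenged"

    def answer_challenge(self, user: str, response: bytes) -> bool:
        acct = self.accounts[user]
        if acct.pending_nonce is None:
            return False
        expected = hmac.new(acct.auth_key, acct.pending_nonce, hashlib.sha256).digest()
        acct.pending_nonce = None
        return hmac.compare_digest(response, expected)

    def fetch_offline_messages(self, user: str, security_token: bytes) -> Optional[bytes]:
        acct = self.accounts[user]
        if not hmac.compare_digest(security_token, acct.security_token):
            return None
        acct.security_token = secrets.token_bytes(16)   # rotate on every retrieval
        return acct.security_token


class Client:
    """A WhatsApp-style client; device_queue is None for a clone running elsewhere."""
    def __init__(self, user: str, auth_key: bytes, security_token: bytes,
                 device_queue: Optional[list[bytes]]) -> None:
        self.user, self.auth_key = user, auth_key
        self.security_token, self.device_queue = security_token, device_queue

    def connect(self, server: Server) -> str:
        result = server.connect(self.user, self.auth_key, self.security_token)
        if result != "challenged":
            return result
        if not self.device_queue:          # clone never sees the nonce
            return "rejected"
        nonce = self.device_queue.pop()    # most recent challenge delivered to the device
        answer = hmac.new(self.auth_key, nonce, hashlib.sha256).digest()
        return "accepted" if server.answer_challenge(self.user, answer) else "rejected"

    def sync(self, server: Server) -> None:
        new_token = server.fetch_offline_messages(self.user, self.security_token)
        if new_token is not None:
            self.security_token = new_token


def run_scenario() -> dict[str, str]:
    """Constructed scenario: malware copies key and token off the phone to another machine."""
    server = Server()
    key = secrets.token_bytes(32)
    token = server.register("alice", key)
    phone = Client("alice", key, token, server.device_queue["alice"])
    clone = Client("alice", key, token, None)   # copied credentials, no device queue
    out: dict[str, str] = {}
    out["clone_before_rotation"] = clone.connect(server)   # nothing distinguishes it yet
    phone.sync(server)                                      # retrieval rotates the token
    out["clone_after_rotation"] = clone.connect(server)    # stale token -> challenge it cannot answer
    out["phone_after_rotation"] = phone.connect(server)    # current token -> accepted directly
    # Simulate a rotation the phone has not yet recorded: the phone is challenged and passes.
    server.accounts["alice"].security_token = secrets.token_bytes(16)
    out["phone_answers_challenge"] = phone.connect(server)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The model makes the detection boundary explicit: stealing the key and token gives an attacker a window that closes at the next offline-message retrieval, after which the stale token forces a challenge that only the registered device can observe and answer.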
Device Verification has been rolled out to 100% of WhatsApp users on Android and is in the process of being rolled out to iOS users. The company hopes this new security measure will protect users' privacy and security without interrupting their service or adding an additional step they need to take.
As malware increasingly threatens everyone's security and privacy, WhatsApp will continue to evaluate new security features to ensure the protection of its users.