Why WhatsApp is a no-go on Business Phones

WhatsApp has a long history of being the most popular messaging service for most people while on the other hand it also has been one of the most insecure if not the most insecure messaging apps out there.

The question is, is it still the same or did it change over the past years and finally should WhatsApp be banned from all phones the user uses for business.

When we come to the point of talking about risks it comes down to two factors main factors:

main factors:

• the app
• the user

The App

Even though WhatsApp nowadays offers end-to-end encryption which is based on the open source project by Whisper Systems, security concerns are still common and hit the service from time to time.

The latest concern was brought up by Maikel Zweerink from the Netherlands who discovered that profile pictures an statuses can be monitored even if the user has declined sharing these infos via his privacy settings.

But the biggest concerns nowadays come from three sides

• Facebook INC.
• the permissions the App requires
• meta data

Facebook INC.

Since Facebook INC (FB) is the parent company of WhatsApp (WA) all decisions are made at Menlo Park and there's not much Jan Koum and Brian Acton can do.
While the two founders might care about security and try to ensure that nothing will change even after WA got acquired, FB approach is completely different to their believes.

Facebook wants, since it is a publicly registered and traded company, to make as much money as possible for its shareholders and what is it that generates money? User data.

So from this and the history of what FB tried to get access to the data of their users we can infer that FB will try the same with WA in the coming years. So even if changes in the Terms and Conditions are not permanently it is enough to analyse all user data at the time they are active.

App permissions

Currently WA is considered as one of the most insecure apps because it requests access to nearly every API that is available for developers. Meaning they want as much information out of your phone as possible.

What is currently known is, that WA transfers the entire phonebook to their servers to find friends who use the service as well.
According to WA they only use the phone number and delete everything else. If that is true time will tell.

And lastly its on WA what they do with the permissions they got - as soon as they have them it's easy to change the code an do other stuff like transferring whole picture libraries over to their servers without the user noticing.
Just last week FB said that the latest spying incident happened do to a bug in the code and they never wanted to gather data of users who are not registered on FB but it happened and probably it was no bug. Bottomline FB got away with this by saying sorry but not saying a word about deleting these data.

Meta Data

Nowadays even more important than plain data. Meta data reveal a lot more than people think and are mostly excluded from the privacy rights a user has over his text's and pictures.
And as far as it is known those data are stored by WA and FB. They even say that they analyse those data to enhance the user experience but beside that there is a lot more they tell about the user.

The User

While talking about security we always have to take the human part of the equation into account and this is probably the weakest part of all.

Assuming that your company does not allow WA for business conversation you can not avoid that a user accidentally communicates confidential information via WA with someone else if it is installed on the phone.

The problem here is that humans always tend to use the simplest and most convenient way. WA unfortunately offers the most convenient way of communicating with other individuals since the user has not to add contacts and most people use the app.

So even if policies and regulations of a company do not allow the use of WA for business the potential risk that a user communicates confidential information via it is extremely high.

Update
(29th April)

Just after WA introduced the ability to make phone calls via their app German researchers discovered that the current version of WA saves all calls in two different .wav files, one with the voice of the caller and one with the voice of the recipient.
Not only that saving audio files of conversations without the permission of the reciepient is against the law in many countries including many of the European Union we also do not know what is the intention of WA of doing so.
Currently researchers are investigating if WA transferred only the log files to their servers for analyses or if they also transferred or analysed the stored .wav files.
But in any case users using the call feature of WA can be held responsible for saving the call without permission.

Conclusion

If a company has confidential information and wants to avoid that it gets analysed by any chance they should ban WA from all device that are used for work. The risk that a user accidentally communicates via WA with colleagues or customers is far to high.
As soon as this happened it is not yet known how Facebook might use these information against your company or individuals. Just keep in mind that meta data are as powerful as the original data transferred even if they are encrypted and lastly meta data are normally not encrypted and accessible by WA or FB.

Finally the biggest issue to keep in mind is that FB's whole business model is based on making money by analysing their user and selling their data.

So do you want your data analysed and sold?