{"id":702,"date":"2023-04-13T12:58:22","date_gmt":"2023-04-13T12:58:22","guid":{"rendered":"https:\/\/fde.cat\/index.php\/2023\/04\/13\/how-device-verification-protects-your-whatsapp-account\/"},"modified":"2023-04-13T12:58:22","modified_gmt":"2023-04-13T12:58:22","slug":"how-device-verification-protects-your-whatsapp-account","status":"publish","type":"post","link":"https:\/\/fde.cat\/index.php\/2023\/04\/13\/how-device-verification-protects-your-whatsapp-account\/","title":{"rendered":"How Device Verification protects your WhatsApp account"},"content":{"rendered":"<p><span>WhatsApp has launched a new security feature that further helps prevent attackers from using vectors like on-device <a href=\"https:\/\/engineering.fb.com\/2022\/07\/20\/security\/how-meta-and-the-security-industry-collaborate-to-secure-the-internet\/\" target=\"_blank\" rel=\"noopener\">malware<\/a>.<\/span><br \/>\n<span>This security feature, called Device Verification, requires no action or additional steps from users and helps protect your account.<\/span><br \/>\n<span>This feature is part of our broader work to increase security for our users from the growing threat of malware.<\/span><\/p>\n<p><span>WhatsApp\u2019s top priority is ensuring that users can communicate privately, simply, and securely. One of the strongest tools at our disposal is <a href=\"https:\/\/engineering.fb.com\/2021\/09\/10\/security\/whatsapp-e2ee-backups\/\">end-to-end encryption<\/a> \u2013 meaning that nobody, not even WhatsApp, can read personal messages sent between users. This protects messages from interception. However, we\u2019ve increasingly seen attackers targeting the endpoints of communication \u2013 the mobile devices themselves \u2013 and we are strengthening our security mechanisms to keep user accounts safe.<\/span><\/p>\n<p><span>In particular, we are concerned about malware that infects a mobile phone in much the same way a virus infects a computer. 
Malware is used to advance account takeover (ATO) attacks that send messages without the user\u2019s knowledge or permission.<\/span><\/p>\n<p><span>In our ongoing effort to safeguard people\u2019s accounts and information on WhatsApp, we\u2019re introducing a new security measure \u2013 called Device Verification \u2013 to help prevent ATO attacks. Device Verification blocks the attacker\u2019s connection, while allowing the victim to use their WhatsApp account uninterrupted.<\/span><\/p>\n<h2><span>Why do we need Device Verification?<\/span><\/h2>\n<p><span>WhatsApp uses several cryptographic keys to ensure that communications across the app are end-to-end encrypted. One of these is the authentication key, which allows a WhatsApp client to connect to the WhatsApp server to re-establish a trusted connection. This authentication key allows people to use WhatsApp without having to enter a password, PIN, SMS code, or other credential every time they turn on the app.<\/span><\/p>\n<p><span>This mechanism is secure because the authentication key cannot be intercepted by any third party, including WhatsApp. If a device is infected with malware, however, the authentication key can be stolen.<\/span><\/p>\n<p><span>We are primarily concerned about the popularity of unofficial <\/span><a href=\"https:\/\/faq.whatsapp.com\/1217634902127718\/?helpref=hc_fnav\" target=\"_blank\" rel=\"noopener\"><span>WhatsApp clients<\/span><\/a><span> that contain malware designed for this purpose. 
These unofficial apps put users\u2019 security at risk \u2013 and it is why we encourage everyone using WhatsApp to use the <\/span><a href=\"https:\/\/twitter.com\/wcathcart\/status\/1546567955671961600?lang=en\" target=\"_blank\" rel=\"noopener\"><span>official WhatsApp app<\/span><\/a><span>.<\/span><\/p>\n<p><span>Once malware is present on user devices, attackers can use the malware to capture the authentication key and use it to impersonate the victim to send spam, scams, phishing attempts, etc. to other potential victims.<\/span><\/p>\n<p><span>Device Verification will help WhatsApp identify these scenarios and protect the user\u2019s account without interruption.<\/span><\/p>\n<h2><span>How Device Verification works<\/span><\/h2>\n<p><span>WhatsApp has built Device Verification to benefit from how people typically read and react to messages sent to their device. When someone receives a message, their WhatsApp client wakes up and retrieves the offline message from the WhatsApp server. This process cannot be impersonated by malware that steals the authentication key and attempts to send messages from outside the users\u2019 device.<\/span><\/p>\n<p><span>Device Verification introduces three new parameters:<\/span><\/p>\n<ol>\n<li><span>A security-token that\u2019s stored on the users\u2019 device.<\/span><\/li>\n<li><span>A nonce that is used to identify if a client is connecting to retrieve a message from the WhatsApp server.<\/span><\/li>\n<li><span>An authentication-challenge that is used to asynchronously ping the users\u2019 device.<\/span><\/li>\n<\/ol>\n<p><span>These three parameters help prevent malware from stealing the authentication key and connecting to the WhatsApp server from outside the users\u2019 device.<\/span><\/p>\n<h3><span>How a security-token gets bootstrapped<\/span><\/h3>\n<p><span>Every time someone retrieves an offline message, the security-token is updated to allow seamless reconnection attempts in the future. 
This process is called bootstrapping the security-token.<\/span><\/p>\n<h3><span>How a new client connection is validated<\/span><\/h3>\n<p><span>Every time a WhatsApp client connects to the WhatsApp server, we require the client to send us the security-token that\u2019s on their device. This allows us to detect suspicious connections from malware that is trying to connect to the WhatsApp server from outside the users\u2019 device.<\/span><\/p>\n<h3><span>What is an authentication-challenge?<\/span><\/h3>\n<p><span>An authentication-challenge is an invisible ping from the WhatsApp server to a user\u2019s device. We only send these challenges on suspicious connections. There are three possible responses to the challenge:<\/span><\/p>\n<ul>\n<li><span>Success: The client responds to the challenge from the connecting device.<\/span><\/li>\n<li><span>Failure: The client responds to the challenge from a different device. This means the connection being challenged is very likely from an attacker, and the connection will be blocked.<\/span><\/li>\n<li><span>No Response: The client doesn\u2019t respond to the challenge. This situation is rare and indicates that the connection being challenged is suspicious. We retry sending the challenge a few more times. If the client still doesn\u2019t respond, the connection will be blocked.<\/span><\/li>\n<\/ul>\n<h2><span>What\u2019s next<\/span><\/h2>\n<p><span>Malware is an issue that increasingly threatens everyone\u2019s security and privacy. Device Verification has been rolled out to 100% of WhatsApp users on Android and is in the process of being rolled out to iOS users. It enables us to increase our users\u2019 security without interrupting their service or adding an additional step they need to take. Device Verification will serve as an important and additional tool at WhatsApp\u2019s disposal to address rare key-theft security challenges. 
We will continue to evaluate new security features to protect the privacy of our users.<\/span><\/p>\n<p>The post <a href=\"https:\/\/engineering.fb.com\/2023\/04\/13\/security\/whatsapp-device-verification-protects-your-account\/\">How Device Verification protects your WhatsApp account<\/a> appeared first on <a href=\"https:\/\/engineering.fb.com\/\">Engineering at Meta<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WhatsApp has launched a new security feature that further helps prevent attackers from using vectors like on-device malware. This security feature, called Device Verification, requires no action or additional steps from users and helps protect your account. This feature is part of our broader work to increase security for our users from the growing threat&hellip;<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-702","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"jetpack_featured_media_url":""}