WhatsApp’s Encryption Hasn’t Kept It Safe From Stalkerware – Gizmodo

Photo: Lionel Bonaventure (Getty Images)

Among the sprawl of properties in the Facebook family, WhatsApp's perhaps the only one that's preached preserving user privacy and actually followed through. But that hasn't stopped bad actors from finding new ways to spy and snoop without the platform's, or any users', say-so.

As a new investigation from Business Insider details, apps promising to probe the platform, and its users, for sometimes sensitive intel have come cropping up across the Apple and Android ecosystems. And while this might not be a great look for a trio of companies that have spent the past year trying to one-up their promises to protect their users' privacy, none of them appear too motivated to snuff out this new form of stalkerware.

It's worth clarifying here that these apps aren't magic. WhatsApp's spent the past six years staunchly setting end-to-end encryption as the default for all messages sent over its pipes. And save for the occasional oopsie, that encryption does its job, which means that no third party is going to decipher the messages or pictures being sent back and forth over the platform unless they can actually get their hands on your physical device and pump it full of malware.

Instead, these stalkerware services seem to rely on the one public-facing bit of user information that WhatsApp actually allows to be accessed: an innocuous widget that notifies users when someone is on the app or off. It's a ho-hum piece of data that's typically used to know, say, whether your uncle overseas is around for a call. But data, even tiny breadcrumbs like this, never exists in a vacuum, which is why it's a disappointing inevitability that something so simple could be used for tracking something like when your ex-girlfriend is sleeping.

The way this sort of sorta-stalkerware operates is pretty simple. A person just downloads one of these apps and plugs in the phone number of the other person they're looking to track, and then that phone is monitored round the clock for any online or offline signals. Over the next few days, weeks, or months, this builds up a pretty good picture of the target's typical schedule: when they're waking up, when they're sleeping, and when they're most likely to be hanging out in-app. Some of the apps Business Insider dug up bragged about the ability to track whether or not two contacts were likely to be talking to each other at any given time, based on how often they're online simultaneously. Naturally, this all happens without that target's consent.

The efficacy of these apps is questionable, given that this single bit of WhatsApp data is binary: either the app is open or not; there's no idle state. People who choose to leave WhatsApp open while not actively texting or calling are, in a way, foiling this script kiddie-level stalkerware by transmitting functionally incorrect data. Still, the fact that anyone would want to snoop on strangers this way, and that a willing network of enablers would build the tools to let them, regardless of the validity of their findings, is (to use the technical term) fucking gross.

Some of these apps manage to slide by under the guise of being handy tools to monitor whether your kids are getting up to some funny business when they're not supposed to be, while others are more upfront about exactly how slimy they are. One of the webpages for the programs that Gizmodo found pitches itself as a way for parents to get notifications about their kids' whereabouts "even if they block you," while elsewhere describing how the same could be done for your "friends, lover, [or] wife." Another app found in the initial report is even more explicit about what it's there to snoop on:

Something is up. Maybe your significant other keeps texting under the covers late at night or taking suspicious trips to the bathroom at all hours with their phone in their hand. Maybe one of your employees is acting strangely every time you catch them sending a Whatsapp message during work hours, and you want to know what it is they're sending. Or perhaps it's even your teenager, who has been refusing to tell you who they've been sending messages to in the dead of night and why they're staying out so late after school. Either way, something isn't right, and you know it.

WhatsApp reps told Business Insider that the platform's terms bar this sort of tampering outright, and that the company "[requests] that app stores remove apps that abuse our brand" and violate those terms in the process. They also confirmed that disabling the online notification for a given user is functionally impossible, meaning that they're offering little protection against this sort of verboten tampering beyond politely asking Apple and Google to knock it off.

Meanwhile, both app store companies are stuck in a game of whack-a-mole with these programs as they arise. Thus far, it looks like they're each doing a fairly shitty job: while Google does take its policies prohibiting ads or promotions for spyware pretty seriously, those policies are lackluster at best, with the latest update explicitly allowing this sort of tech if it was marketed to parents, rather than jealous exes. Apple's own policies touch on malware, but not spyware, which means these apps are also free to proliferate across that ecosystem.

In other words, it seems like all of these companies have regarded this gross invasion of privacy as something that's either entirely kosher, or just not their problem to solve. We've reached out to WhatsApp, Apple, and Google for comment and will update if we hear back.
