How Device Verification protects your WhatsApp account – Facebook Engineering

WhatsApp’s top priority is ensuring that users can communicate privately, simply, and securely. One of the strongest tools at our disposal is end-to-end encryption – meaning that nobody, not even WhatsApp, can read personal messages sent between users. This protects messages from interception. However, we have increasingly seen attackers targeting the endpoints of communication, the mobile devices themselves, so we are strengthening our security mechanisms to keep user accounts safe.
In particular, we are concerned about malware that infects a mobile phone in much the same way a virus infects a computer. Malware is used to advance account takeover (ATO) attacks that send messages without the user’s knowledge or permission.
In our ongoing effort to safeguard peoples’ accounts and information on WhatsApp, we’re introducing a new security measure – called Device Verification – to help prevent ATO attacks. Device Verification blocks the attacker’s connection, while allowing the victim to use their WhatsApp account uninterrupted.
WhatsApp uses several cryptographic keys to ensure that communications across the app are end-to-end encrypted. One of these is the authentication key, which allows a WhatsApp client to connect to the WhatsApp server to re-establish a trusted connection. This authentication key allows people to use WhatsApp without having to enter a password, PIN, SMS code, or other credential every time they turn on the app.
This mechanism is secure because the authentication key cannot be intercepted by any third party including WhatsApp. If a device is infected with malware, however, the authentication key can be stolen.
We are primarily concerned about the popularity of unofficial WhatsApp clients that contain malware designed for this purpose. These unofficial apps put users’ security at risk – and it is why we encourage everyone using WhatsApp to use the official WhatsApp app.
Once malware is present on user devices, attackers can use the malware to capture the authentication key and use it to impersonate the victim to send spam, scams, phishing attempts, etc. to other potential victims. 
Device Verification will help WhatsApp identify these scenarios and protect the user’s account without interruption.
WhatsApp has built Device Verification to benefit from how people typically read and react to messages sent to their device. When someone receives a message, their WhatsApp client wakes up and retrieves the offline message from the WhatsApp server. This process cannot be impersonated by malware that steals the authentication key and attempts to send messages from outside the user’s device.
Device Verification introduces three new parameters: 
These three parameters help prevent malware from stealing the authentication key and connecting to the WhatsApp server from outside the user’s device.
Every time someone retrieves an offline message, the security-token is updated to allow seamless reconnection attempts in future. This process is called bootstrapping the security-token.
Every time a WhatsApp client connects to the WhatsApp server, we require the client to send us the security-token that is on its device. This allows us to detect suspicious connections from malware that is trying to connect to the WhatsApp server from outside the user’s device.
An authentication-challenge is an invisible ping from the WhatsApp server to a user’s device. We only send these challenges on suspicious connections. There are three possible responses to the challenge:
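The three mechanisms above (a security-token that rotates when the genuine device retrieves an offline message, a token check on every connection, and an invisible challenge on suspicious connections) can be modelled as a small stateful server. The following is an added illustration, not WhatsApp's protocol or code: the token format, the HMAC-based challenge answer, and the "blocked"/"accepted"/"rejected" outcomes are all constructed assumptions chosen to show why a copied credential goes stale once the real device has bootstrapped a new token.

```python
"""Toy model of a rotating security-token check in the spirit of Device Verification.
Constructed example for illustration; it is not WhatsApp's protocol or code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Account:
    """Server-side view of one account (constructed model)."""
    auth_key: bytes          # long-lived key the client uses to reconnect
    security_token: bytes    # rotates each time the device retrieves an offline message


class Device:
    """The user's genuine device: holds the auth key and the latest security-token."""

    def __init__(self, auth_key: bytes, token: bytes) -> None:
        self.auth_key = auth_key
        self.security_token = token

    def answer_challenge(self, nonce: bytes) -> bytes:
        # The invisible challenge is answered with an HMAC of the nonce keyed by
        # whatever token this device currently holds (assumed construction).
        return hmac.new(self.security_token, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Push channel to the registered device; a None reply models an unreachable device.
        self.push: Dict[str, Callable[[bytes], Optional[bytes]]] = {}

    def register(self, user: str) -> Device:
        acct = Account(secrets.token_bytes(32), secrets.token_bytes(16))
        self.accounts[user] = acct
        device = Device(acct.auth_key, acct.security_token)
        self.push[user] = device.answer_challenge
        return device

    def retrieve_offline(self, user: str, device: Device) -> bytes:
        """Genuine device wakes up to fetch an offline message; the server
        bootstraps a fresh security-token and hands it to that device."""
        acct = self.accounts[user]
        if not hmac.compare_digest(device.auth_key, acct.auth_key):
            raise PermissionError("auth key mismatch")
        acct.security_token = secrets.token_bytes(16)
        device.security_token = acct.security_token
        return acct.security_token

    def connect(self, user: str, auth_key: bytes, presented_token: bytes) -> str:
        """Every connection must present its security-token; a stale one
        is suspicious and triggers a challenge to the registered device."""
        acct = self.accounts[user]
        if not hmac.compare_digest(auth_key, acct.auth_key):
            return "rejected"
        if hmac.compare_digest(presented_token, acct.security_token):
            return "accepted"
        nonce = secrets.token_bytes(16)
        reply = self.push[user](nonce)
        # If the registered device's reply binds to the very token this connection
        # presented, it is the same device holding an out-of-date token.
        same_device = hmac.new(presented_token, nonce, hashlib.sha256).digest()
        if reply is not None and hmac.compare_digest(reply, same_device):
            return "accepted"
        # Otherwise the connection holds a copied key but not the device: block it
        # (a conservative choice of this model), leaving the genuine device's
        # own sessions untouched.
        return "blocked"


def scenario() -> Dict[str, str]:
    """Walk through a copied credential before and after one token bootstrap."""
    server = Server()
    device = server.register("alice")
    # Constructed stand-in for credentials exfiltrated by malware on the device.
    copied_key, copied_token = device.auth_key, device.security_token
    results: Dict[str, str] = {}
    results["copy_before_bootstrap"] = server.connect("alice", copied_key, copied_token)
    server.retrieve_offline("alice", device)     # user reads a message; token rotates
    results["copy_after_bootstrap"] = server.connect("alice", copied_key, copied_token)
    results["genuine_device"] = server.connect("alice", device.auth_key, device.security_token)
    results["wrong_auth_key"] = server.connect("alice", secrets.token_bytes(32), copied_token)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The first result is the honest limitation of the design: until the genuine device retrieves a message and the token rotates, a copied key plus token is indistinguishable from the real client. After one bootstrap the copy presents a stale token, the challenge goes to the registered device, and the device's answer no longer matches what the suspicious connection presented, so only that connection is blocked while the real device keeps working.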
Malware is an issue that increasingly threatens everyone’s security and privacy. Device Verification has been rolled out to 100% of WhatsApp users on Android and is in the process of being rolled out to iOS users. It enables us to increase our users’ security without interrupting their service or adding an additional step they need to take. Device Verification will serve as an important and additional tool at WhatsApp’s disposal to address rare key-theft security challenges. We will continue to evaluate new security features to protect the privacy of our users.