A report from the Guardian Friday may cause a scare for users of the popular encrypted messaging service WhatsApp. According to a group of security researchers, a security backdoor in the service would allow third-parties to access encrypted messages—but other security experts disagree.

According to the Guardian—which cites a number of privacy advocates including Tobias Boelter, cryptography and security researcher at the University of California, Berkeley who first discovered the supposed backdoor in April 2016 —the way WhatsApp has implemented its end-to-end encryption protocol allows for third-party access to messages from parent company Facebook or government agencies.

The issue stems from WhatsApp’s treatment of encryption keys, the piece of information that translates a plaintext message into an encrypted text.

WhatsApp has the ability to force the generation of new encryption keys for offline users without alerting the sender or recipient. The app makes the message sender re-encrypt the messages with new keys and resend them for any messages that have yet to be delivered.

The message recipient isn’t made aware of the change in encryption. They are only notified if they opt in to encryption warnings in settings, and will only be made aware after the messages have been re-sent with new keys that the encryption has changed.

In Boelter’s original reporting of the supposed security flaw, he explained an attacker or a third-party actor could theoretically intercept those messages without giving the sender the ability to prevent them from being received by the interceptor with a different encryption key than the intended recipient.

“If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys,” Boelter told the Guardian.

WhatsApp disputes this assessment. A spokesperson for the messaging service told IBTimes, “This claim is false.”

The spokesperson said what was being described as a backdoor is actually “an intentional design decision in WhatsApp that prevents people from losing millions of messages.”

They explained WhatsApp “does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor,” and noted the service offers users security notifications to alert them to potential security risks.

“WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report,” the spokesperson said.

Other security experts have also questioned the characterization of the Guardian’s report. Frederic Jacobs, a highly regarded cryptology expert, said on Twitter, ”It's ridiculous that this is presented as a backdoor,” explaining, “If you don't verify keys, authenticity of keys is not guaranteed. Well known fact.”

WhatsApp makes use of the Signal protocol, developed by Open Whisper Systems and used in the popular Signal messaging app. Both services make use of a concept called “trust on first use” that trusts a user’s encrypted key once it is exchanged between users as long as it doesn’t change.

Signal automatically blocks messages if a user’s key changes until the new key is verified. WhatsApp simply notifies the user the key has changed. That difference in the treatment of messages is the origin of the reported backdoor.

While WhatsApp users—and there’s more than one billion of them around the world—should be aware of this feature, it is exactly that: a feature. The service has chosen to treat keys differently than Signal but it was a conscious choice. While it may be placing user interface ahead of security and can be criticized as potentially exploitable, identifying it as a backdoor is misleading.

Users can opt-in to being alerted if one of their contacts’ key changes by going into the WhatsApp settings. Tap account and select security, then choose to enable security notifications by selecting the “show security notifications” option.

RELATED STORIES
WhatsApp Software Facebook