With WhatsApp confirming that its software was used to install spyware on phones, many are considering deleting the popular messaging app. However, experts say this is not the answer.
There has been considerable outrage and worry in many countries including India, after WhatsApp confirmed that some of its users were targeted with spyware.
Some in the country have pointed fingers at the government, accusing them of being behind the hack, given that the group accused of creating the software, NSO Group, reportedly sells only to governments.
WhatsApp has sued the company over the allegations, which it has strongly rejected. The Indian government has also denied involvement.
Some users have been looking at options other than WhatsApp, including messaging apps like Signal or Telegram, believing that they are more secure.
But experts say that WhatsApp, an app used by approximately 1.5 billion people in 180 countries and 400 million in India, is bearing the brunt of a hack that is not completely its fault.
While a vulnerability in the app’s video-calling feature allowed the spyware to go through without user intervention, it ultimately took over the phone because of gaps in the phone’s operating systems.
“The vulnerabilities the spyware exploited were at the level of the operating system, be it Android or Apple,” Vinay Kesari, a technology lawyer specialising in privacy, said.
“If there’s spyware in your handset, everything that is readable or even whatever that comes through your camera or mic is at risk,” technology writer Prasanto K Roy said.
WhatsApp promotes itself as a “secure” communications app because messages are encrypted end-to-end. This means they should only be displayed in a legible form on the sender or recipient’s device.
“In this case, it doesn’t matter if the app is end-to-end encrypted or not – once spyware is on your handset, hackers are able to see whatever is on your phone as you see it – this is already decrypted and in a readable form at this stage,” Mr Kesari said.
“You may as well have unlocked your phone and handed it over,” he added. “But importantly, this breach shows just how vulnerable operating systems are.”
Much of the chatter has focused on switching to other messaging apps, particularly Signal, which is known for its open source code – but does that mean your phone would be better protected against spyware?
Not necessarily, they say.
“With Signal, there is an added layer of transparency because they release their code to the public – so if you are a sophisticated coder, and the company says they have fixed a bug, you can access the code and see for yourself,” Mr Kesari said.
“But that doesn’t mean the app has an added layer of protection against such attacks.”
Mr Roy told the BBC that the attack went beyond the app.