WhatsApp, the mobile messaging app developer that Facebook is acquiring for $19 billion, may be an attractive addition to the social network, thanks to WhatsApp's 450 million active users and en vogue status. It may also be attractive to government spies and criminal hackers, thanks to several weaknesses in the encryption WhatsApp uses to protect messages from eavesdropping, researchers say.

Among the most serious problems with WhatsApp's implementation of secure sockets layer (SSL) encryption is its support of version 2 of the protocol, according to a blog post published Thursday by a researcher from security consultancy Praetorian. SSLv2 was formally prohibited in 2011 (RFC 6176) because of design flaws that let an attacker monitoring a connection between the two endpoints weaken the negotiated cipher, decipher the traffic, and in some cases tamper with it as it passes through. A client that still accepts SSLv2 can be talked down to it by anyone sitting in the path, no matter what it would have negotiated otherwise.

Put a pin in it

WhatsApp has also failed to implement a technique known as certificate pinning that's designed to block attacks using forged certificates to bypass Web encryption. Pinning allows an app to work only when communicating with a server that presents a specific certificate (or, in some implementations, a specific public key). Because that fingerprint is hardcoded into the app, the app rejects connections presenting any other certificate, even one signed by one of the 500 or so authorities trusted by major browsers and operating systems, which is precisely what an attacker holding a fraudulently issued certificate relies on.

Over the past few years, pinning has become increasingly common in apps developed by companies like Twitter, Facebook and Google. Certificate pinning in Chrome was the canary that revealed a fraudulent certificate (signed by then-trusted authority DigiNotar) being used to bypass the encryption protecting some Gmail users. Given the more than $19 million WhatsApp has received to date from venture capitalists, it's surprising developers didn't plunk some of that money into adding this useful feature.
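The check described above, written out as an added example (it is not WhatsApp's or Praetorian's code). The app ships with the SHA-256 fingerprints of the certificates it expects and refuses any other leaf, CA-signed or not; normal chain validation still runs first, because pinning narrows the set of acceptable certificates rather than replacing verification. The DER byte strings at the bottom are constructed stand-ins, not real X.509 certificates, so the comparison logic can be exercised offline; `verify_pinned_endpoint` is the same check run against a live host.

```python
"""Certificate pinning as the article describes it: hard-code the
fingerprint of the expected leaf and reject everything else.
Added example; not WhatsApp's or Praetorian's code."""
import base64
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """Base64(SHA-256(DER)): the encoding browsers and HPKP use for pins."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert: bytes, pins) -> bool:
    """True only if the presented certificate hashes to one of the pins.

    Every pin is compared (no early exit) with a constant-time compare so
    the check leaks nothing about which pin, if any, was close.
    """
    presented = fingerprint(der_cert)
    matched = False
    for pin in pins:
        matched |= hmac.compare_digest(presented, pin)
    return matched


class PinMismatch(ssl.SSLError):
    """The chain validated, but the leaf is not one the app pinned."""


def verify_pinned_endpoint(host: str, port: int, pins, timeout: float = 10.0) -> str:
    """Connect, validate the chain normally, then enforce the pin.

    Returns the fingerprint of the leaf that was accepted.  Chain
    validation stays on: a pin is an extra condition, not a substitute.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins):
                raise PinMismatch(
                    f"{host}: leaf {fingerprint(leaf)} is not in the pin set"
                )
            return fingerprint(leaf)


# Constructed stand-ins for DER certificates (not real X.509), used only
# to exercise the comparison logic offline.
GOOD_CERT = b"\x30\x82\x01\x00constructed stand-in for the pinned leaf"
BACKUP_CERT = b"\x30\x82\x01\x00constructed stand-in for the rollover leaf"
IMPOSTOR_CERT = b"\x30\x82\x01\x00constructed stand-in for a CA-signed forgery"

# What an app would hard-code: the live pin plus a backup so the operator
# can rotate certificates without stranding installed clients.
PINS = {fingerprint(GOOD_CERT), fingerprint(BACKUP_CERT)}


if __name__ == "__main__":
    assert pin_matches(GOOD_CERT, PINS)
    assert pin_matches(BACKUP_CERT, PINS)
    assert not pin_matches(IMPOSTOR_CERT, PINS)
    print("pinning logic OK; impostor rejected")
```

Two design points worth noting. The backup pin is not optional in practice: an app that pins a single certificate and then has that certificate reissued locks every installed copy out until users update. And pinning the public key (the SubjectPublicKeyInfo) instead of the whole certificate, as Chrome does, lets the operator renew the certificate with the same key without touching the pin set at all.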

Praetorian also notes two other WhatsApp SSL deficiencies: support for null ciphers, suites that authenticate the connection but leave the payload entirely unencrypted, and for export ciphers, the deliberately weakened 40- and 56-bit suites left over from 1990s US export rules, which can be brute-forced with modest hardware. Neither would be chosen in an honest handshake, but an attacker who can tamper with the handshake can steer both sides toward one of them and then read the traffic as it passes between the phone and WhatsApp's back-end servers.

"This is the kind of stuff the NSA would love," Praetorian's Paul Jauregui wrote. "It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk."
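The downgrade Jauregui describes only works because the client is willing to negotiate the weak suites in the first place. The added example below (not WhatsApp's or Praetorian's code) shows the permissive configuration as an OpenSSL cipher string beside a hardened client context built with Python's `ssl` module, and an audit function that flags the suite names an attacker could downgrade to. `WEAK_CIPHER_SPEC` is illustrative of the problem, not WhatsApp's actual setting; `SAMPLE_SCAN` is a constructed list in the format `openssl ciphers -v` prints.

```python
"""Permissive versus hardened client TLS settings, with an audit over
suite names.  Added example; the weak spec is illustrative, not
WhatsApp's real configuration."""
import ssl

# What 'accepts null and export ciphers' looks like as an OpenSSL cipher
# string.  Modern OpenSSL builds no longer ship SSLv2 or EXP- suites at
# all, so this is only meaningful against an old library.
WEAK_CIPHER_SPEC = "ALL:eNULL:EXPORT"

# Forward-secret AEAD suites only; the ! terms state the intent so a
# future default cannot sneak something weak back in.
HARDENED_CIPHER_SPEC = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
    ":!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
)


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv2/v3, TLS 1.0/1.1 and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname check + CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no SSLv2/v3, no TLS 1.0/1.1
    ctx.set_ciphers(HARDENED_CIPHER_SPEC)
    return ctx


def weak_suites(names):
    """Return (suite, reason) for every suite an attacker could downgrade to.

    Matches OpenSSL suite names as printed by `openssl ciphers -v` or
    reported by SSLContext.get_ciphers().
    """
    findings = []
    for name in names:
        if "NULL" in name:
            findings.append((name, "null cipher: payload is not encrypted"))
        elif name.startswith("EXP"):
            findings.append((name, "export grade: 40/56-bit key, brute-forceable"))
        elif name.startswith(("ADH", "AECDH")):
            findings.append((name, "anonymous key exchange: no server authentication"))
        elif "RC4" in name or "DES" in name or name.endswith("MD5"):
            findings.append((name, "legacy primitive: known practical weaknesses"))
    return findings


def context_suite_names(ctx: ssl.SSLContext) -> list:
    """Suite names the context would actually offer in a handshake."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: the kind of list a permissive client advertises,
# in `openssl ciphers -v` naming, trimmed to a handful of entries.
SAMPLE_SCAN = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "NULL-SHA256",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "ADH-AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
]


if __name__ == "__main__":
    for suite, why in weak_suites(SAMPLE_SCAN):
        print(f"weak: {suite:32} {why}")
    hardened = hardened_client_context()
    print("hardened context offers", len(context_suite_names(hardened)), "suites,",
          len(weak_suites(context_suite_names(hardened))), "weak")
```

To probe a live endpoint from the outside, `openssl s_client -connect host:443 -cipher eNULL` should fail to complete a handshake against a properly configured server; testing SSLv2 itself (`-ssl2`) needs an OpenSSL build old enough to still contain it.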

This is not the first time WhatsApp has been called out for security weaknesses. In October, a computer science student at Utrecht University in the Netherlands documented a critical flaw in the app's own message encryption: the same RC4 keystream was used in both directions of a conversation, so an eavesdropper who captured both sides could cancel the keystream out and recover plaintext. Given Facebook's track record in locking down apps and servers, one would expect company developers to audit every line of WhatsApp code for these kinds of vulnerabilities before assimilating it into the mothership.

Listing image by Sybren A. Stüvel