WhatsApp, which is to be acquired for USD 19 billion by Facebook (Mark Zuckerberg's co to pay WhatsApp $2 bn if deal falls through), says on its website that "communication between your phone and our server is fully encrypted."
WhatsApp warns users need to be aware that when they send messages, the recipient's device may not be secure. But it says it does not store any chat history and that messages are wiped off its system after delivery.
Yet security researchers and others point out that there may be vulnerabilities in the system used by some 450 million people globally.
Paul Jauregui at the security firm Praetorian said in a blog post yesterday that WhatsApp security and encryption are not ideal, citing vulnerabilities in the way it handles SSL, the secure socket layer protocol for communications.
The group's mobile security test "picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers," Jauregui said.
"This is the kind of stuff the NSA (National Security Agency) would love. It basically allows them -- or an attacker -- to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk."
Jauregui noted that Praetorian would need authorisation from Facebook and WhatsApp for a more thorough security evaluation. He added that it would be "not very difficult" to patch the security flaws.
Meanwhile in Germany, the data commissioner in the state of Schleswig-Holstein, said in a statement this week the deal raises serious privacy concerns and that WhatsApp does not comply with European data protection rules.
The official, Thilo Weichert, said in a statement that people should opt out of WhatsApp for more "trusted services."
Last October, Dutch security researcher Thijs Alkemade posted a blog saying that the encryption can be circumvented, making it feasible "that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort."
WhatsApp did not respond to an AFP query on the security claims. But some rival services say the Facebook-WhatsApp tie-up is likely to hurt confidence in the messaging app.
Nico Sell, co-founder of the security-focused app Wickr said it has seen "thousands more people than normal" downloading its app since Facebook's announcement.
"I think people will swap quickly out of WhatsApp now that it's part of Facebook," she said.
Sell said Facebook's core business is monetizing data, while Wickr aims at protecting user anonymity and privacy, by using top-grade encryption and paying bounties to hackers who discover any security flaws.