Like WhatsApp, most messaging apps have vulnerabilities: Expert

It’s not just WhatsApp, almost everything connected to the internet is at risk of cyberattacks. That’s what experts are emphasizing following news that the messaging platform had been targeted by spyware.

The vulnerability in the world’s most popular messaging platform, which was first reported by the Financial Times, allegedly allowed an Israel-based company to install malware onto both iPhone and Android phones. The security weakness reportedly could have been used to tap calls made with the app.

A spokeswoman said Facebook-owned WhatsApp encouraged users to update the application in order to protect against “potential targeted exploits designed to compromise information stored on mobile devices.”

But even after the patch, users should keep in mind that there will always be vulnerabilities on mobile applications.

“It’s definitely possible or even likely that at least some other apps will have similar vulnerabilities,” said Tom Uren, a senior analyst in the Australian Strategic Policy Institute’s International Cyber Policy Centre. “Pretty much the entire suite of apps that ‘talk’ over the internet could be vulnerable.”

That’s because the apps are “constantly updated” to introduce new features, said Ori Sasson, founder of cyber-intelligence firm S2T.

“While updates can fix known defects and vulnerabilities, they can insert new unknown ones,” he said. In software development and testing, engineers can identify weaknesses, but it is “literally impossible” to prove the absence of a vulnerability in a “non-trivial application,” he added.

Tom Kellermann, chief cybersecurity officer of U.S.-based cybersecurity firm Carbon Black, echoed that sentiment.

“The unfortunate reality is that most messaging apps have vulnerabilities that can be exploited by sophisticated cyber spies,” he said. “No messaging service is bulletproof.”

Such platforms usually secure the transmission of messages between users, but that’s not a “panacea,” Kellermann said.

Most security ratings for such platforms relate to encryption, which implies reduced risk of eavesdropping on messages and calls, explained Sasson. He noted that WhatsApp, like BBMe and other apps that are “considered secure,” has end-to-end encryption.

In the case of the WhatsApp attack, however, it was about “secure application development” rather than how well the app protects privacy and security, said Uren of ASPI, a Canberra-based think tank.

The onus is on developers to create secure apps, said experts, although one added it may not be realistic to expect a group to identify all vulnerabilities.

“For a consumer, there is very little you can do except update your apps and operating system as bug fixes and updates get released,” said Uren.

“Developers making apps need to dedicate the effort to build secure apps and use secure coding principles,” he said. “But in general, security is an afterthought.”

He added that he likes messaging app Signal, in part because its philosophy is about building secure and private messaging, though that doesn’t make it “immune.”

A spokeswoman for BlackBerry told CNBC that its app provides a “circle of trust” where users have to accept an invite before they can receive calls or messages from other users. Hence, what happened to WhatsApp “could not happen” with BBM Enterprise, claimed BlackBerry Head of Corporate Communications Sarah McKinney.

Carbon Black’s Kellermann said the “largest burden of responsibility” is on software creators to develop with cybersecurity in mind and conduct “vulnerability assessments.”

Security researchers with expertise in finding defects could also help to protect apps, Sasson said. But given the potential complexity of large software applications, “this may not be practical,” he added.

In the case of WhatsApp, he said “significant research and effort” is required in order to identify and exploit a vulnerability. Defects in the operating system may also have been needed.

“What this implies (is) that there is a high entry barrier to creating the means for such an attack,” Sasson said.

Given the amount of effort to find such a vulnerability, attackers are unlikely to put in the effort for apps that are not widely used, explained Sasson.

WhatsApp was likely targeted because of its “large user base” and the fact that attackers were able to find a weakness, he added.

Popular apps are the ones that will be targeted, said Uren, because “that is where the users are.”

But he also suggested that the people who use the app matter. “Ironically, the apps that are perceived as more secure will probably be more highly targeted because they’ll be used by people that are of interest to intelligence agencies,” Uren said.

Sasson, meanwhile, said there’s a “trade-off between convenience and security.” An app with fewer users could have more vulnerabilities because it is “less tested,” but cyber spies are unlikely to try to exploit the defect.

He added: “So you are likely to be safer from attacks, but less likely to be able to communicate with your contacts because many of them might not be using the same app.”

— CNBC’s Kate Fazzini contributed to this report.