This Forbes article screamed about a ‘surprising’ new warning for WhatsApp users, “with some security experts advising users to delete their apps.” Is this warning a beat-up?
This is an example of an article that highlights a generic cybersecurity problem but puts all the attention on specific apps (WhatsApp and Signal) and operating systems (macOS). Deleting WhatsApp and Signal desktop apps on macOS will not make this fundamental cybersecurity problem go away. This fundamental cybersecurity affects all apps for all traditional desktop operating systems (e.g. Windows, Linux and macOS).
So, what is the fundamental cybersecurity problem?
As I wrote in my book, Easy Guide to Cybersecurity & Privacy,
Why device operating systems are technically more secure [than traditional desktop operating systems]?
Compared to traditional computer operating systems (e.g. Windows, macOS), device operating systems (e.g. Android, iOS, iPadOS) are technically more secure. This is because they are designed from the ground up, while learning the lessons from years of experience with security issues and malware on the traditional computer operating systems (OS).
Traditional desktop operating systems (OS) belong to the previous era of computing, where everything was much more open because cybersecurity was not an issue back then. Today’s Windows, macOS and Linux inherit some of the characteristics of the more open era of the past. Apple, Microsoft and the Linux community cannot simply close their desktop OS without consequences of breaking lots of existing software applications. Instead, a complete break from the past era has to be built from scratch in the form of iOS, iPadOS and Android. The requirement to retain some of the characteristics of the more open era of the past resulted in this cybersecurity issue that you see today.
Why are device OS more secure than desktop OS?
There are 2 reasons why device OSs like iOS, iPadOS and Android are more secure than traditional desktop OSs like Windows, Linux and macOS:
- In the device OS, the end-user is barred from having administrative privilege over the device. In traditional desktop OS, you will often see that the end-user operates the computer as an administrator. My book has more detailed explanations of why using your computer as an administrator is a bad idea.
- More importantly, apps in the device OS are sandboxed from one another. In other words, they are isolated from one another, such that they cannot see and peek at the files and activity of one another. Traditional applications on desktop OS, on the other hand, are not sandboxed from one another. They can see and peek at the files and activity of one another.
However, macOS and Windows apps downloaded from the Mac App Store and Windows Store respectively are sandboxed from one another. On the other hand, applications that are installed traditionally (by downloading from websites) do not have sandboxing imposed on them. So, they can see and peek at the files and activity of sandboxed apps downloaded from the app store.
Here is the generic cybersecurity problem…
Generally, in macOS, Windows and Linux, software applications that you download from websites do not have sandboxing imposed on them. They have access to everything the user has access to, including the files from other software applications (including sandboxed apps downloaded from the app store)*.
Therefore, files created and stored by WhatsApp and Signal on the desktop OS cannot be protected from the prying eyes of other software running on the computer.
The best they can do is to encrypt the files so that the other software application cannot see their content. This is what Signal is already doing partially. For Signal, at least they have the wisdom to lodge the encryption keys in macOS’s Keychain, which can only be accessed by Signal (unless the user permits a rogue software). WhatsApp, on the other hand, stores their files in the clear.
* In macOS, the non-sandboxed software still has restrictions on what they can access by default. In the worst case scenario, they can have complete access to every file the user has access to. Basically, the containment is not water-tight.
What should you do if you have a high cybersecurity requirement?
What if you have a high cybersecurity requirement (e.g. if you work in the Department of Defence) and you have to use a desktop OS in your line of work?
Subscribe to continue reading
Subscribe to get access to the rest of this post and other subscriber-only content.