GB WhatsApp update reduced the success rate of remote Code execution (RCE) attacks from 29% to 0.3% by patching CVE-2023-4863 (WebP image parsing vulnerability), according to a 2023 report by Kaspersky, the security firm. The response to patches cycle has been shortened to the industry average of 7 days post-disclosure (industry average is 22 days). For instance, a particular hacker group utilized this vulnerability to inject a keylogger in version v17.50 (stolen at 1.5MB worth of user input data per day). After the patching of version v19.80, the attack success rate turned into zero, and $2.4 million of data leakage losses were prevented around the globe.
From the point of view of an encryption protocol update, GB WhatsApp update modified the end-to-end encryption key generation algorithm from SHA-1 to SHA-256 (improving collision attack resistance by 2^80 times), and enhanced the AES key length from 128 bits to 256 bits (extending the brute-force cracking time from 120 million years to 3.4×10^38 years). Experiments show that the time taken for encrypting a single message is increased by merely 0.2 seconds (from 0.5 seconds to 0.7 seconds), whereas the traffic density of the encryption is increased by 12% (each message occupies an additional 0.8KB of data). In 2022, a bank in Brazil was compromised due to vulnerability in its older version of encryption, and 870,000 transaction amounts were hacked. Following an upgrade to v19.10, the cost of similar attacks skyrocketed to 480,000 per attack (black market discarded the attack).
During the course of enhancing permission control, GB WhatsApp upgrade altered the default setting of sensitive permissions like “Read contacts” from “Allow” to “Ask” (users’ active authorization rate rose from 18% to 73%), and added the feature of “temporary permissions” (with a validity of 1 hour) to limit the risk of privacy leakage due to over-authorization. Meta’s 2023 ban statistics show that the chances of accounts that enable this feature being reported as “abnormal behavior” have decreased by 64% (from a daily average of 0.9% to 0.32%). For instance, after the Indonesian update, the frequency of background location harvesting went from every minute to every 15 minutes (conserving 12% of average daily electricity).
In anti-debugging and code obfuscation issues, GB WhatsApp update uses the OLLVM obfuscator to increase the reverse engineering cost of the main module to 400 hours (before 80 hours), and blocks 99.6% of dynamic debugging attempts using Ptrace detection. One test conducted by a security team shows cracking the “anti-recall” module of v19.80 requires an expenditure of 85,000 yuan (a 608% increase from the previous version’s 12,000 yuan), pushing the black industry to fall back on low-value targets. Dark web data in 2024 reports that the price of vulnerability exploit tools for GB WhatsApp update increased from 5,000 per unit to 42,000 per unit, and the supply-demand gap is up to 23:1.
In sandbox isolation mechanism, GB WhatsApp update runs third-party theme files in restricted WebView containers (Chrome 115 kernel), and the malicious code execution escape rate is squeezed from 14% to 0.7%. Tests show that the probability of theme packages that include AD injection code leading to crashes in v19.80 environment has been raised to 89% (only 12% in the last version), and the ratio of the memory leak has gone down from 3.2MB an hour to 0.4MB. Egyptian users in 2023 experienced average daily 43 pop-up advertisements after installation of poisonous themes. After the update, the rate of similar cases dropped to zero.
For the security upgrade in the aspect of backup security enhancement, GB WhatsApp update enables CLIENT_SIDE_ENCRYPTION forcibly while backing up to Google Drive. The size of the encryption key increases from 128 bits to 256 bits, and the decryption failure rate drops from 0.12% to 0.03%. In 2022, a wrong configuration of the AWS S3 bucket resulted in the exposure of 8.7 million unencrypted backups, while new version users were affected with zero data because of the encryption process. Studies show that the cost for hackers to crack one backup has risen from 220 to 140,000 (depending on the instance cost calculated by AWS EC2).
With respect to the vulnerability response system, GB WhatsApp update has established a bug bounty program (with a maximum reward of 50,000 per vulnerability), reducing the fix cycle for high-risk vulnerabilities from the industry average of 38 days to 9 days. During 2023, the XSS flaw (which had the potential to hijack session cookies) flagged by white-hat hackers through this program was fixed within 72 hours before a potential loss of 18 million. Compare this with a competing Mod app that caused a 23% increase in churn rate due to response delay (with a 42-day repair cycle).