The folks at the University of Toronto's Citizen Lab recently took a look into WeChat's encryption and found some potential security weaknesses. WeChat, which has more than a billion users logging in every month, carries its traffic over a tailored version of the Transport Layer Security (TLS) 1.3 protocol that it calls MMTLS.
Two Layers of Protection
WeChat’s encryption is designed with two different layers:
However, even with these two layers in place, the researchers encountered several problems:
Prior to 2016, WeChat employed only business-layer encryption for its requests. The addition of MMTLS was meant to improve the situation. Yet, while it enhanced the app's security by making the inner encryption harder to attack, the researchers claim it still does not fully meet the modern cryptographic standards expected of an app at this scale.
A Larger Issue in China's Tech Landscape
The report highlights a significant concern within the tech industry in China: developers often create their own encryption solutions rather than relying on established protocols like TLS 1.3 or QUIC, which typically results in less secure systems.
Citizen Lab recommends that Tencent, WeChat's parent company, adopt a standard TLS configuration, or consider combining TLS with QUIC, to strengthen its security measures.