Meta Introduces 'Code Verify', A Browser Extension To Help Secure WhatsApp Web


While apps on smartphones can be better controlled because they run in a restricted environment with limited access, the same doesn't apply to desktop.

WhatsApp is the Meta-owned messaging platform. As the most popular messaging app in terms of number of users, Meta has the responsibility to protect the messages of WhatsApp's more than 2 billion users.

While WhatsApp is primarily made for users on smartphones, Meta cannot forget the fact that users can also use their desktop computers to chat.

And in a world where many people are still working remotely due to COVID-19, and where WhatsApp users use their desktop computers or laptops more often, users on those devices can be at risk.

This is why Meta has added another layer of security for WhatsApp users who use the Meta-owned messaging application via the web.

And that security addition comes in the form of a browser extension.

"Since WhatsApp introduced multi-device capability last year, we’ve seen an increase in people accessing WhatsApp directly through their web browser via WhatsApp Web. With this shift in mind, we’ve been looking at ways to add additional layers of security to the WhatsApp Web experience," explained software engineer and WhatsApp's Product Manager, Richard Hansen, in a blog post.

Code Verify matches the WhatsApp Web code users are served with a source of truth verified by WhatsApp and published on Cloudflare to ensure the version of WhatsApp Web they're using is authentic. (Credit: Cloudflare)

Calling it 'Code Verify', the browser extension ensures that the code running the user’s WhatsApp Web has not been tampered with by hackers, overreaching governments or others.

WhatsApp's messages are protected with end-to-end encryption.

But due to the flexibility of desktop operating systems, there are many factors that make the desktop web less secure than the mobile web.

Once the extension is installed, it will start working whenever WhatsApp Web is launched on the browser.

And when WhatsApp Web is launched, the extension will create a hash, like a fingerprint, of the code the browser is receiving, and then match it against the WhatsApp Web hash.

If the code matches, the icon on the browser will turn green.

The second icon color is orange, which means that either another browser extension is interfering with Code Verify’s ability to verify WhatsApp Web, or the request timed out and the page must be refreshed.

But if there is an issue, it will turn red.

If so, users can take actions including pausing other browser extensions that may be the culprit, switching to the WhatsApp mobile app or downloading the source code for a third-party organization to analyze.
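The check and the three icon states described above can be modeled in a few lines. This is an added illustration, not code from Meta, Cloudflare or the Code Verify project; the function names, the sample scripts, the use of SHA-256 and the fail-closed handling of an empty page are assumptions.

```javascript
// Simplified model of the hash comparison; runs under Node.js.
const { createHash } = require("node:crypto");

// Assumption: SHA-256 hex digests. The article does not name the hash function.
const fingerprint = (code) =>
  createHash("sha256").update(code, "utf8").digest("hex");

// served:   [{ url, body }] scripts the browser received for the page
// manifest: Set of trusted hashes from the third-party endpoint,
//           or null when the lookup timed out
// Returns the icon colour the article describes.
function verifyPage(served, manifest) {
  if (manifest === null) return "orange"; // request timed out, refresh needed
  // A script injected by another extension prevents a clean verdict.
  if (served.some((s) => /^(chrome|moz)-extension:/.test(s.url))) return "orange";
  // Assumption: fail closed, since [].every() would otherwise report a match.
  if (served.length === 0) return "red";
  // Every script must match; a single unknown hash fails the whole page.
  return served.every((s) => manifest.has(fingerprint(s.body))) ? "green" : "red";
}

// Constructed sample data (not real WhatsApp Web code or hashes).
const genuine = [
  { url: "https://web.example/app.js", body: "console.log('app');" },
  { url: "https://web.example/vendor.js", body: "console.log('vendor');" },
];
const publishedManifest = new Set(genuine.map((s) => fingerprint(s.body)));

// Same URL, body changed by one trailing comment.
const modified = [genuine[0], { ...genuine[1], body: genuine[1].body + "// changed" }];
const withExtension = [...genuine, { url: "chrome-extension://abc/inject.js", body: "1" }];

function demo() {
  return {
    genuine: verifyPage(genuine, publishedManifest),
    modified: verifyPage(modified, publishedManifest),
    withExtension: verifyPage(withExtension, publishedManifest),
    timedOut: verifyPage(genuine, null),
  };
}

console.log(demo());
```

Because the trusted hashes come from a party other than the one serving the page, a change to the served code alone cannot also change what it is compared against.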

Code Verify's icon colors. (Credit: Meta)

Code Verify works in partnership with web infrastructure and security company Cloudflare, which provides independent, third-party, transparent code verification to WhatsApp Web users.

"The extension doesn’t log any data, metadata or user data, and it does not share any information with WhatsApp. It also does not read or access the messages you send or receive. In fact, neither WhatsApp nor Meta will know whether someone has downloaded the Code Verify extension. Additionally, the Code Verify extension never sends messages or chats between WhatsApp users to Cloudflare," the post continued.

"We believe that with Code Verify, we are charting new territory with automatic third-party code verification, particularly at this scale. We hope that more services use the open-source version of Code Verify and make third-party verified web code the new norm. And in doing so, we hope this helps bring additional security protections to people all over the world and moves the entire industry forward."

In its own blog post, Cloudflare also verified this, saying that Cloudflare only acts as a "trusted audit endpoint to support Code Verify."

"Messages, chats or other traffic between WhatsApp users are never sent to Cloudflare; those stay private and end-to-end encrypted. Messages or media do not traverse Cloudflare’s network as part of this system, an important property from Cloudflare’s perspective in our role as a trusted third party," said Cloudflare.

The extension has been made available, initially on Google Chrome, Microsoft Edge and Mozilla Firefox, with its open-source code available on GitHub.

Published: 12/03/2022