The WhatsApp for Android client is susceptible to malicious intrusion thanks to the way conversations are both stored and encrypted, a security expert has discovered. The bug opens up the potential for stored chats to be accessed via other apps, and even though the problem is, if anything, largely attributable to the way that Android is constructed rather than just being a WhatsApp issue, the apparent ease in which conversations can be gotten hold of and decrypted will no doubt leave users of the app feeling rather disconcerted.
As far as the first few months of a new year could go, WhatsApp has had it pretty good. Having been bought out by Facebook for the monumentally-high sum of $19 billion, the two co-founders of the popular cross-platform app also have a seat on the social company’s board, and since WhatsApp has always placed user security and privacy high on its agenda, this ethos will only be consolidated with the Facebook team overseeing matters from here on in.
But as Facebook and WhatsApp continue the courting process before the paperwork is signed and the acquisition is completed, the Android app looks as though it could use some attention. Bas Bosschert, security expert and CTO at DoubleThink, has detailed a method for accessing WhatsApp chats, and even after an update only yesterday to version 2.11.186, the security flaw still exists.
Simply put, WhatsApp keeps your conversations stored on a device’s SD card, and, provided you allow other apps to access your SD card (many request it upon installation), an app could easily grab your conversations. It’s worth pointing out that this is, if anything, an Android issue, and as such, WhatsApp is not the only app vulnerable. But since conversations hold potentially sensitive data – and WhatsApp saves these files on the SD card – the whole infrastructure is inherently flawed.
WhatsApp has taken steps to encrypt conversations, meaning they cannot be accessed via SQLite, but with Bosschert himself able to get into chats by using his own tailor-made Python script, this entire issue is the kind of glaring oversight that will need to be better managed – particularly with the looming acquisition from Facebook.
Even though Android’s structure makes it easy for SD card data to be nabbed, though, it’s worth noting that WhatsApp is not forced to store conversations in this way, and so hopefully, the company will review the way it keeps hold of these chat files so as not to compromise the privacy or security of its users.