WhatsApp For Android Flaw Lets Anyone Read Your Messages. Here’s How To Secure Them

According to a report by the Guardian, the glitch allows a different application to access the WhatsApp user's whole database of chats without their permission.

hngn.com

The error stems from the Android operating system’s handling of external storage, as well as lax security standards in the WhatsApp application itself.

theguardian.com

“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card,” Bosschert says. “And, as the majority of people allow everything on their Android device, this is not much of a problem.”

mashable.com

Android’s part in the weakness comes from the fact that the operating system only allows all-or-nothing access to the SD card. Any application which can read and write to the external storage can thus also read what other applications have stored there.

redorbit.com

WhatsApp not only uses that external storage to hold its database, but on earlier versions of the app, does so without any encryption at all. Bosschert adds that even later versions, which encrypt the database, do so using a key which can be easily extracted from the app using third-party tools like WhatsApp Xtract.

examiner.com

He concludes that “every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases. “Facebook didn’t need to buy WhatsApp to read your chats,” Bosschert joked.

theguardian.com

In order to avoid the risk of having their chats stolen, users should be wary of granting suspicious apps access to the SD card; a theoretical example given by Bosschert is a Flappy Bird clone app.

firstpost.com

If the application is from an untrusted publisher, they should exercise caution over granting the permissions it requests upon launch, especially if they include access to the SD card.

theguardian.com

If you have turned off message backup during the initial setup, then your messages are safe. But if you have turned on backups, the easiest way to prevent this attack is doing a clean install of WhatsApp and turning off backup when prompted during the setup.

firstpost.com

Android’s policy of allowing total access to the SD card is at odds with Apple’s far more controlled security on iOS devices, where every app is “sandboxed” in a way that prevents others from accessing its data.

theguardian.com

That Android openness allows developers to build programs which would be impossible on an iOS device, but also opens up the risk of errors such as that which has affected WhatsApp.

redorbit.com

To explain his hack, Bosschert set up a web server and then created an Android application that required several special permissions on a user's phone. But because Android OS allows applications to access various parts of the phone - this is why users can conveniently share almost everything through any app on Android phone - Bosschert's app had no difficulty gaining access to WhatsApp data.

indiatimes.com

Bosschert wrote that the code that allows his application to access WhatsApp data and then upload it to his web server can be added to a popular Android app by a rogue developer to fool users and steal WhatsApp chat logs.

“The WhatsAppp database is a SQLite3 database which can be converted to Excel for easier access. Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple python script. This script converts the crypted database to a plain SQLite3 database,” he said.

firstpost.com