WhatsApp For Android Flaw Lets Anyone Read Your Messages. Here’s How To Secure Them

Users of the popular messaging platform WhatsApp, which Facebook acquired for $16 billion last month, may be facing a major security flaw.


A Security Defect In The Android Version Of WhatsApp Leaves Conversations Readable By Any Other App On The Phone

According to a report by the Guardian, the flaw allows any other application installed on the phone to read a WhatsApp user's entire chat database without their permission.


The error stems from the way the Android operating system handles external storage, combined with weak protection of the chat database in the WhatsApp application itself.

Dutch Security Consultant Bas Bosschert Told The Guardian That Any Android Application That Can Access The Device's SD Card Can Read And Upload The Messaging App's Database

“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card,” Bosschert says. “And, as the majority of people allow everything on their Android device, this is not much of a problem.”

Android's part in the weakness is that the operating system only offers all-or-nothing access to the SD card: a single storage permission (WRITE_EXTERNAL_STORAGE) covers the whole card rather than individual folders. Any application granted that permission can therefore read whatever other applications have stored there.

WhatsApp not only keeps a copy of its database on that external storage, but on earlier versions of the app does so without any encryption at all. Bosschert adds that even later versions, which encrypt the database, use a fixed key that is already known to third-party tools such as WhatsApp Xtract, so the file can be decrypted as soon as it has been copied off the phone.

He concludes that "every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases." "Facebook didn't need to buy WhatsApp to read your chats," Bosschert joked.

So What’s The Solution?

To avoid the risk of having their chats stolen, users should be wary of granting suspicious apps access to the SD card; the hypothetical example Bosschert gives is a Flappy Bird clone.

If the application comes from an untrusted publisher, users should look carefully at the permissions it requests at install time (on the Android versions affected, permissions are granted when the app is installed, not when it is launched), especially if they include access to the SD card.

Basically, It's Only Possible When WhatsApp Is Backing Up Your Messages To The SD Card

If you turned off message backup during the initial setup, your messages are not exposed by this flaw. If backups are on, the easiest way to prevent the attack is to do a clean install of WhatsApp and decline backups when prompted during setup. Note that uninstalling an app does not remove the files it left on the SD card, so any existing backup under the WhatsApp folder on the card should be deleted as well.


Opinion Is Split Over Whether WhatsApp Or Android Itself Is More To Blame For The Flaw

Android's policy of granting total access to the SD card is at odds with Apple's far more controlled model on iOS, where every app is sandboxed in a way that prevents others from reading its data. Android does sandbox each app's own internal storage in the same way; it is only the shared external storage that sits outside that protection, and that is exactly where WhatsApp keeps its backup.

That openness lets developers build programs that would be impossible on an iOS device, but it also opens up the risk of mistakes such as the one that has affected WhatsApp.

Bosschert Published A Proof Of Concept On His Blog And Explained The Workings In Detail

To demonstrate the attack, Bosschert set up a web server and then wrote an Android application that asked for several permissions on the user's phone, including access to the SD card. Because Android lets applications with those permissions reach the shared parts of the phone's storage (which is also what lets users conveniently share almost anything through any app on an Android phone), Bosschert's app had no difficulty reading the WhatsApp data.

Bosschert wrote that the code allowing his application to read the WhatsApp database and upload it to his web server could be dropped into a popular Android app by a rogue developer to fool users and steal their chat logs.

"The WhatsApp database is a SQLite3 database which can be converted to Excel for easier access. Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple python script. This script converts the crypted database to a plain SQLite3 database," he said.
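Bosschert's own proof of concept is not reproduced here. The following is an added example, not part of the original article and not Bosschert's or WhatsApp's code, written in Python (the language of his decryption script) to illustrate the storage point made above and in the earlier section on Android's all-or-nothing SD card permission: a stand-in messaging app keeps its live database in app-private internal storage and, when backups are on, also drops a copy on the shared SD card; a stand-in rogue app with nothing but the storage permission walks the card, opens the SQLite file and dumps the chats. A temporary directory plays the part of the phone. The directory paths mirror the real ones, but the table columns are a simplified assumption rather than WhatsApp's actual schema, and the ".crypt" file written here is opaque filler standing in for the real encrypted format (the fixed-key AES decryption Bosschert describes needs a third-party library and is deliberately left out).

```python
"""Simulation of the shared-storage weakness described in the article.

Added example: not WhatsApp code and not Bosschert's proof of concept.  On the
Android releases discussed, /sdcard is a single shared filesystem and any app
granted WRITE_EXTERNAL_STORAGE can read every file on it, while each app's
internal storage under /data/data/<package> is readable only by that app's own
Linux uid.  A temporary directory stands in for the phone.
"""
import csv
import io
import os
import sqlite3
import tempfile

# Paths mirror the real locations on the phone.  The table layout below is a
# simplified assumption for the example, not WhatsApp's actual msgstore schema.
INTERNAL_DB = os.path.join("data", "data", "com.whatsapp", "databases", "msgstore.db")
SDCARD_BACKUP = os.path.join("sdcard", "WhatsApp", "Databases", "msgstore.db")

SAMPLE_MESSAGES = [  # constructed sample data
    ("31612345678@s.whatsapp.net", "meet at 8?", 1394000000),
    ("31687654321@s.whatsapp.net", "the door code is 4711", 1394000060),
]


def _write_db(path, messages):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    conn = sqlite3.connect(path)
    try:
        conn.execute("CREATE TABLE messages(remote_jid TEXT, data TEXT, timestamp INTEGER)")
        conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", messages)
        conn.commit()
    finally:
        conn.close()


def messaging_app(phone, messages, backup_to_sdcard):
    """Stand-in for WhatsApp.  The live database always lives in internal
    storage; with backups enabled, a plain copy plus an 'encrypted' copy also
    land on the SD card.  The .crypt file here is opaque filler standing in
    for the real format (decrypting that needs an AES library and the fixed
    key Bosschert refers to, which is deliberately not reproduced)."""
    _write_db(os.path.join(phone, INTERNAL_DB), messages)
    if backup_to_sdcard:
        backup = os.path.join(phone, SDCARD_BACKUP)
        _write_db(backup, messages)
        with open(backup + ".crypt", "wb") as f:
            f.write(b"\x5a" * 8192)  # not a valid SQLite file, on purpose


def rogue_app(phone):
    """What a game holding the storage permission can do: walk the shared SD
    card, open every msgstore database it finds and dump the rows.  It never
    looks under /data/data/com.whatsapp; on a real phone the kernel's per-uid
    sandbox would refuse it anyway.  A real implant would POST the rows to
    its server; here they are simply returned."""
    rows, skipped = [], []
    for root, _dirs, files in os.walk(os.path.join(phone, "sdcard")):
        for name in files:
            if not name.startswith("msgstore.db"):
                continue
            conn = sqlite3.connect(os.path.join(root, name))
            try:
                rows.extend(conn.execute(
                    "SELECT remote_jid, data, timestamp FROM messages ORDER BY timestamp"))
            except sqlite3.DatabaseError:
                # Encrypted backups are not valid SQLite files; an attacker would
                # copy them off the phone and decrypt offline instead.
                skipped.append(name)
            finally:
                conn.close()
    return rows, skipped


def to_csv(rows):
    """The 'converted to Excel for easier access' step: CSV opens in any spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["remote_jid", "data", "timestamp"])
    writer.writerows(rows)
    return buf.getvalue()


def run(backup_to_sdcard):
    """Build a phone in a temp dir, let both apps run, return (rows, skipped)."""
    with tempfile.TemporaryDirectory() as phone:
        messaging_app(phone, SAMPLE_MESSAGES, backup_to_sdcard)
        return rogue_app(phone)


if __name__ == "__main__":
    leaked, skipped = run(backup_to_sdcard=True)
    print("backups on:  %d messages readable by any app, skipped %s" % (len(leaked), skipped))
    print(to_csv(leaked))
    leaked, _ = run(backup_to_sdcard=False)
    print("backups off: %d messages readable by any app" % len(leaked))
```

Running it with backups on, the rogue app recovers every message from the plain copy and merely sets the opaque .crypt copy aside; with backups off it finds nothing, which is the whole of the mitigation the article recommends. The `rogue_app` function deliberately never reads the internal-storage path, which is the simulation's way of showing that the per-app sandbox is intact and that only the shared card leaks.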

So, If You Are Worried About Privacy, You're Better Off Using Telegram's Secret Chat Feature For Personal Conversations
