WhatsApp for Android hole may expose chat history

Mar 12, 2014 by Nancy Owano weblog

(Phys.org) —"Is it possible to upload and read the WhatsApp chats from another Android application?"

"With this question my brother and I started an interesting conversation which ended in underneath proof of concept. The tldr [sic] answer is: "Yes, that is possible."

Those lines are from the question-and-answer posed on a Tuesday blog posting, with a closing line that "Facebook didn't need to buy WhatsApp to read your chats." The post sparked off numerous news headlines by Wednesday. Bass Bosschert, who identifies himself on the blog as consultant, system admin, and entrepreneur, was talking about WhatsApp for Android, which has a vulnerability, he said, that exposes a database of messages. He wrote, "The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since [sic] majority of the people allows everything on their Android device, this is not much of a problem."

His presentation showed a flaw that could expose a WhatsApp chat history in the Android version. The reported flaw would involve another application being able to upload a user's database of chats to a third-party server. TechCrunch remarked that it appeared to be "a problem with Android's data sandboxing system," and calling it "predominantly an Android security issue," an "infrastructure issue for Android more than a gaping security flaw on the part of WhatsApp." The Guardian chimed, that "Android's part in the weakness comes from the fact that the operating system only allows all-or-nothing access to the SD card. Any application which can read and write to the external storage can thus also read what other have stored there."

By comparison, said TechCrunch, Apple does not permit access to data outside of an app's own sandbox. That is Apple's way of preventing mischief makers with developer skills to tinker with a potential victim's data through a dummy app.

One impractical solution would be to send chats that comment only on the weather and local traffic. Business Insider's more practical advice: "Security breaches such as the one outlined in Bosschert's post can be easily avoided by verifying an app's source and carefully reading an app's permissions before installing."

WhatsApp is an instant messaging app recently purchased by Facebook. This is a cross-platform mobile messaging app which allows the exchange of messages, available for iPhone, BlackBerry, Android, Windows Phone and Nokia.

Explore further: Groups seek privacy review of Facebook-WhatsApp tie-up

add to favorites email to friend print save as pdf

Related Stories

Security experts raise flags over WhatsApp

Feb 22, 2014

The Facebook deal for WhatsApp drew attention for its whopping price tag, but has also brought out fresh criticism over security for the billions of messages delivered on the platform.

WhatsApp has everything Facebook needs to survive

Feb 21, 2014

Facebook has made a play for the mobile market by buying WhatsApp in what should be seen as a significant sign of the times. Desktop computing is the past and mobile access is the future. Facebook knows th ...

Recommended for you

Survey reveals sorry state of European cybersecurity

Feb 27, 2015

The European Commission's annual Eurobarometer Cyber Security Survey, the third edition of which was recently released, is a substantial survey of more than 27,000 respondents from 28 countries. It contains intere ...

US spymaster warns over low-level cyber attacks

Feb 27, 2015

A steady stream of low-level cyber attacks poses the most likely danger to the United States rather than a potential digital "armageddon," US intelligence director James Clapper said on Thursday.

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.