WhatsApp for Android hole may expose chat history

Mar 12, 2014 by Nancy Owano weblog

(Phys.org) —"Is it possible to upload and read the WhatsApp chats from another Android application?"

"With this question my brother and I started an interesting conversation which ended in underneath proof of concept. The tldr [sic] answer is: "Yes, that is possible."

Those lines are from the question-and-answer posed on a Tuesday blog posting, with a closing line that "Facebook didn't need to buy WhatsApp to read your chats." The post sparked off numerous news headlines by Wednesday. Bass Bosschert, who identifies himself on the blog as consultant, system admin, and entrepreneur, was talking about WhatsApp for Android, which has a vulnerability, he said, that exposes a database of messages. He wrote, "The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since [sic] majority of the people allows everything on their Android device, this is not much of a problem."

His presentation showed a flaw that could expose a WhatsApp chat history in the Android version. The reported flaw would involve another application being able to upload a user's database of chats to a third-party server. TechCrunch remarked that it appeared to be "a problem with Android's data sandboxing system," and calling it "predominantly an Android security issue," an "infrastructure issue for Android more than a gaping security flaw on the part of WhatsApp." The Guardian chimed, that "Android's part in the weakness comes from the fact that the operating system only allows all-or-nothing access to the SD card. Any application which can read and write to the external storage can thus also read what other have stored there."

By comparison, said TechCrunch, Apple does not permit access to data outside of an app's own sandbox. That is Apple's way of preventing mischief makers with developer skills to tinker with a potential victim's data through a dummy app.

One impractical solution would be to send chats that comment only on the weather and local traffic. Business Insider's more practical advice: "Security breaches such as the one outlined in Bosschert's post can be easily avoided by verifying an app's source and carefully reading an app's permissions before installing."

WhatsApp is an instant messaging app recently purchased by Facebook. This is a cross-platform mobile messaging app which allows the exchange of messages, available for iPhone, BlackBerry, Android, Windows Phone and Nokia.

Explore further: WhatsApp service restored after brief outage

add to favorites email to friend print save as pdf

Related Stories

Security experts raise flags over WhatsApp

Feb 22, 2014

The Facebook deal for WhatsApp drew attention for its whopping price tag, but has also brought out fresh criticism over security for the billions of messages delivered on the platform.

WhatsApp has everything Facebook needs to survive

Feb 21, 2014

Facebook has made a play for the mobile market by buying WhatsApp in what should be seen as a significant sign of the times. Desktop computing is the past and mobile access is the future. Facebook knows th ...

Recommended for you

CloudFlare tackles lost SSL key risk with Keyless SSL

Sep 19, 2014

Organizations looking for and concerned about optimal security protection are the targets of a new service announced by San Francisco-based CloudFlare. The offering is called Keyless SSL. CloudFlare explained ...

When does Google hand over your data to governments?

Sep 19, 2014

Governments around the world want to know a lot about who we are and what we're doing online and they want communications companies to help them find it. We don't know a lot about when companies hand over ...

User comments : 0