WhatsApp for Android hole may expose chat history

Mar 12, 2014 by Nancy Owano weblog

(Phys.org) —"Is it possible to upload and read the WhatsApp chats from another Android application?"

"With this question my brother and I started an interesting conversation which ended in underneath proof of concept. The tldr [sic] answer is: "Yes, that is possible."

Those lines are from the question-and-answer posed on a Tuesday blog posting, with a closing line that "Facebook didn't need to buy WhatsApp to read your chats." The post sparked off numerous news headlines by Wednesday. Bass Bosschert, who identifies himself on the blog as consultant, system admin, and entrepreneur, was talking about WhatsApp for Android, which has a vulnerability, he said, that exposes a database of messages. He wrote, "The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since [sic] majority of the people allows everything on their Android device, this is not much of a problem."

His presentation showed a flaw that could expose a WhatsApp chat history in the Android version. The reported flaw would involve another application being able to upload a user's database of chats to a third-party server. TechCrunch remarked that it appeared to be "a problem with Android's data sandboxing system," and calling it "predominantly an Android security issue," an "infrastructure issue for Android more than a gaping security flaw on the part of WhatsApp." The Guardian chimed, that "Android's part in the weakness comes from the fact that the operating system only allows all-or-nothing access to the SD card. Any application which can read and write to the external storage can thus also read what other have stored there."

By comparison, said TechCrunch, Apple does not permit access to data outside of an app's own sandbox. That is Apple's way of preventing mischief makers with developer skills to tinker with a potential victim's data through a dummy app.

One impractical solution would be to send chats that comment only on the weather and local traffic. Business Insider's more practical advice: "Security breaches such as the one outlined in Bosschert's post can be easily avoided by verifying an app's source and carefully reading an app's permissions before installing."

WhatsApp is an instant messaging app recently purchased by Facebook. This is a cross-platform mobile messaging app which allows the exchange of messages, available for iPhone, BlackBerry, Android, Windows Phone and Nokia.

Explore further: New technology to help users combat mobile malware attacks

add to favorites email to friend print save as pdf

Related Stories

Security experts raise flags over WhatsApp

Feb 22, 2014

The Facebook deal for WhatsApp drew attention for its whopping price tag, but has also brought out fresh criticism over security for the billions of messages delivered on the platform.

WhatsApp has everything Facebook needs to survive

Feb 21, 2014

Facebook has made a play for the mobile market by buying WhatsApp in what should be seen as a significant sign of the times. Desktop computing is the past and mobile access is the future. Facebook knows th ...

Recommended for you

Does your password pass muster?

Mar 25, 2015

"Create a password" is a prompt familiar to anyone who's tried to buy a book from Amazon or register for a Google account. Equally familiar is that red / yellow / green bar that rates the new password's strength. ...

Beijing behind Internet security violation: group

Mar 25, 2015

China's cyberspace administration is "complicit" in attacks on major Internet companies including Google, an anti-censorship group said Wednesday, calling on firms worldwide to strengthen their defences.

House unveils cyber bill and signals bipartisan compromise

Mar 24, 2015

House intelligence committee leaders unveiled a bipartisan cybersecurity bill Tuesday amid signs of broad agreement on long-sought legislation that would allow private companies to share with the government details of how ...

The ongoing war against cybercrime

Mar 24, 2015

Cybercrime is estimated to cost the global economy upwards of US$400 billion a year, and these costs are expected to continue to rise. ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.