WhatsApp for Android hole may expose chat history

Mar 12, 2014 by Nancy Owano weblog

(Phys.org) —"Is it possible to upload and read the WhatsApp chats from another Android application?"

"With this question my brother and I started an interesting conversation which ended in underneath proof of concept. The tldr [sic] answer is: "Yes, that is possible."

Those lines are from the question-and-answer posed on a Tuesday blog posting, with a closing line that "Facebook didn't need to buy WhatsApp to read your chats." The post sparked off numerous news headlines by Wednesday. Bass Bosschert, who identifies himself on the blog as consultant, system admin, and entrepreneur, was talking about WhatsApp for Android, which has a vulnerability, he said, that exposes a database of messages. He wrote, "The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since [sic] majority of the people allows everything on their Android device, this is not much of a problem."

His presentation showed a flaw that could expose a WhatsApp chat history in the Android version. The reported flaw would involve another application being able to upload a user's database of chats to a third-party server. TechCrunch remarked that it appeared to be "a problem with Android's data sandboxing system," and calling it "predominantly an Android security issue," an "infrastructure issue for Android more than a gaping security flaw on the part of WhatsApp." The Guardian chimed, that "Android's part in the weakness comes from the fact that the operating system only allows all-or-nothing access to the SD card. Any application which can read and write to the external storage can thus also read what other have stored there."

By comparison, said TechCrunch, Apple does not permit access to data outside of an app's own sandbox. That is Apple's way of preventing mischief makers with developer skills to tinker with a potential victim's data through a dummy app.

One impractical solution would be to send chats that comment only on the weather and local traffic. Business Insider's more practical advice: "Security breaches such as the one outlined in Bosschert's post can be easily avoided by verifying an app's source and carefully reading an app's permissions before installing."

WhatsApp is an instant messaging app recently purchased by Facebook. This is a cross-platform mobile messaging app which allows the exchange of messages, available for iPhone, BlackBerry, Android, Windows Phone and Nokia.

Explore further: WhatsApp service restored after brief outage

add to favorites email to friend print save as pdf

Related Stories

Security experts raise flags over WhatsApp

Feb 22, 2014

The Facebook deal for WhatsApp drew attention for its whopping price tag, but has also brought out fresh criticism over security for the billions of messages delivered on the platform.

WhatsApp has everything Facebook needs to survive

Feb 21, 2014

Facebook has made a play for the mobile market by buying WhatsApp in what should be seen as a significant sign of the times. Desktop computing is the past and mobile access is the future. Facebook knows th ...

Recommended for you

Court: UK spies get bulk access to NSA data

17 hours ago

The British government's insistence that its spies don't use the vast espionage powers of the U.S. National Security Agency to sidestep U.K. restrictions on domestic eavesdropping was called into question by a court document ...

Georgia Tech releases 2015 Emerging Cyber Threats Report

21 hours ago

In its latest Emerging Cyber Threats Report, Georgia Tech warns about loss of privacy; abuse of trust between users and machines; attacks against the mobile ecosystem; rogue insiders; and the increasing involvement of cyberspac ...

South Korea spy agency says North hacking smartphones

Oct 29, 2014

North Korea attempted to hack tens of thousands of South Korean smartphones this year, using malware disguised in mobile gaming apps, the South's spy agency said in a report submitted to parliament this week.

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.