WhatsApp for Android hole may expose chat history

Mar 12, 2014 by Nancy Owano weblog

(Phys.org) —"Is it possible to upload and read the WhatsApp chats from another Android application?"

"With this question my brother and I started an interesting conversation which ended in underneath proof of concept. The tldr [sic] answer is: "Yes, that is possible."

Those lines are from the question-and-answer posed on a Tuesday blog posting, with a closing line that "Facebook didn't need to buy WhatsApp to read your chats." The post sparked off numerous news headlines by Wednesday. Bass Bosschert, who identifies himself on the blog as consultant, system admin, and entrepreneur, was talking about WhatsApp for Android, which has a vulnerability, he said, that exposes a database of messages. He wrote, "The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since [sic] majority of the people allows everything on their Android device, this is not much of a problem."

His presentation showed a flaw that could expose a WhatsApp chat history in the Android version. The reported flaw would involve another application being able to upload a user's database of chats to a third-party server. TechCrunch remarked that it appeared to be "a problem with Android's data sandboxing system," and calling it "predominantly an Android security issue," an "infrastructure issue for Android more than a gaping security flaw on the part of WhatsApp." The Guardian chimed, that "Android's part in the weakness comes from the fact that the operating system only allows all-or-nothing access to the SD card. Any application which can read and write to the external storage can thus also read what other have stored there."

By comparison, said TechCrunch, Apple does not permit access to data outside of an app's own sandbox. That is Apple's way of preventing mischief makers with developer skills to tinker with a potential victim's data through a dummy app.

One impractical solution would be to send chats that comment only on the weather and local traffic. Business Insider's more practical advice: "Security breaches such as the one outlined in Bosschert's post can be easily avoided by verifying an app's source and carefully reading an app's permissions before installing."

WhatsApp is an instant messaging app recently purchased by Facebook. This is a cross-platform mobile messaging app which allows the exchange of messages, available for iPhone, BlackBerry, Android, Windows Phone and Nokia.

Explore further: WhatsApp service restored after brief outage

add to favorites email to friend print save as pdf

Related Stories

Security experts raise flags over WhatsApp

Feb 22, 2014

The Facebook deal for WhatsApp drew attention for its whopping price tag, but has also brought out fresh criticism over security for the billions of messages delivered on the platform.

WhatsApp has everything Facebook needs to survive

Feb 21, 2014

Facebook has made a play for the mobile market by buying WhatsApp in what should be seen as a significant sign of the times. Desktop computing is the past and mobile access is the future. Facebook knows th ...

Recommended for you

Estonian man faces cyber scam charges in US

36 minutes ago

An Estonian man accused of being part of a ring that swindled advertisers out of millions of dollars by "hijacking" online traffic was hauled before a US judge.

Humans are largely the problem in cyber security failures

22 hours ago

When people think about cyber and information security they often think about anti-virus software and firewalls; however, according to an information security expert from the University of Adelaide, organisations would become ...

Pirate Bay founder jailed for hacking Danish data

22 hours ago

A Danish court on Friday sentenced the Swedish founder of file-sharing site The Pirate Bay to 3½ years in prison after he was found guilty of hacking into a private company handling sensitive information for Danish authorities.

What's causing the recent string of data breaches?

Oct 30, 2014

It's Cyber Security Awareness month, which has me wondering: are we doing all we can to protect our data? To help answer this question, I sat down with Girish Bhat of Wave Systems—an important collaborator of Micron's—to ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.