Forget TINSTAFL, remember TINSTAP
Messenger app, WhatsApp has recently been acquired by Facebook for $19B, and today they unveil a gorgeous redesign. It’s been a great year for the team.
But now, a dark cloud is hovering over the company, as security consultant, Bas Bosschert uncovered a way for Android developers and hackers alike to easily access WhatsApp chat logs.
The circumstances involve SD storage of the chat program’s backup database, and Bosschert walks through how developers who need access to large storage on any device would be able to see the database once given permission through an app, and hackers can use the same channel to simply access the database via malware.
Bosschert had a conversation with his brother on the topic and discovered the workaround based on the possibility of uploading and reading the chat logs from another Android application. He details the process of using a PHP script, an Android application asking for phone access, a web server and some XML file edits to be able to pull down the data from an Android device.
Then, he says that with a key readily available on the Internet, the downloaded database is pulled over to Excel, where the data is then decrypted with a Python script revealing user chat history from the backup database WhatsApp writes to memory.
WhatsApp reacts
WhatsApp has responded by improving their database encryption and offloading it from a hard-cded key for all devices, implementing use of “the account name to create a device (account) unique encryption key,” according to Bosschert.
Bosschert has outlined a way that even with the new encryption, a few extra steps taken leads to the data still vulnerable to extraction.
A spokesman for WhatsApp tells TechCrunch that Bosschert’s claims “have not painted an accurate picture and are overstated.”
Why Android and not iOS?
What cannot be debated is the fact that Android offloads larger files onto expandable memory, and while most conditions would require malware to be loaded specifically seeking to compromise a device to access the logs, but given current privacy and security concerns over data, this information could still be accessed by legitimate developers unbeknownst to users after given access to at least the SD card.
Apple’s iOS does not have this problem, since the operating system sets up each application within their own sandbox, generally not allowing apps to access data outside of it.
