Private chat on WhatsApp for Android may not have been so private

March 17, 2014


Forget TINSTAFL, remember TINSTAP

Messenger app WhatsApp was recently acquired by Facebook for $19B, and today it unveiled a gorgeous redesign. It has been a great year for the team.

But now a dark cloud is hovering over the company: security consultant Bas Bosschert has uncovered a way for Android developers and hackers alike to easily access WhatsApp chat logs.

The issue involves the chat program storing its backup database on the SD card. Bosschert walks through how a developer whose app asks for and is granted access to that storage on any device can read the database, and how malware can use the same channel to simply access it.

Bosschert had a conversation with his brother on the topic and discovered the workaround, which rests on another Android application being able to upload and read the chat logs. He details the process, which uses a PHP script, an Android application asking for phone access, a web server and some XML file edits to pull the data down from an Android device.


Then, he says, with a key readily available on the Internet, the downloaded database is pulled over to Excel, where the data is then decrypted with a Python script, revealing the user's chat history from the backup database WhatsApp writes to memory.

WhatsApp reacts

WhatsApp has responded by improving its database encryption and moving away from a single hard-coded key for all devices, instead using “the account name to create a device (account) unique encryption key,” according to Bosschert.

Bosschert has since outlined how, even with the new encryption, a few extra steps still leave the data vulnerable to extraction.

A spokesman for WhatsApp tells TechCrunch that Bosschert’s claims “have not painted an accurate picture and are overstated.”

Why Android and not iOS?

What cannot be debated is that Android offloads larger files onto expandable memory. Under most conditions, reaching the logs would require malware loaded specifically to compromise the device, but given current privacy and security concerns over data, this information could still be accessed by legitimate developers, unbeknownst to users, once their app has been granted access to at least the SD card.

Apple’s iOS does not have this problem, since the operating system sets up each application within its own sandbox and generally does not allow apps to access data outside of it.
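The exposure described above comes down to where the backup file lives and which key protects it. As an added illustration, not code from WhatsApp or from Bosschert's write-up, the Java snippet below contrasts the weak pattern (a backup on shared external storage, encrypted under a key compiled into the app) with an app-private file encrypted under a per-device key held in the Android Keystore. The class name, file names and alias are hypothetical, and the Keystore API shown requires Android 6.0 or later, so it is a present-day mitigation rather than what WhatsApp shipped in 2014.

```java
import android.content.Context;
import android.os.Environment;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public final class BackupStorage { // hypothetical class name
    private static final String ALIAS = "chat-backup-key"; // hypothetical Keystore alias
    // Constructed stand-in for a key compiled into the APK: identical on every device.
    private static final byte[] HARDCODED_KEY = new byte[16];
    // Shared helper: writes a random IV prefix followed by the AES-GCM ciphertext.
    private static void encryptTo(File out, SecretKey key, byte[] db) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key); // no params given, so a fresh 12-byte IV is generated
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(c.getIV());
            fos.write(c.doFinal(db));
        }
    }
    // WEAK, the pattern the article describes: the file lands on shared external storage,
    // readable by any app granted SD card access, under a key every installation shares.
    static void writeBackupWeak(byte[] db) throws Exception {
        File out = new File(Environment.getExternalStorageDirectory(), "backup.db.crypt");
        encryptTo(out, new SecretKeySpec(HARDCODED_KEY, "AES"), db);
    }
    // HARDENED: a non-exportable AES key generated inside the Android Keystore, unique to this device and app.
    static SecretKey deviceKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE).build());
        return kg.generateKey();
    }
    // The file lives in the app's private data directory, which the OS keeps readable only
    // by this app's uid; no storage permission lets another app open it, and a copy is useless elsewhere.
    static void writeBackupHardened(Context ctx, byte[] db) throws Exception {
        encryptTo(new File(ctx.getFilesDir(), "backup.db.crypt"), deviceKey(), db);
    }
}
```

Decryption reads the first 12 bytes back as the IV, passes them in a `GCMParameterSpec(128, iv)` to `Cipher.init` in decrypt mode with the same Keystore key, and fails with an `AEADBadTagException` if the file was tampered with.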


Marti Trewe reports on business and technology news, chasing his passion for helping entrepreneurs and small businesses to stay well informed in the fast-paced 140-character world. Marti rarely sleeps and thrives on reader news tips, especially about startups and big moves in leadership.
