The Inquirer-Home

Whatsapp disputes Android security flaw, says claims are 'overstated'

Updated: The bug is thought to allow hackers to steal Whatsapp conversations
Fri Mar 14 2014, 12:04

MOBILE MESSAGING SERVICE Whatsapp has said claims regarding a security vulnerability affecting its Android app are "overstated".

The flaw was discovered in the Android mobile operating system on Wednesday, and researchers claimed it allowed cyber criminals to steal conversations from users of mobile messaging service Whatsapp.

Discovered by Bas Bosschert, the CTO of startup company Doublethink, the flaw was detailed in a blog post in which Bosschert demonstrated the method for accessing Whatsapp chats. He confirmed that the vulnerability still exists even after Google updated the Whatsapp app just last week.

Whatsapp has since disputed the claims, saying that such accusations were "overstated". 

"We are aware of the reports regarding a 'security flaw.' Unfortunately, these reports have not painted an accurate picture and are overstated," a Whatsapp spokesman said.

Bosschert said the exploit is possible due to the Whatsapp database on Android being saved on the SD card, which can be read by any Android application if the user allows it to access the card.

"And since majority of the people [allow] everything on their Android device, this is not much of a problem," Bosschert said, noting that this is an issue in the Android infrastructure, specifically a problem with Android's data sandboxing system, as opposed to a security flaw in Whatsapp.

From there, a malicious app could access the Whatsapp conversation database, Bosschert said, testing his method with a companion app that he built, which uses a loading screen to distract the user while the database files are being uploaded.

Whatsapp said that the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk.

"As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies," the Whatsapp spokesman added.

Bosschert said that he can even decrypt the database on the Android device with his own script despite the Whatsapp application's attempts in its recent update to encrypt the database to the point where it can't be opened by SQLite.

"We can simply decrypt this database using a simple python script," Bosschert said. "This script converts the [encrypted] database to a plain SQLite3 database.

"So, we can conclude that every application can read the Whatsapp database and it is also possible to read the chats from the encrypted databases. Facebook didn't need to buy Whatsapp to read your chats."

The full step-by-step guide to how he hacked Whatsapp can be found in Bosschert's blog post.

Whatsapp added privacy features and the ability to pay for a friend's subscription when it updated its Android app on Monday.

The added privacy includes controls for users to hide when they were last seen, their profile photo and their status updates from prying eyes.

While these are not groundbreaking changes, releasing a privacy update will likely appease its users following Facebook's $19bn acquisition of the company, which has sparked privacy fears among Whatsapp users. These concerns are ongoing, as privacy groups called for the FTC to investigate the buyout last week, saying that it represents a threat to privacy. µ

