WhatsApp Chats Not Secure If You Are an Android User



"ummm I think Facebook didn't need to buy WhatsApp to read our chats." : Nikhil Dhawan


If you use WhatsApp on an Android phone, you should be careful about what you talk about or share on the app. Using a few scripts and a rogue app, anyone can see what you talk about with your friends.

A Dutch security consultant has found that WhatsApp chat logs saved on the SD card of an Android phone can be read by other apps because of the way Android allows sharing of data between apps.

"The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem," Bas Bosschert wrote on his blog.

When I contacted Bosschert through his blog, I asked him, "What do we need to steal someone's WhatsApp database?" Bosschert explained that first we need a place to store the database: "Next thing we need is an Android application which uploads the WhatsApp database to the website."

When an Android application is installed, whether from the Play store or from an APK file (an installer file for Android phones that can be downloaded from various sources), the app requests permissions to use resources such as the network and the SD card.



To demonstrate his hack, Bosschert set up a web server and then created an Android application that required several special permissions on a user's phone. Because Android allows applications to access various parts of the phone (which is why users can conveniently share almost everything through any app on an Android phone), Bosschert's app had no difficulty gaining access to WhatsApp data.
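The rogue app described above depends on two grants together: access to the SD card and access to the network. The following is an added example, not code from Bosschert's post or from this article, showing how a reviewer can flag apps that request that combination. It assumes each manifest has already been decoded to plain XML (for example with a tool such as apktool); the package names and manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NETWORK = "android.permission.INTERNET"
STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",  # write access also grants read
}
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'

def _manifest(*perms):
    """Build a constructed, minimal decoded manifest for the samples below."""
    rows = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return f"{HEAD}{rows}</manifest>"

# Constructed sample data: hypothetical packages, not real apps.
SAMPLE_MANIFESTS = {
    "com.example.flashlight": _manifest(NETWORK, "android.permission.READ_EXTERNAL_STORAGE"),
    "com.example.gallery": _manifest("android.permission.WRITE_EXTERNAL_STORAGE", NETWORK),
    "com.example.notes": _manifest("android.permission.WRITE_EXTERNAL_STORAGE"),
    "com.example.weather": _manifest(NETWORK, "android.permission.ACCESS_COARSE_LOCATION"),
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def can_read_and_upload(perms):
    """True when an app can both read shared storage and reach the network."""
    return bool(perms & STORAGE) and NETWORK in perms

def audit(manifests):
    """Map each flagged package to the permissions that triggered the flag."""
    flagged = {}
    for package, xml in manifests.items():
        perms = requested_permissions(xml)
        if can_read_and_upload(perms):
            flagged[package] = sorted(perms & (STORAGE | {NETWORK}))
    return flagged

if __name__ == "__main__":
    for package, perms in audit(SAMPLE_MANIFESTS).items():
        print(f"{package}: review needed, requests {', '.join(perms)}")
```

A flag here is a prompt for review, not proof of malice: many legitimate apps need both storage and network access.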

The older versions of WhatsApp were so insecure that they didn't even encrypt the data they stored on the SD card. Data from older versions of WhatsApp could be read by anyone once it was uploaded to the web server. Even the data from newer versions of WhatsApp, which use encryption, can be accessed with ease.

"The WhatsApp database is a SQLite3 database which can be converted to Excel for easier access. Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple python script. This script converts the crypted database to a plain SQLite3 database," wrote Bosschert. "We can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases."


The security issue apparently doesn't exist on iPhones or Windows Phone devices because on these smartphones, apps have limited access to storage and other phone hardware. The more flexible access to phone hardware allows Android apps to talk to each other and helps a user quickly share content between apps. This is very convenient compared to what is possible on iPhone or Windows Phone, where it is difficult to share content between apps. But it also exposes data to rogue apps.

Update: On March 14, WhatsApp issued a statement saying that the reports of a security flaw in the app were overstated. However, the company didn't deny the loophole found by Bosschert. It only said that most people who installed apps from outside the Google Play store faced a privacy or security risk whether they had WhatsApp installed or not. It also said that users should update WhatsApp to the latest version.
Here is the full statement given by WhatsApp to TechCrunch:

We are aware of the reports regarding a "security flaw". Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk. As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies. The current version of WhatsApp in Google Play was updated to further protect our users against malicious apps.
About the Author

Nikhil Dhawan
A Guy in Love with Tech, Food and Computers
Technology Lover, Entrepreneur, Thinker, Programmer, Developer, Web, Graphic & Logo Designer, Information Security Expert, Security Researcher, Cyber Security Expert, and a Simple fun loving guy.