Encryption Flaw In WhatsApp Highlights Android's Security Concerns

Even after numerous security and privacy updates, the controversies surrounding the Facebook-acquired messenger WhatsApp do not seem to be slowing down. More and more privacy concerns and security holes are being brought to the forefront each day, even after the update covered in "WhatsApp For Android Can Now Hide 'Last Seen' Message, Latest Update Is Here".

Bas Bosschert, the CTO at DoubleThink, wrote about the security flaw in WhatsApp on his blog yesterday. The flaw, however, has more to do with Android's data infrastructure security than with WhatsApp itself. Mr. Bosschert used another app to read WhatsApp's conversation data, and while the database files were being uploaded, users were shown a "Loading" screen that made them think the app was doing something 'interesting' in the background.

This results from the fact that WhatsApp stores conversation data on the phone's SD Card, which is pretty normal in Android smartphones. This data can be read by any app to which the user has given the "Full access to phone" permissions.

The steps for the 'hack' can be described as follows:
  1. Create a place to store the database, say a webserver.
  2. Create an Android application that uploads the conversation database to the server.
  3. To do that, simply modify the AndroidManifest.xml file so that the app requests permission to access the SD card and to upload over the internet.
  4. The msgstore.db and the wa.db are the two files which contain chat data. These are unencrypted and can be read by SQLite 3 and even be converted to Excel. But lately, WhatsApp has been encrypting chats in a msgstore.db.crypt file. However, the .crypt file can be decrypted using a simple Python script and the key for the encryption can be obtained from WhatsApp Xtract. Therefore the encryption of the database does not turn out to be a big deal for a smart hacker.
  5. Create a loading screen or something interesting that will trick the user into believing that the application is carrying out some process in the background.
The code for the 'robber' app can be copied into any other app that requests access to the user's SD card, and the modified app will then do the dirty work.
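
From the defender's side, the permission pair named in step 3 can be checked before an app is installed or approved. The following is an added example, not code from the original post or from Mr. Bosschert's write-up; it assumes a decoded, plain-text AndroidManifest.xml, and the two sample manifests and their package names are constructed.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",   # write access implies read
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
NETWORK = "android.permission.INTERNET"

def requested_permissions(manifest_xml):
    """Return the set of permission names requested by a plain-text manifest."""
    root = ET.fromstring(manifest_xml.strip())
    perms = set()
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifest_xml):
    """Flag apps that can both read shared storage and reach the network."""
    root = ET.fromstring(manifest_xml.strip())
    perms = requested_permissions(manifest_xml)
    storage = sorted(perms & STORAGE)
    network = NETWORK in perms
    return {"package": root.get("package"), "storage": storage,
            "network": network, "flag": bool(storage) and network}

# Constructed sample manifests (hypothetical package names).
SAMPLE_GAME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.balloongame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Balloon Game"/>
</manifest>
"""
SAMPLE_CLOCK = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.clock">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Clock"/>
</manifest>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_GAME, SAMPLE_CLOCK):
        print(audit(sample))
```

A flag is a prompt for review rather than proof of misuse, since many legitimate apps need both permissions.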

Here is where the difference between iOS and Android comes in. Apple does not give apps access to data outside of their own sandbox. This stops malevolent developers from accessing data through a dummy app.

So, to conclude, we would like to convey our apologies on the demise of privacy of Android WhatsApp users and it would also be safe to say that at the NSA HQ, the party must've already begun.

Source: Hole In WhatsApp For Android Lets Hackers Steal Your Conversations • TechCrunch
