
Encryption Flaw In WhatsApp Highlights Android's Security Concerns

Question asked by Chaitanya Kukde in #Hacking and Security on Mar 12, 2014
Even after numerous security and privacy updates, the controversies surrounding the Facebook-acquired messenger WhatsApp do not seem to be slowing down. More privacy concerns and security holes are being brought to the forefront each day, even after the big software update that made it possible to hide the last seen field.

Bas Bosschert, the CTO at DoubleThink, wrote about the security flaw in WhatsApp on his blog yesterday. The flaw, however, has more to do with Android's data storage security than with WhatsApp itself. Mr. Bosschert used another app to read WhatsApp's conversation data, and while the database files were being uploaded, users were shown a "Loading" screen that made them think the app was doing something 'interesting' in the background.

[Image credit: Androidpit]

This results from the fact that WhatsApp stores conversation data on the phone's SD Card, which is pretty normal in Android smartphones. This data can be read by any app to which the user has given the "Full access to phone" permissions.

The steps for the 'hack' can be described as follows:
  1. Create a place to store the database, say a webserver.
  2. Create an Android application that uploads the conversation database to the server.
  3. To do that, simply modify the AndroidManifest.xml file so that the app has permission to access the SD card and to upload the data over the internet.
  4. The msgstore.db and the wa.db are the two files which contain chat data. These are unencrypted and can be read by SQLite 3 and even be converted to Excel. But lately, WhatsApp has been encrypting chats in a msgstore.db.crypt file. However, the .crypt file can be decrypted using a simple Python script and the key for the encryption can be obtained from WhatsApp Xtract. Therefore the encryption of the database does not turn out to be a big deal for a smart hacker.
  5. Create a loading screen or something interesting that will trick the user into believing that the application is carrying out some process in the background.
The code for the 'robber' app can be copied into any other app that requests access to the user's SD card, and the modified app will then do the dirty work.

Here is where the difference between iOS and Android comes in. Apple does not give apps access to data outside of their own sandbox. This stops malevolent developers from accessing data through a dummy app.

So, to conclude, we would like to convey our apologies on the demise of privacy of Android WhatsApp users and it would also be safe to say that at the NSA HQ, the party must've already begun.

Source: TechCrunch | Bas Bosschert's Blog
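
For anyone reviewing an app before installing or approving it, the permission pairing from step 3 (SD card access plus internet) can be checked in a decoded AndroidManifest.xml, for example the text form produced by apktool. This is an added example, not code from the original post or from Bas Bosschert's blog; the sample manifests and package names are constructed, and the API level 19 enforcement point for READ_EXTERNAL_STORAGE comes from the Android platform documentation rather than from the post.

```python
import xml.etree.ElementTree as ET  # for untrusted APKs, prefer defusedxml

NS = "{http://schemas.android.com/apk/res/android}"
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}  # write implies read
INTERNET = "android.permission.INTERNET"
READ_ENFORCED_FROM_API = 19  # below Android 4.4, SD card reads need no permission


def audit_manifest(manifest_xml):
    """Flag an app that can both read shared storage and reach the network."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NS + "name") for el in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    raw = sdk.get(NS + "minSdkVersion", "1") if sdk is not None else "1"
    min_sdk = int(raw) if raw.isdigit() else 1  # unknown value: assume oldest
    declared = bool(perms & STORAGE)
    # An app that still installs on pre-4.4 devices can read the SD card there
    # without declaring any storage permission at all.
    implicit = min_sdk < READ_ENFORCED_FROM_API
    network = INTERNET in perms
    return {"package": root.get("package"), "network": network,
            "declared_storage": declared, "implicit_storage": implicit,
            "flag": network and (declared or implicit)}


def manifest(package, min_sdk, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    body = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s"><uses-sdk android:minSdkVersion="%d"/>%s</manifest>'
            % (package, min_sdk, body))


# Constructed samples covering the declared, implicit and harmless cases.
SAMPLES = [
    manifest("com.example.game", 19, ["INTERNET", "READ_EXTERNAL_STORAGE"]),
    manifest("com.example.wallpaper", 8, ["INTERNET"]),
    manifest("com.example.notes", 21, ["WRITE_EXTERNAL_STORAGE"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_manifest(sample))
```

A flagged result only means the app is able to read shared storage and send data out; many legitimate apps hold both permissions, so treat it as a prompt for closer review.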
