Chaitanya Kukde
Member • Mar 12, 2014
Encryption Flaw In WhatsApp Highlights Android's Security Concerns
Even after numerous security and privacy updates, controversies surrounding the Facebook acquired messenger WhatsApp do not seem to slow down. More and more privacy concerns as well as security holes are being bought to forefront each day, even after the WhatsApp For Android Can Now Hide 'Last Seen' Message, Latest Update Is Here.
Bas Bosschert, the CTO at DoubleThink, wrote about the security flaw in WhatsApp in his blog yesterday. The flaw however, concerns more to Android data infrastructure security rather than concerning WhatsApp. What Mr. Bosschert did was he used another app to read WhatsApp's conversation data and while the database files were being uploaded, the users were fooled with a "Loading" screen which made users think that the app was doing something 'interesting' in the background.
Image: #-Link-Snipped-#
This results from the fact that WhatsApp stores conversation data on the phone's SD Card, which is pretty normal in Android smartphones. This data can be read by any app to which the user has given the "Full access to phone" permissions.
The steps for the 'hack' can be described as follows:
Here is where the difference between iOS and Android comes. Apple does not give permission to data outside of the app's own sandbox. This stops malevolent developers from accessing data through a dummy app.
So, to conclude, we would like to convey our apologies on the demise of privacy of Android WhatsApp users and it would also be safe to say that at the NSA HQ, the party must've already begun.
Source: Hole In WhatsApp For Android Lets Hackers Steal Your Conversations • TechCrunch|#-Link-Snipped-#
Bas Bosschert, the CTO at DoubleThink, wrote about the security flaw in WhatsApp in his blog yesterday. The flaw however, concerns more to Android data infrastructure security rather than concerning WhatsApp. What Mr. Bosschert did was he used another app to read WhatsApp's conversation data and while the database files were being uploaded, the users were fooled with a "Loading" screen which made users think that the app was doing something 'interesting' in the background.
Image: #-Link-Snipped-#
The steps for the 'hack' can be described as follows:
- Create a place to store the database, say a webserver.
- Create an Android application that uploads the conversation database to the server.
- To do that, simply modify the AndroidManifest.xml file which allows the app to permission access the SD card and to upload it using internet.
- The msgstore.db and the wa.db are the two files which contain chat data. These are unencrypted and can be read by SQLite 3 and even be converted to Excel. But lately, WhatsApp has been encrypting chats in a msgstore.db.crypt file. However, the .crypt file can be decrypted using a simple Python script and the key for the encryption can be obtained from WhatsApp Xtract. Therefore the encryption of the database does not turn out to be a big deal for a smart hacker.
- Create a loading screen or something interesting that will trick the user into believing that the application is carrying out some process in the background.
Here is where the difference between iOS and Android comes. Apple does not give permission to data outside of the app's own sandbox. This stops malevolent developers from accessing data through a dummy app.
So, to conclude, we would like to convey our apologies on the demise of privacy of Android WhatsApp users and it would also be safe to say that at the NSA HQ, the party must've already begun.
Source: Hole In WhatsApp For Android Lets Hackers Steal Your Conversations • TechCrunch|#-Link-Snipped-#