“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card,” Bosschert says. “And, as the majority of people allow everything on their Android device, this is not much of a problem.”
Android’s part in the weakness is that the operating system grants access to the SD card all-or-nothing: any application permitted to read and write external storage can also read whatever other applications have stored there.
WhatsApp not only keeps its database on that external storage but, in earlier versions of the app, does so without any encryption at all.
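To make the storage point concrete, here is an Android snippet added here as an illustration (it is not WhatsApp’s code, nor Bosschert’s): the same SQLite database opened from the shared SD card, where any app holding the external-storage permission can read it, and from the app’s private data directory, where it cannot. The directory name, database name and class name are assumptions for the example, not WhatsApp’s actual paths.

```java
import android.content.Context;
import android.database.sqlite.SQLiteDatabase;
import android.os.Environment;

import java.io.File;

/**
 * Added example, not WhatsApp's code: one SQLite database, two locations.
 * DB_NAME and SD_SUBDIR are assumed names for illustration only.
 */
public final class ChatDatabase {
    private static final String DB_NAME = "chats.db";            // assumed name
    private static final String SD_SUBDIR = "ChatApp/Databases"; // assumed path

    // WEAK: the shared external-storage volume (the "SD card"). On the Android
    // versions the article discusses, access to it is all-or-nothing, so every
    // app that holds READ_EXTERNAL_STORAGE can open this file with a plain read.
    public static SQLiteDatabase openOnSdCard() {
        File dir = new File(Environment.getExternalStorageDirectory(), SD_SUBDIR);
        dir.mkdirs();
        return SQLiteDatabase.openOrCreateDatabase(new File(dir, DB_NAME), null);
    }

    // HARDENED: the app's private database directory (/data/data/<package>/databases).
    // It is owned by the app's own Linux UID with no group or world access, so another
    // app cannot read it without root, whatever storage permissions it holds.
    public static SQLiteDatabase openPrivate(Context ctx) {
        File db = ctx.getDatabasePath(DB_NAME);
        File parent = db.getParentFile();
        if (parent != null) {
            parent.mkdirs();
        }
        return SQLiteDatabase.openOrCreateDatabase(db, null);
    }

    // Check to run against any path an app writes: does it sit on shared external
    // storage? If so, treat its contents as readable by every app granted SD-card access.
    public static boolean isOnSharedExternalStorage(File path) {
        String external = Environment.getExternalStorageDirectory().getAbsolutePath();
        return path.getAbsolutePath().startsWith(external + File.separator);
    }

    // All a second app with the SD-card permission needs: no exploit, just a file
    // that lives in shared storage and is readable.
    public static boolean readableByAnotherApp(File dbOnSdCard) {
        return isOnSharedExternalStorage(dbOnSdCard) && dbOnSdCard.canRead();
    }
}
```

Both `openOrCreateDatabase` calls use the platform’s own SQLite API; the only difference between the weak and hardened versions is the directory. The snippet targets the Android versions of the time, before scoped storage narrowed what apps can read from shared storage.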
Bosschert adds that even later versions, which encrypt the database, do so using a key which can be easily extracted from the app using third-party tools like WhatsApp Xtract.
He concludes that “every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases.
“Facebook didn’t need to buy WhatsApp to read your chats.”
To avoid having their chats stolen, users should be wary of granting suspicious apps access to the SD card; the theoretical example Bosschert gives is a Flappy Bird clone. If an application comes from an untrusted publisher, users should look carefully at the permissions it requests when it is installed, especially if they include access to the SD card.