Dutch researcher warns that WhatsApp user chats on Android devices are highly vulnerable to theft
The Android version of the popular mobile instant messaging app WhatsApp contains an inherent system flaw that could allow user chats to be stolen.
This is the warning from Dutch security researcher and consultant, Bas Bosschert, who warned that the flaw is caused by poorly secured encryption keys, as well as a design flaw within the Android OS itself.
The discovery came when Bosschert decided to research whether it is possible to upload and read the WhatsApp chats from another Android application. And he soon discovered that it was indeed possible, leading to fears that user chats could be uploaded to a third-party server without the knowledge or consent of the user.
“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card,” wrote Bosschert “And since majority of the people allow everything on their Android device, this is not much of a problem.”
Bosschert had discovered that due to a combination of the poor levels of encryption within the WhatsApp application, coupled with the way that Android handles external storage, means that there is an exploitable vulnerability.
The flaw is partly to blame on Android because the mobile operating system only allows all-or-nothing access to the SD card. Therefore any app that can read and write to the external storage can also read what other applications have stored there.
WhatsApp is also to blame because early versions of its app do not feature any encryption at all. And even later versions, which actually do encrypt the database, are also vulnerable, because the encryption key can be easily located using third-party tools.
“So, we can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases,” warned Bosschert. “Facebook didn’t need to buy WhatsApp to read your chats,” he cheekily concluded.
This last point is especially noteworthy considering that complaints have already been filed with the Federal Trade Commission by two privacy groups, asking authorities to investigate Facebook’s expensive acquisition of WhatsApp. The privacy advocates are deeply concerned about what Facebook plans to do with the data of WhatsApp’s 450 million users – especially considering WhatsApp’s strict ban on advertising.
Security concerns about WhatsApp have been raised before. Last October for example, a European researcher claimed that WhatsApp encryption did not work in a secure way and users should consider all their previous communications compromised.
Thijs Alkemade, a computer science student at Utrecht University, said that the problem was that WhatsApp used the same RC4 encryption key in both directions. Because of the way RC4 works, this would allow an attacker to look at how the XOR operation used by the standard is working in both ways, in order to reveal bits of the plain text.
And last July security researcher Troy Hunt uncovered SSL encryption weaknesses in the payment processing of the WhatsApp application, which could have exposed users’ details.
“Anyone using WhatsApp for sensitive communications probably needs their head examined. It’s hardly had a spotless record when it comes to security,” security expert Graham Cluley had previously told TechWeekEurope.
Bosschert meanwhile states that in order to prevent others from stealing their chats, users must be extremely cautious about granted third party apps access to their Android SD cards.
What do you know about Internet security? Find out with our quiz!