
March 12, 2014

WhatsApp Flaw Leaves Chats Vulnerable to App Developers

Privacy Protection Shortcoming Only a Threat With Android Apps

Android smartphone users may be sharing their WhatsApp conversations with more than the intended audience.

The permissions in some Android apps can leave a WhatsApp user’s chat history vulnerable to being viewed by third parties, according to a security consultant from the Netherlands.

Bas Bosschert told Business Insider that developers can fool WhatsApp users into handing over access to their entire message database. WhatsApp backs up messages on the SD cards of users’ phones. Apps can access that data if given permission to do so. The information can then be uploaded to the developer’s personal Web server.

“People would only see a loading screen when they started the game,” Bosschert told Business Insider. “They wouldn’t notice that their WhatsApp database has been uploaded.”

Bosschert, in a blog post, offered detailed instructions on how to create an app that can access WhatsApp chat history. The post includes code and screenshots that can be added to an Android game.

“Every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases,” Bosschert wrote. “Facebook didn’t need to buy WhatsApp to read your chats.”

Bosschert is not the first security aficionado to find flaws in WhatsApp privacy protections.

Thijs Alkemade, who is studying computer science at Utrecht University in the Netherlands, said in an October blog post that because WhatsApp’s incoming and outgoing messages are encrypted with the same key, a hacker can analyze them to cancel out the key stream and recover the actual text.

“You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort,” Alkemade wrote. “You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this except to stop using it until the developers can update it.”
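
The key-stream reuse Alkemade describes, shown as an added example that is not from this article or from Alkemade's post. It assumes a stand-in key-stream generator (SHA-256 in counter mode, not WhatsApp's cipher), constructed messages, and a hypothetical `direction_key` helper, and compares one shared key for both directions with a separate key per direction.

```python
import hashlib
import hmac


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in key-stream generator (assumption): SHA-256 in counter mode."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR key stream."""
    return xor(plaintext, keystream(key, len(plaintext)))


def direction_key(session_key: bytes, direction: bytes) -> bytes:
    """Mitigation (hypothetical helper): an independent key for each direction."""
    return hmac.new(session_key, b"dir:" + direction, hashlib.sha256).digest()


def leaked_xor(c_out: bytes, c_in: bytes) -> bytes:
    """What an eavesdropper can compute from the two ciphertexts alone."""
    return xor(c_out, c_in)


# Constructed sample data, not real traffic.
SESSION_KEY = b"constructed-session-key"
SENT = b"meet me at the station at 9"
RECEIVED = b"ok, see you there at nine!!"

# Weak: both directions use the same key, so the key stream cancels out.
weak_out = encrypt(SESSION_KEY, SENT)
weak_in = encrypt(SESSION_KEY, RECEIVED)

# Corrected: each direction encrypts under its own derived key.
fixed_out = encrypt(direction_key(SESSION_KEY, b"client->server"), SENT)
fixed_in = encrypt(direction_key(SESSION_KEY, b"server->client"), RECEIVED)

if __name__ == "__main__":
    same = xor(SENT, RECEIVED)
    print("shared key leaks p1 XOR p2:", leaked_xor(weak_out, weak_in) == same)
    print("per-direction keys leak it:", leaked_xor(fixed_out, fixed_in) == same)
    print("known SENT reveals:", xor(leaked_xor(weak_out, weak_in), SENT))
```
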

Although Google Play does bar from its store all apps that collect user info without permission, there is no guarantee some haven’t slipped through the cracks.

According to Bosschert, the only way to be truly safe is to read the app’s permissions before installing.

It was announced last month that Facebook would acquire WhatsApp for $19 billion, although the popular messaging service would remain as an independent service.


Jennifer Cowan is the Managing Editor for SiteProNews.