
WhatsApp Flaw Makes Your 'Private' Messages Easy to Read

Source: Tom's Guide US | 4 comments

Popular instant-messaging app WhatsApp backs up messages on Android in an insecure way, according to one security researcher — and it isn't the first WhatsApp security flaw.

WhatsApp may be riding high since Facebook last month agreed to buy the five-year-old startup for a stunning $19 billion. But security experts have long had concerns about how WhatsApp encrypts users' conversations and what kind of private contact information the app collects from users' phones.


WhatsApp stores an archive of your messages on the phone's SD card, which is not a secure storage area. Many other apps also require permission to access the SD card, and most Android users have no choice but to grant it if they want those apps. 

In a blog posting yesterday (March 11), Dutch security researcher Bas Bosschert said he and his brother Thijs created a proof-of-concept exploit that showed any app with access to the SD card could read and transmit the database of WhatsApp messages.

By default, WhatsApp backs up your chats to your phone's SD card daily, according to the app's Android FAQ. From the app's "Chat Settings" menu, users can also manually back up chats, or delete all conversations. However, on the same FAQ, WhatsApp says users can recover deleted chats by uninstalling and reinstalling the app and then tapping "Restore."

The Bosschert brothers also showed that the database's encryption is so weak that "we can simply decrypt this database using a simple Python script."

The two said an attacker could easily create a malicious app that accesses a phone's SD card and then uploads the WhatsApp database to a remote server. The attacker could even hide the necessary code in another app, such as a Flappy Bird clone, in order to trick people into downloading it.

"Facebook didn't need to buy WhatsApp to read your chats," Bas Bosschert concluded.

This vulnerability is the latest in a string of WhatsApp security snafus. Last fall, researchers showed that WhatsApp used the same encryption key for every message in a given conversation.

If attackers captured even part of an encrypted WhatsApp conversation (via a man-in-the-middle attack, for example) and could guess part of one message's contents, they could use simple math to work out what the encrypted messages had in common, namely the encryption key. With that key they could then decrypt the entire conversation.
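The weakness described above is the classic "two-time pad" problem: when every message in a conversation is encrypted with the same keystream, XORing two ciphertexts cancels the keystream out and leaves only the XOR of the two plaintexts, so a guessed fragment of one message directly exposes the matching fragment of the other. The following Python example was added here to illustrate that reasoning and is not the Bosschert brothers' script or any WhatsApp code; it assumes a toy stream cipher (a SHA-256-based keystream, constructed for this illustration) and constructed sample messages, and shows the flawed same-keystream scheme next to the corrected one that gives each message its own nonce.

```python
import hashlib
from itertools import count


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher keystream (an assumption standing in for a real cipher,
    not WhatsApp's): block i = SHA-256(key || nonce || i), concatenated."""
    out = bytearray()
    for i in count():
        if len(out) >= length:
            break
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_with_known_fragment(c1: bytes, c2: bytes, known_m1_prefix: bytes) -> bytes:
    """Keystream-reuse recovery, no key needed:
    c1 XOR c2 = m1 XOR m2, so XORing in a guessed prefix of m1 yields m2's prefix."""
    n = len(known_m1_prefix)
    return xor(xor(c1[:n], c2[:n]), known_m1_prefix)


# Constructed sample values for the demonstration.
KEY = b"constructed-demo-key-not-real!!"
M1 = b"Hi Bob, see you at the station at 6"
M2 = b"Where did you leave the spare key?"
GUESS = b"Hi Bob, see you"  # a plausible guess at how message 1 opens


def reused_keystream_leak() -> bytes:
    """Flawed scheme: one keystream for every message in the conversation.
    Returns the bytes of M2 an eavesdropper recovers from the guess alone."""
    nonce = b""  # no per-message nonce, so the keystream repeats
    c1 = encrypt(KEY, nonce, M1)
    c2 = encrypt(KEY, nonce, M2)
    return recover_with_known_fragment(c1, c2, GUESS)


def per_message_nonce() -> bytes:
    """Corrected scheme: a unique nonce per message gives each message its own
    keystream, so the same recovery step yields only noise."""
    c1 = encrypt(KEY, (1).to_bytes(8, "big"), M1)
    c2 = encrypt(KEY, (2).to_bytes(8, "big"), M2)
    return recover_with_known_fragment(c1, c2, GUESS)


if __name__ == "__main__":
    print("same keystream, recovered from M2:", reused_keystream_leak())
    print("per-message nonce, recovered:     ", per_message_nonce())
```

With the shared keystream, `reused_keystream_leak()` returns the first 15 bytes of the second message even though the attacker never sees the key; with a distinct nonce per message the same step returns unrelated bytes. The defensive takeaway is that a stream cipher's key/nonce pair must never be reused across messages, which is why modern designs derive a fresh nonce (or a fresh key) for every message and pair it with authentication.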

WhatsApp also collects personal information from devices on which it's installed and stores the data on the company's servers. This is hugely valuable information for marketers and advertisers; some experts have argued that Facebook's $19 billion for WhatsApp really works out to $42 for each contact list extracted from WhatsApp's 450 million users.

WhatsApp is far from the only insecure messaging app. If you're serious about wanting to keep your messages private and secure, Wickr and Silent Circle's Silent Text app are considered among the best. 

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.

  • 2 | de5_Roy, March 12, 2014 9:26 AM
    "WhatsApp Flaw Makes Your 'Private' Messages Easy to Read" - so that's why Facebook wants WhatsApp. Great data-leakers think alike. :whistle:
  • 1 | bmwman91, March 12, 2014 9:35 AM
    Well, I mean really, how much security can you expect for a measly $19B? Chump change!
  • 2 | gmaclean, March 12, 2014 3:43 PM
    I'm sorry, what? "If you're serious about wanting to keep your messages private and secure, Wickr and Silent Circle's Silent Text app are considered among the best." Or BBM? You can say a lot of things about BlackBerry, but a knock at security is not among them.
  • 0 | Toni Vicente, March 19, 2014 9:18 AM
    Is it the same problem on Symbian mobile? I don't have an SD card (it's broken).