WhatsApp users on Android should know that someone could be reading the content of their chats, chuckling along with every corny joke you make, or doing way creepier thing with every flirtatious message sent. Consultant and CTO Bas Bosschert discovered a disturbing hole in WhatsApp security that allows people to upload and read Android WhatsApp chats.
Bosschert outlined the chat-stealing process on his blog: Because Android stores WhatsApp conversations on SD cards, hackers need to remotely access the SD card through another app. Then they need a place to store the WhatsApp database, like a webserver. Then they need to put a malicious Android app on the user’s phone; this malware will download the WhatsApp database onto the server.
WhatsApp tightened its security so would-be hackers can’t de-encrypt using SQLite. But they can de-encrypt the database using a Python script.
I would never be able to hack WhatsApp because I don’t know how to do any of that stuff, but for Bosschert, exploiting this security breach was no problem. He double-checked that this security weakness was still present after WhatsApp updated this week, and was still able to hack onto the conversations of others.
Bosschert only went through the hacking process as a demonstration, but he noted that this security failure had already been exploited. “It has been done in the past by other people,” he said, discussing how Google had to remove a game called Balloon Pop 2 from the Play store after it turned out the app was actually a backdoor way to spy on people’s WhatsApp chats. People are already trying to do this. It’s startling that there hasn’t been a comprehensive fix for this glaring security failure.
To be fair, this kind of security problem is not entirely WhatsApp’s fault, since it’s not a bug on the app, but rather a design issue for Android –though the design of WhatsApp doesn’t compensate for Android’s lagging security. But it is WhatsApp’s fault for allowing it to continue without making fixes, or at least alerting users to the fact that randoms could be reading their sexts.
Bosschert had some suggestions about how WhatsApp could improve security. “They could move the database backups to the protected space on the mobile devices. Or they could create an unique device created encryption key which they store in the protected space,” he told Daily Dot.
And WhatsApp users with iPhones shouldn’t get cocky, because your chats could be exposed if you use the app to talk with people on Android.