WhatsApp users who have Android devices will want to beware of a security hole uncovered by DoubleThink Chief Technology Officer Bas Bosschert. He walks readers of his site through the process of stealing people’s conversations.
Android left WhatsApp security hole open
Android rolled out an update to WhatsApp this week, but unfortunately, the vulnerability Bosschert uncovered is still there. He noted that the app on Android stores conversations on the SD card of the phone. Other apps on the phone can access the conversations if users allow that access. Many apps do request full access to the phone, which is easy to miss if you’ve never taken the time to read through those permissions before pressing “Allow.” He says this is more of a problem with Android itself than with WhatsApp.
He said a malicious app could then get into the conversation database, which is stored on the phone. He built an app to test this and was able to get access to the WhatsApp conversations. He hid the download of the conversations behind a loading screen, so users thought the app was just loading while it was downloading their conversations.
WhatsApp tries to close security hole
WhatsApp has tried to close security holes by encrypting the conversations before storing them. However, Bosschert says it is still possible for other apps on the phone to access those conversations and send them to other people.
He said WhatsApp uses a SQLite3 database, which can be converted into Excel format so the recipient can more easily access it. The encryption did make it impossible for SQLite to open the database directly, but he said it’s easy to decrypt the database “using a simple python script,” which just converts it into a regular SQLite3 database.
So those who have been using WhatsApp for privacy are probably surprised to find out that their conversations are so easily accessible. Needless to say, Android and WhatsApp are going to have to patch this security hole, and fast.