Security Flaw In WhatsApp Can Reveal Your Messages With Ease

March 12, 2014 - Written By Patrick Northcraft

There is always a trade-off when it comes to technology. The eternal battle of privacy vs. convenience is one that has been taking center stage as smartphones become more and more pivotal in our daily lives. Thankfully, Android apps do ask the user for permission to access their phones, but the average user does not read these permission requests. This oversight could be detrimental for some users, especially those who use the WhatsApp messaging app.

The issue with the app was revealed by Bas Bosschert, an IT guru from the Netherlands. He has spent years working with Linux and Unix, so he knows how to dig into open source software. He revealed that WhatsApp asks for permission to access and write to the external SD card, which is one of the most insecure locations on the phone. The app has a service that backs up your messages to the SD card, which is convenient to be sure, but awfully insecure. Any other app that is granted permission to access the SD card could theoretically access your backed-up messages, and you would not even know that it is happening. As Bosschert said himself, “People would only see a loading screen when they started the game. They wouldn’t notice that their WhatsApp database had been uploaded.”

To add icing to the proverbial cake, WhatsApp uses the same encryption for its incoming and outgoing messages, so should a potential hacker figure out just one of these, he or she would have access to the plain text files of both. This fact was revealed by Thijs Alkemade, a computer science and mathematics student at Utrecht University in the Netherlands, who has taken a particular interest in WhatsApp ever since Facebook started the moves to acquire it. While Google does take steps to try to prevent things like this from being accessible on the Play Store, things slip through the cracks. Even though they are working on a process to stop duplicate or malicious apps from existing on the store, nothing is fool-proof. The best defense you can have against things like this is reading all of an app’s permissions before you download and install it, thus keeping you aware of what could be accessed… and as always, avoid apps from untrusted sources.
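The permission review recommended above can be scripted against a decoded AndroidManifest.xml. This is an added example, not part of the original article; the function names and the three sample manifests are constructed for illustration, and it assumes the manifest has already been decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",  # write access implies read access
}
INTERNET = "android.permission.INTERNET"

def declared_permissions(manifest_xml):
    """Return the set of permission names requested in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def assess(manifest_xml):
    """Rate an app by whether it can read the SD card and send data out."""
    perms = declared_permissions(manifest_xml)
    can_read = bool(perms & STORAGE)
    can_send = INTERNET in perms
    if can_read and can_send:
        return "high"    # can read backups on the SD card and upload them
    if can_read:
        return "medium"  # can read backups, but requests no network permission itself
    return "low"

# Constructed sample manifests (hypothetical packages, not real apps).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
PERM = '<uses-permission android:name="android.permission.%s"/>'
GAME = HEAD % "com.example.game" + PERM % "INTERNET" + PERM % "WRITE_EXTERNAL_STORAGE" + "</manifest>"
PLAYER = HEAD % "com.example.player" + PERM % "READ_EXTERNAL_STORAGE" + "</manifest>"
CLOCK = HEAD % "com.example.clock" + PERM % "VIBRATE" + "</manifest>"

if __name__ == "__main__":
    for label, xml in (("game", GAME), ("player", PLAYER), ("clock", CLOCK)):
        print(label, assess(xml), sorted(declared_permissions(xml)))
```

A "high" rating only means the app holds the permission combination the article warns about; it says nothing about what the app actually does with it.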