WhatsApp says Android app is safe - Was Bosschert's claim 'overstated'?

If you were worried about Facebook's purchase of WhatsApp making the app more vulnerable and less private, you should be even more worried now. Now, even before the purchase is finalized, WhatsApp is suffering from a pretty serious security flaw in the encryption of its Android app.

As it stands, hackers can easily access the conversations of Android users on WhatsApp and steal them. Bas Bosschert, the CTO of Doublethink, discovered the security hole and wrote a detailed blog post about how easy it is for a hacker to read every Android user's WhatsApp chats.

Essentially, the problem is of greater concern on Android because WhatsApp conversations are saved on the user's smartphone SD card, which is also used by many other apps. So all a hacker has to do is wait for the user to download a malicious app and grant it access to the SD card, and the next thing you know, the hacker is reading all of your conversations.

"And since majority of the people [allow] everything on their Android device, this is not much of a problem," Bosschert said in a blog post, explaining the hack.

It's more of an Android infrastructure problem than a WhatsApp issue. But nonetheless, WhatsApp could certainly send out an update to patch the security hole. After all, the security flaw also lies in the encryption of the Android version of WhatsApp.

"We can simply decrypt this database using a simple python script," Bosschert explained. "This script converts the [encrypted] database to a plain SQLite3 database."

Bosschert even made a fake malicious app to prove his point. While a silly loading animation played in the malicious app, it silently stole all of his WhatsApp conversations.

"So, we can conclude that every application can read the Whatsapp database and it is also possible to read the chats from the encrypted databases," he continued. "Facebook didn't need to buy Whatsapp to read your chats."

WhatsApp quickly responded to Bosschert's claims that your conversations are at risk, saying that its Android app is secure and reports to the contrary are exaggerated.

"Unfortunately, these reports have not painted an accurate picture and are overstated," WhatsApp said in a statement. "Under normal circumstances, the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk."

Even so, WhatsApp will probably seal this security hole soon with a new update. In a way, WhatsApp is right: this security flaw isn't really its fault. This latest security breach has more to do with irresponsible app downloading and Android's infrastructure than it does with WhatsApp's encryption. The flaw forces the debate over the inherent problems in parts of the Android infrastructure to resurface. In general, iOS is considered the more secure of the two most popular OSs simply because it is a closed system. It's much harder for malicious apps to make their way onto the App Store in the first place, and Apple denies data access between apps for the most part.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.