Android Version of WhatsApp Chats Liable to Theft

A newly found security flaw in the Android version of WhatsApp allows a user's entire chat history to be stolen and read.

A report on the website of Bas Bosschart, a Dutch security analyst, details the exact steps required to steal the WhatsApp chat database and upload it to an external server.

The flaw uses an Android permissions feature that grants applications access to read and write data to and from the SD card.

A rogue application that has been granted this permission can therefore upload the WhatsApp databases to an external server.

WhatsApp Encryption

Earlier versions of the WhatsApp application stored the chat databases on the SD card without any form of encryption. Although later versions now store the data in an encrypted format, it is easy enough to obtain the decryption key for the WhatsApp application.

In theory, any application that requires the permission to read/write to the SD card can be used to access this data.

The issue occurs on Android because its permissions are not fine-grained enough. If you grant an application full permission to read/write to the SD card, then in theory it can also read data placed on the SD card by any other application. It should be noted that this issue only applies to Android, due to the way in which permissions are granted.
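The two weaknesses described above (a database placed on shared external storage, and a decryption key that is easy to recover) both have well-known fixes on the app side. The following is an added example written for this page; it is not code from WhatsApp or from the report. It shows an Android app keeping a chat database in app-private internal storage and encrypting it with a key that lives in the Android Keystore, so that neither the file nor the key is exposed to other apps holding the SD-card permission. The class name, the key alias, the file name and the API level (23 or later, for `KeyGenParameterSpec`) are assumptions of this example.

```java
// Added example, not from the article or from WhatsApp. Requires API level 23+.
// Names (PrivateChatStore, KEY_ALIAS, FILE_NAME) are hypothetical.
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class PrivateChatStore {
    private static final String KEY_ALIAS = "chat-db-key";     // hypothetical alias
    private static final String FILE_NAME = "msgstore.db.enc"; // hypothetical file name
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    private final Context context;

    public PrivateChatStore(Context context) {
        this.context = context.getApplicationContext();
    }

    // Weak pattern the article describes, shown only for contrast and not used below:
    //   File weak = new File(Environment.getExternalStorageDirectory(), "msgstore.db");
    //   byte[] staticKey = "<same value on every phone>".getBytes();
    // Any app with the SD-card permission can read that file, and a key that is
    // identical on every device is recovered once from the APK and works everywhere.

    // Hardened: the AES key is generated inside the Android Keystore and its raw
    // bytes are never returned to the app, so there is nothing on disk or in the
    // APK for a rogue app to copy.
    private SecretKey getOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(KEY_ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    // Hardened: openFileOutput with MODE_PRIVATE writes under the app's own
    // internal directory, owned by the app's Linux UID. No storage permission
    // grants another app access to files there.
    public void save(byte[] plaintextDb) throws GeneralSecurityException, IOException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        // Keystore keys require randomized encryption: let the Cipher pick the IV
        // rather than supplying one, then persist it in front of the ciphertext.
        c.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        byte[] iv = c.getIV();
        byte[] ciphertext = c.doFinal(plaintextDb);
        try (FileOutputStream out = context.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(iv);
            out.write(ciphertext);
        }
    }

    public byte[] load() throws GeneralSecurityException, IOException {
        byte[] blob;
        try (FileInputStream in = context.openFileInput(FILE_NAME)) {
            blob = readAll(in);
        }
        if (blob.length < GCM_IV_BYTES) {
            throw new IOException("stored database is truncated");
        }
        byte[] iv = new byte[GCM_IV_BYTES];
        System.arraycopy(blob, 0, iv, 0, GCM_IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        // GCM's tag check makes tampering with the file on disk fail loudly here.
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    // Small loop instead of InputStream.readAllBytes(), which older Android lacks.
    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }
}
```

The point of the two changes is independent: moving the file to internal storage removes the shared-SD-card exposure on its own, and the Keystore-held key means that even a copy of the encrypted file obtained some other way cannot be decrypted by recovering a static key from the app package. Backups that must leave the device should be re-encrypted under a user-supplied secret rather than written in the clear to external storage.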

Solution

Until there is a WhatsApp update that secures the encryption key so that it cannot be easily extracted, there are only a couple of precautions you can take if you are concerned about the privacy of your WhatsApp chats.

Only install applications requiring this permission if you are 100% certain of their trustworthiness. Never install applications from an untrusted publisher.

Switch to using a different messaging application until there is a WhatsApp update to address this issue.

In order to prevent installation of applications from untrusted publishers, on your Android device navigate to Settings -> Security and ensure that the option "Unknown sources" (Allow installation of apps from unknown sources) is unchecked.