WhatsApp is one of the world’s most popular cross-platform communications apps. It was created in 2009 and has over 400 million active users each month. The app was recently placed under the spotlight when Facebook offered to buy it for a cool US$19 billion. Facebook will pay $4 billion in cash, $12 billion in stock, and $3 billion in restricted stock to acquire the messaging app.
WhatsApp is now back in the headlines, but this time for another reason. It appears that the Android version of the app has a critical flaw that allows anyone to read your messages. This is possible because the database of WhatsApp messages is stored on the SD card of a device, and any Android app can access this database, even malicious apps.
This flaw was discovered by Bas Bosschert, security expert and CTO at DoubleThink. He first wondered, “Is it possible to upload and read the WhatsApp chats from another Android application?” He soon found out the answer to this. “The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem.”
So what is needed to steal the messages? Bosschert explains that the first thing needed is a place to store the database. He continues, “Next thing we need is an Android application which uploads the WhatsApp database to the website.”
Bosschert then set up a web server and created an Android app that required several permissions. The app has a cute loading screen that distracts the user while the database files are being uploaded to the web server. This simple procedure is how hackers can read WhatsApp messages. Older versions of the app do not encrypt the database, making it easy for anyone to gain access. A recent WhatsApp update encrypts the database; however, Bosschert says that the encryption can still be easily broken.
“The WhatsApp database is a SQLite3 database which can be converted to Excel for easier access. Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple Python script. This script converts the crypted database to a plain SQLite3 database. We can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases.”
Bosschert further explains that this security issue is not present in the iOS or Windows Phone versions of the app, since access to storage and phone hardware is limited on these devices.
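The exposure described above can be audited on a copy of a device's shared storage. The following is an added example, not code from Bosschert or from the original article: it flags files that begin with the SQLite3 header and confirms that their schema can be read without any key. The directory layout, file names and function names are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of any unencrypted SQLite3 file

def is_plaintext_sqlite(path):
    """True when the file starts with the SQLite3 header, i.e. is not encrypted."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def audit_shared_storage(root):
    """Return (relative path, table names) for each database readable without a key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not is_plaintext_sqlite(path):
                continue
            uri = Path(os.path.abspath(path)).as_uri() + "?mode=ro"  # never modify the copy
            con = sqlite3.connect(uri, uri=True)
            try:
                tables = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
            except sqlite3.DatabaseError:
                tables = []  # header matched but the body is damaged or truncated
            finally:
                con.close()
            findings.append((os.path.relpath(path, root), tables))
    return findings

def build_constructed_sample(root):
    """Constructed test data: one plaintext database and one opaque blob."""
    os.makedirs(os.path.join(root, "app_a"))
    con = sqlite3.connect(os.path.join(root, "app_a", "chats.db"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.commit()
    con.close()
    with open(os.path.join(root, "backup.bin"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for an encrypted database

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for rel, tables in audit_shared_storage(tmp):
            print(f"PLAINTEXT {rel}: tables={tables}")
```

A file that does not match the header is only shown to be not plaintext SQLite; as the article notes, encryption on shared storage does not by itself make the contents safe.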