WhatsApp For Android Flaw Lets Anyone Read Your Messages

WhatsApp is one of the world’s most popular cross-platform messaging apps. It was created in 2009 and has over 400 million active users each month. The app was recently placed under the spotlight when Facebook offered to buy it for a cool US$19 billion: $4 billion in cash, $12 billion in Facebook stock, and $3 billion in restricted stock.


WhatsApp is back in the headlines, but this time for another reason. The Android version of the app has a critical flaw that allows anyone to read your messages. The cause is where the data lives: WhatsApp stores its message database on the SD card, that is, on shared external storage, and any Android app that holds the storage permission can read files there, including a malicious app.

The flaw was described by Bas Bosschert, a security expert and CTO at DoubleThink. He started from a simple question: “Is it possible to upload and read the WhatsApp chats from another Android application?” He soon found the answer. “The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem.”

So what is needed to steal the messages? Bosschert explains that the first thing needed is a place to store the stolen database, in his case a web server. Then: “Next thing we need is an Android application which uploads the WhatsApp database to the website.”

Bosschert then set up a web server and built an Android app that requests several permissions, among them access to the SD card. The app shows a cute loading screen that keeps the user occupied while the database files are uploaded to the server in the background. That is all it takes for an attacker to read WhatsApp messages. Older versions of WhatsApp store the database unencrypted, so anyone holding a copy can open it directly. The recent update encrypts the database, but Bosschert says the encryption is still easily broken.

“The WhatsApp database is a SQLite3 database, which can be converted to Excel for easier access. Lately WhatsApp has been using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple Python script. This script converts the encrypted database to a plain SQLite3 database. We can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases.”
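The core of the problem is a storage-location one: a file on shared external storage is readable by every app that holds the storage permission, whereas a file in an app’s private data directory is not, and an unencrypted SQLite file can be opened by anyone who obtains a copy. The following script is an added example, not Bosschert’s script and not WhatsApp code. It models the two Android storage locations with ordinary directories and permission bits, walks the tree to flag database files another app could read, tells plaintext SQLite files apart from encrypted or otherwise opaque ones by checking the 16-byte SQLite header, and shows what an attacker gets from a plaintext copy by simply querying it. The directory names, the `messages` table, and the stand-in “encrypted” file are all constructed for the demo; the stand-in is not WhatsApp’s real encryption.

```python
"""
Added example (not Bosschert's script, not WhatsApp code). Simulates the Android
storage layout the article describes: a world-readable database on the "SD card"
(shared external storage), an opaque "encrypted" copy beside it, and a copy in an
app-private directory that other apps cannot read. All file names, the table
layout and the sample messages are constructed for this demo.
"""
import os
import sqlite3
import stat
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_plain_sqlite(path):
    """True if the file starts with the SQLite 3 header, i.e. it is not encrypted."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def readable_by_others(path):
    """Stand-in for 'another app could read this': group- or world-read bit set.
    Uses the mode bits rather than os.access() so the answer is the same as root."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_databases(root):
    """Walk a storage tree and report, per database-looking file, whether another
    app could read it and whether it is plaintext SQLite."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if ".db" not in name:
                continue
            path = os.path.join(dirpath, name)
            findings[os.path.relpath(path, root)] = {
                "readable_by_other_apps": readable_by_others(path),
                "plaintext_sqlite": is_plain_sqlite(path),
            }
    return findings


def dump_messages(path):
    """What an attacker gets from a plaintext copy: open it and read the chats."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT sender, body FROM messages ORDER BY id").fetchall()
    finally:
        con.close()


def build_demo_storage(root):
    """Construct the demo layout under root (all names hypothetical)."""
    external = os.path.join(root, "sdcard", "WhatsApp", "Databases")
    private = os.path.join(root, "data", "com.example.app", "databases")
    os.makedirs(external)
    os.makedirs(private)

    # Plaintext database on shared storage, world-readable like a FAT SD card.
    plain = os.path.join(external, "msgstore.db")
    con = sqlite3.connect(plain)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)",
                    [("alice", "meeting at 10?"), ("bob", "yes, room 4")])
    con.commit()
    con.close()
    os.chmod(plain, 0o644)

    # Stand-in for a .crypt file: opaque bytes whose header is not the SQLite
    # magic. This is NOT WhatsApp's real encryption, just constructed filler.
    crypt = os.path.join(external, "msgstore.db.crypt")
    with open(crypt, "wb") as f:
        f.write(bytes(range(256)) * 16)
    os.chmod(crypt, 0o644)

    # Same database in app-private storage with mode 0600: not readable by others.
    priv = os.path.join(private, "msgstore.db")
    with open(plain, "rb") as src, open(priv, "wb") as dst:
        dst.write(src.read())
    os.chmod(priv, 0o600)
    return root


def run_demo():
    """Build the layout in a temp dir; return (audit findings, dumped messages)."""
    root = build_demo_storage(tempfile.mkdtemp())
    findings = audit_databases(root)
    plain = os.path.join(root, "sdcard", "WhatsApp", "Databases", "msgstore.db")
    return findings, dump_messages(plain)


if __name__ == "__main__":
    findings, messages = run_demo()
    for name, info in sorted(findings.items()):
        print(name, info)
    print(messages)
```

Run as is, the audit flags both files under `sdcard/` as readable by other apps, marks only `msgstore.db` as plaintext SQLite, and reports the copy under the app-private path as not readable by others; the final line prints the two sample chats read straight out of the plaintext copy. The header check is the quick test a practitioner would run on a backup to see whether it is stored in the clear; it says nothing about how strong the encryption of a non-plaintext file is, which is exactly the point Bosschert makes about the `.crypt` files.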

Bosschert further explains that this issue is not present in the iOS or Windows Phone versions of the app, because on those platforms apps have only limited access to storage and phone hardware and cannot read another app’s files.

via basbosschert


  1. WhatsApp has an edge when it comes to popularity and word of mouth, almost leaving Telegram out of everyone’s mind.

  2. Yeah. That’s the only hope. But I wonder why an app like Telegram with such security features and speed hasn’t been able to take on WhatsApp. Early to market theory I guess.

  3. I wouldn’t think a whole lot is going to “crop up.” Under Facebook’s ownership, it should be a lot more secure going forward. Although if more does, I certainly would be surprised.

  4. Yeah, it can be scary, but again, with Facebook at the helm now, it shouldn’t be much of an issue going forward. Some serious changes are coming down the pipeline when it comes to the backend of the app.

  5. With Facebook at the helm now, this shouldn’t be much of a problem. Give WhatsApp a couple of months and it’s going to be much more secure than it ever was.

  6. Why didn’t WhatsApp take care of this? Should a company like this wait till people report such crucial issues to worry about it?

  7. Until this issue is fixed you can do something easy. Delete all the backups that WhatsApp makes of your chats. If however your friends are ready to shift to other apps like Telegram, then you can do that.

  8. I’m uninstalling this right away, after sending this link to all my contacts on WhatsApp. 🙂

  9. This is some serious stuff. A company like WhatsApp not encrypting the database? God! Unimaginable and scary. And now that it is encrypted, it is so easy to decrypt! I guess it’s time to move on to Telegram.

  10. I am sending this over to my buddy now. He is all about running Android only and I am pretty sure he uses this. How many other issues are going to crop up with this app? Anyone want to bet another hits before the week is out?
