Worried that someone might be eavesdropping on your WhatsApp chats? Facebook might just have the solution.
Earlier today, we reported on a security issue involving the Android version of mobile messenger WhatsApp. The vulnerability, discovered by security researcher Bas Bosschert, basically involves extracting the app’s SQLite database from the phone’s microSD storage, which is usually accessible from all other Android applications.
The vulnerability is limited to Android, due to how apps are designed to store data in the external memory — or the emulated external storage if there is none. According to Bosschert, WhatsApp in itself is not vulnerable, particularly if the user does not have any other potentially risky apps. However, as proof-of-concept, the DoubleThink CTO built an Android app with the sole purpose of extracting WhatsApp data and uploading this to a third-party server — all while displaying a cute animation that’s meant to distract the user while the extraction is taking place.
Sandboxing and encryption
In essence, most Android apps will be vulnerable to such an attack, if the database they use is not secure enough. While the vulnerability may be indicative of the limitations of Android’s current sandboxing techniques for its app data, it’s actually the responsibility of the developer to select a strong enough encryption for user data stored in external media. In this case, WhatsApp’s SQLite3 database can easily be decrypted using a simple python script.
Facebook actually offered a solution for developers that will address vulnerabilities in data stored in the microSD. In early February, Facebook released its “Conceal” code library, meant to improve privacy of mobile data, while still optimizing for speed and snappy performance, even on low-spec devices. The protocol basically encrypts data, so that third-party applications cannot read nor tamper with the contents of the database stored in the microSD.
Conceal provides an easy to use API … To encrypt data, you simply pass an output stream and get back a wrapped OutputStream which encrypts data as it is written to it. A similar abstraction is provided for an InputStream to decrypt data.
Facebook has released this code library as an open source project, which enables third party developers to take advantage of the added security for their app data. Apart from encrypting data, Conceal also enforces additional steps that prevent tampering with this data.
What’s curious in the case of WhatsApp is why the developers did not choose a better method of storing and encrypting the app data of Android users. With Facebook’s recent acquisition of the chat app, however, expect the development team to quickly implement better encryption — most likely Conceal — to improve security.
Are you worried about privacy?
For now, users are advised to take precaution when using WhatsApp. Some might go as far as deleting app data and removing the app altogether, as a safeguard against malicious individuals or entities snooping on conversations. In the first place, WhatsApp is not exactly the most secure of apps. You’re better off using the likes of Telegram (with its secure chat feature) for secure personal chats. BBM, with its enterprise-grade security is also an option. Organizations that require more secrecy might benefit from Silent Circle’s premium service.
It’s interesting how WhatsApp’s security flaw can be fixed by a solution provided by its new owner. What’s worrying is why the developers did not implement such safeguards in the first place, especially given mobile users’ paranoia over mobile privacy amid government eavesdropping.