
WhatsApp security flaw should be a quick fix for Facebook

Worried that someone might be eavesdropping on your WhatsApp chats? Facebook might just have the solution.

Earlier today, we reported on a security issue involving the Android version of mobile messenger WhatsApp. The vulnerability, discovered by security researcher Bas Bosschert, basically involves extracting the app’s SQLite database from the phone’s microSD storage, which is usually accessible from all other Android applications.

The vulnerability is limited to Android, due to how apps are designed to store data in the external memory — or the emulated external storage if there is none. According to Bosschert, WhatsApp in itself is not vulnerable, particularly if the user does not have any other potentially risky apps installed. However, as a proof of concept, the DoubleThink CTO built an Android app with the sole purpose of extracting WhatsApp data and uploading it to a third-party server — all while displaying a cute animation meant to distract the user while the extraction takes place.

Sandboxing and encryption

In essence, most Android apps will be vulnerable to such an attack if the database they use is not secured well enough. While the vulnerability may be indicative of the limitations of Android’s current sandboxing of app data, it is actually the developer’s responsibility to select strong enough encryption for user data stored on external media. In this case, WhatsApp’s SQLite3 database can easily be decrypted using a simple Python script.

Facebook has actually offered developers a solution that addresses vulnerabilities in data stored on the microSD card. In early February, Facebook released its “Conceal” code library, meant to improve the privacy of mobile data while still optimizing for speed and snappy performance, even on low-spec devices. The library encrypts and authenticates data so that third-party applications can neither read nor tamper with the contents of a database stored on the microSD card.

Conceal provides an easy to use API … To encrypt data, you simply pass an output stream and get back a wrapped OutputStream which encrypts data as it is written to it. A similar abstraction is provided for an InputStream to decrypt data.

Facebook has released this code library as an open-source project, which enables third-party developers to take advantage of the added security for their app data. Apart from encrypting data, Conceal also enforces additional integrity checks that detect tampering with this data.
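To make the stream-wrapping pattern concrete, here is an added example (not code from the article or from WhatsApp) of how an Android app would write a file to external storage through Conceal and read it back. It follows Conceal’s published v1 API as this editor recalls it; the package names, the key-chain and native-library classes, and the `context`/`file` variables are assumptions to check against the project’s own README before use.

```java
// Added example, not from the original article. Assumes the Conceal v1 API:
// Crypto, Entity, SharedPrefsBackedKeyChain, SystemNativeCryptoLibrary.
import com.facebook.crypto.Crypto;
import com.facebook.crypto.Entity;
import com.facebook.crypto.keychain.SharedPrefsBackedKeyChain;
import com.facebook.crypto.util.SystemNativeCryptoLibrary;
import java.io.*;

public class ConcealFileStore {
    private final Crypto crypto;

    public ConcealFileStore(android.content.Context context) {
        // The key lives in the app's private SharedPreferences, never on
        // the (world-readable) microSD card alongside the ciphertext.
        crypto = new Crypto(new SharedPrefsBackedKeyChain(context),
                            new SystemNativeCryptoLibrary());
    }

    // Encrypts and authenticates `plaintext` as it is written to `file`.
    public void save(File file, byte[] plaintext) throws Exception {
        if (!crypto.isAvailable()) throw new IllegalStateException("Conceal native lib missing");
        OutputStream fileOut = new BufferedOutputStream(new FileOutputStream(file));
        // The Entity binds the ciphertext to a purpose so it cannot be
        // swapped in under a different file name; assumed label here.
        OutputStream encrypted = crypto.getCipherOutputStream(fileOut, new Entity("chat_db"));
        encrypted.write(plaintext);
        encrypted.close();   // flushes the authentication tag
    }

    // Decrypts `file`; the integrity check fires only once the stream has
    // been read to its end, so the whole file must be consumed before the
    // returned bytes are trusted (a truncated read skips the check).
    public byte[] load(File file) throws Exception {
        InputStream decrypted = crypto.getCipherInputStream(
                new FileInputStream(file), new Entity("chat_db"));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        try {
            while ((n = decrypted.read(buf)) != -1) out.write(buf, 0, n);
        } catch (IOException tampered) {
            // A modified or corrupted file fails verification here.
            throw new SecurityException("ciphertext failed integrity check", tampered);
        } finally {
            decrypted.close();
        }
        return out.toByteArray();
    }
}
```

The defensive point is the second comment: a caller that stops reading early never reaches the tag check, so treat partial reads as untrusted.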

What’s curious in the case of WhatsApp is why the developers did not choose a better method of storing and encrypting the app data of Android users. With Facebook’s recent acquisition of the chat app, however, expect the development team to quickly implement better encryption — most likely Conceal — to improve security.

Are you worried about privacy?

For now, users are advised to take precautions when using WhatsApp. Some might go as far as deleting app data and removing the app altogether, as a safeguard against malicious individuals or entities snooping on conversations. In the first place, WhatsApp is not exactly the most secure of apps. You’re better off using the likes of Telegram (with its secure chat feature) for secure personal chats. BBM, with its enterprise-grade security, is also an option. Organizations that require more secrecy might benefit from Silent Circle’s premium service.

It’s interesting how WhatsApp’s security flaw can be fixed by a solution provided by its new owner. What’s worrying is why the developers did not implement such safeguards in the first place, especially given mobile users’ paranoia over mobile privacy amid government eavesdropping.

8 Comments

  1. Indeed. WhatsApp has a larger user base. Having access to private chats of millions of users is something dangerous and unlawful.

  2. That’s an interesting observation. WhatsApp really should have looked into security heavily considering its millions of users.

  3. They’ll fix it soon. This is too big of an issue to ignore, otherwise, their reputation is in jeopardy.

  4. As you said, it’s going to be a quick fix with Facebook owning WhatsApp now. There’s no doubt that they’re taking care of this problem as quickly as they can, if they haven’t already fixed it.

  5. How come WhatsApp never realized this major security issue? Facebook should fix it. Or else, I’m moving over to Telegram!

  6. Well it is worrisome that your chats can be extracted and read by other people. Hope Facebook fixes this problem soon. The app is wonderful and I would hate to stop using it.

  7. You uninstalled WhatsApp only after one day’s use? That’s very interesting. Now that most people are using WhatsApp, you’ll be left out of the group chats if you are also not in there. But what you have done is good, fighting the instincts.

  8. All of my buddies got on the WhatsApp! bandwagon and I held back a bit. I tried it out for a day and then uninstalled it. I had a feeling I was going to miss something, but now it is all over the nerd news sites with issues.
