Andre Yoskowitz
12 Mar 2014 21:57
It has been discovered that popular cross-platform messenger WhatsApp has a vulneranability that could make Android users susceptible to their conversations being read by other apps.
Even with the company's major update for Android this week, Bas Bosschert, CTO at DoubleThink, has posted a method to accessing WhatsApp chats, using an exploit in the service's encryption.
Bosschert (via TCrunch) explains how it works:
"WhatsApp for Android stores conversations on the phone's SD card, which is accessible by many other apps on the phone as long as the user gives those apps the permissions they ask for (many apps ask for full access to the phone). This is an infrastructure issue for Android more than a gaping security flaw on the part of WhatsApp.
From there, a malicious app could access the WhatsApp conversation database. Savvy users will note that this is hardly a hack but more of a problem with Android's data sandboxing system."
The CTO built a test app to try out his method, using a distracting splash screen to entertain users while their conversations were being taken. More recently, WhatsApp has patched the database to block the SQLite hack, but Bosschert built his own custom Python script which can once again decrypt the database.