Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

WhatsApp co-founder and CEO Jan Koum speaking at Mobile World Congress last month. AP Photo/Manu Fernandez

Security flaw on Android version of WhatsApp could leave user chats exposed

The flaw would allow another app to access a user’s entire database of chats by accessing their SD card.

A SECURITY FLAW in the Android version of WhatsApp, which allows another application to upload a user’s chats without permission, was discovered.

Bas Bosschert, a security consultant from Holland, found a loophole which would allow third-party app developers to gain access to a user’s entire message database.

Since WhatsApp backs up its chat history and stores it on an Android device’s SD card, any app developer which asks for access to a phone’s SD card can then read and upload WhatsApp’s database. According to Bosschert:

The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since [the] majority of people allow everything on their Android device, this is not much of a problem.

Android only allows developers full access to the SD card storage or none at all. Any application that can read and write to the external storage can also read what other applications are stored there.

While later versions of WhatsApp encrypt the database, they use a key which can be easily extracted from the app using third-party tools like WhatsApp Xtract.

This isn’t the first time WhatsApp has been at the centre of security concerns. Back in October, Thijs Alkemade, a computer science and mathematics student at Utrecht University in the Netherlands, found that WhatsApp’s ingoing and outgoing messages were encrypted with the same key.

This meant that by intercepting a message, you could cancel out the key and recover the plain text by analysing them

Read: WhatsApp apologises after ‘server issues’ affect millions worldwide >

Read: The knock-on effect: WhatsApp rival adds 8m users in 4 days >

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Close
7 Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.
    JournalTv
    News in 60 seconds