WhatsApp co-founder and CEO Jan Koum speaking at Mobile World Congress last month. AP Photo/Manu Fernandez
Loophole

Security flaw on Android version of WhatsApp could leave user chats exposed

The flaw would allow another app to access a user’s entire database of chats by accessing their SD card.

A SECURITY FLAW in the Android version of WhatsApp, which allows another application to upload a user’s chats without permission, has been discovered.

Bas Bosschert, a security consultant from Holland, found a loophole which would allow third-party app developers to gain access to a user’s entire message database.

Since WhatsApp backs up its chat history and stores it on an Android device’s SD card, any app developer who asks for access to a phone’s SD card can then read and upload WhatsApp’s database. According to Bosschert:

The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since [the] majority of people allow everything on their Android device, this is not much of a problem.

Android only allows developers full access to the SD card storage or none at all. Any application that can read and write to the external storage can also read what other applications have stored there.

While later versions of WhatsApp encrypt the database, they use a key which can be easily extracted from the app using third-party tools like WhatsApp Xtract.

This isn’t the first time WhatsApp has been at the centre of security concerns. Back in October, Thijs Alkemade, a computer science and mathematics student at Utrecht University in the Netherlands, found that WhatsApp’s incoming and outgoing messages were encrypted with the same key.

This meant that by intercepting messages, you could cancel out the key and recover the plain text by analysing them.
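
Why one key for both directions "cancels out", and what separate per-direction keys change, shown as an added example that is not from the article or from WhatsApp. It assumes messages are encrypted by XOR with a keystream; the SHA-256 counter keystream, the `direction_key` helper and the sample messages are constructed stand-ins.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (stand-in, not WhatsApp's cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, len(plaintext)))

def direction_key(session_key: bytes, label: bytes) -> bytes:
    """Mitigation: derive an independent key per direction (hypothetical helper)."""
    return hmac.new(session_key, label, hashlib.sha256).digest()

def demo():
    session_key = b"constructed-session-key"      # constructed sample value
    outgoing = b"meet at the usual place 8pm"     # constructed sample messages
    incoming = b"ok, see you there at eight!"

    # Weak: both directions use the same key, hence the same keystream.
    c_out = encrypt(session_key, outgoing)
    c_in = encrypt(session_key, incoming)
    # XOR of the two ciphertexts equals XOR of the two plaintexts: key is gone.
    weak_leak = xor(c_out, c_in) == xor(outgoing, incoming)
    # Knowing one message then yields the other without the key.
    recovered = xor(xor(c_out, c_in), outgoing)

    # Hardened: a separate key per direction; the keystreams no longer cancel.
    c_out2 = encrypt(direction_key(session_key, b"client->server"), outgoing)
    c_in2 = encrypt(direction_key(session_key, b"server->client"), incoming)
    fixed_leak = xor(c_out2, c_in2) == xor(outgoing, incoming)
    return weak_leak, recovered, fixed_leak

if __name__ == "__main__":
    weak_leak, recovered, fixed_leak = demo()
    print("same key leaks p1^p2:", weak_leak)
    print("recovered incoming:", recovered)
    print("per-direction keys leak p1^p2:", fixed_leak)
```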
