
Security flaw on Android version of WhatsApp could leave user chats exposed

The flaw would allow another app to access a user’s entire database of chats by accessing their SD card.

WhatsApp co-founder and CEO Jan Koum speaking at Mobile World Congress last month.
Image: AP Photo/Manu Fernandez

A SECURITY FLAW in the Android version of WhatsApp, which allows another application to upload a user’s chats without permission, has been discovered.

Bas Bosschert, a security consultant from Holland, found a loophole which would allow third-party app developers to gain access to a user’s entire message database.

Since WhatsApp backs up its chat history and stores it on an Android device’s SD card, any app developer who asks for access to a phone’s SD card can then read and upload WhatsApp’s database. According to Bosschert:

The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since [the] majority of people allow everything on their Android device, this is not much of a problem.

Android only allows developers full access to the SD card storage or none at all. Any application that can read and write to the external storage can also read what other applications have stored there.

While later versions of WhatsApp encrypt the database, they use a key which can be easily extracted from the app using third-party tools like WhatsApp Xtract.

This isn’t the first time WhatsApp has been at the centre of security concerns. Back in October, Thijs Alkemade, a computer science and mathematics student at Utrecht University in the Netherlands, found that WhatsApp’s incoming and outgoing messages were encrypted with the same key.

This meant that by intercepting messages, you could cancel out the key and recover the plain text by analysing them.


About the author:

Quinton O'Reilly
