Hit messaging app WhatsApp may not be as secure as its 450 million users believe, after an independent security consultant revealed a loophole that rogue app developers could use to steal Android users’ entire WhatsApp history.
“Facebook didn’t need to buy WhatsApp to read your chats,” says Dutch consultant Bas Bosschert in a blog post this week.
Bosschert says that WhatsApp saves its message database on the SD card (Android’s shared external storage), which potentially allows rogue apps to upload users’ entire WhatsApp database to remote web sites, according to Mashable’s report.
“People would only see a loading screen when they started the game,” Bosschert said in an email interview with Business Insider. “They wouldn’t notice that their WhatsApp database has been uploaded.”
Bosschert says that while WhatsApp stores the database in encrypted form, it can be decrypted with a short Python script that needs no per-user secret, so the encryption adds little protection. All an attacker would need to do is add the code from Bosschert’s post to an Android game; the game could then copy the entire database off the device and decrypt and read it remotely, provided the user granted the app permission to read the SD card.
“The WhatsApp database is saved on the SD card, which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem,” says Bosschert.
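The two points above (shared storage is readable by any app holding the SD-card permission, and encryption with a key that ships inside the app does not help) can be made concrete with a small model. The following is an added example written for this article; it is not Bosschert’s script and not WhatsApp code. The package names, file paths, permission names and the SHA-256 counter-mode keystream (a stand-in for a real cipher, not WhatsApp’s format) are all assumptions chosen for illustration.

```python
"""Model of why an encrypted database on the SD card is readable by a rogue app.

Added example, not from the article or from Bas Bosschert's post. All names,
paths and the toy cipher below are assumptions made for illustration only.
"""
import hashlib
import os
from typing import Dict, Set

# Two storage areas that matter on Android: shared external storage, readable by
# any app granted READ_EXTERNAL_STORAGE, and per-app private storage, readable
# only by the owning package.
EXTERNAL = "/sdcard/"
PRIVATE = "/data/data/"


class Device:
    """In-memory filesystem enforcing just those two access rules."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def _check(self, pkg: str, perms: Set[str], path: str, needed: str) -> None:
        if path.startswith(EXTERNAL):
            if needed not in perms:
                raise PermissionError(f"{pkg} lacks {needed}")
        elif not path.startswith(PRIVATE + pkg + "/"):
            raise PermissionError(f"{pkg} may not touch another app's private storage")

    def write(self, pkg: str, perms: Set[str], path: str, data: bytes) -> None:
        self._check(pkg, perms, path, "WRITE_EXTERNAL_STORAGE")
        self.files[path] = data

    def read(self, pkg: str, perms: Set[str], path: str) -> bytes:
        self._check(pkg, perms, path, "READ_EXTERNAL_STORAGE")
        return self.files[path]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher (SHA-256 keystream). Encrypt and decrypt are the same op."""
    out = bytearray(len(data))
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        chunk = data[i:i + 32]
        out[i:i + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


MESSENGER = "com.example.messenger"                       # hypothetical messaging app
GAME = "com.example.freegame"                             # hypothetical rogue game
DB_ON_SDCARD = "/sdcard/Messenger/Databases/msgstore.db.crypt"   # hypothetical path
DB_PRIVATE = PRIVATE + MESSENGER + "/databases/msgstore.db"
KEY_PRIVATE = PRIVATE + MESSENGER + "/files/db.key"

# A key compiled into the APK is recoverable by anyone who unpacks the APK, so the
# rogue game simply carries the same constant. Hypothetical value.
APP_SHIPPED_KEY = b"constant-baked-into-the-apk"

# Constructed sample chat history standing in for the real database contents.
CHAT = b"alice: dinner at 8?\nbob: yes, same place\n"


def scenario_static_key_on_sdcard(dev: Device) -> bytes:
    """The situation the article describes: encrypted DB on the SD card, key in the app."""
    dev.write(MESSENGER, {"WRITE_EXTERNAL_STORAGE"}, DB_ON_SDCARD,
              keystream_xor(APP_SHIPPED_KEY, CHAT))
    # The game only needs READ_EXTERNAL_STORAGE; in the real attack this blob is
    # what gets uploaded behind the loading screen and decrypted on the server.
    blob = dev.read(GAME, {"READ_EXTERNAL_STORAGE"}, DB_ON_SDCARD)
    return keystream_xor(APP_SHIPPED_KEY, blob)


def scenario_private_storage(dev: Device):
    """Fix 1: keep the database in app-private storage. Returns None when blocked."""
    dev.write(MESSENGER, set(), DB_PRIVATE, CHAT)
    try:
        return dev.read(GAME, {"READ_EXTERNAL_STORAGE"}, DB_PRIVATE)
    except PermissionError:
        return None


def scenario_per_install_key(dev: Device) -> bytes:
    """Fix 2: if the file must live on the SD card, encrypt it with a key that is
    generated on the device and kept in private storage, not shipped in the APK."""
    key = os.urandom(32)
    dev.write(MESSENGER, set(), KEY_PRIVATE, key)
    dev.write(MESSENGER, {"WRITE_EXTERNAL_STORAGE"}, DB_ON_SDCARD, keystream_xor(key, CHAT))
    # The game can still copy the blob, but has no key to decrypt it with.
    return dev.read(GAME, {"READ_EXTERNAL_STORAGE"}, DB_ON_SDCARD)


def run_all() -> Dict[str, bool]:
    return {
        "static_key_on_sdcard_leaks_plaintext": scenario_static_key_on_sdcard(Device()) == CHAT,
        "private_storage_blocked": scenario_private_storage(Device()) is None,
        "per_install_key_blob_unreadable": scenario_per_install_key(Device()) != CHAT,
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

The third scenario is only a partial fix: the rogue app can still see that the file exists, how large it is and when it changes, and anything that can read the messenger’s private storage (a rooted device, a backup) also gets the key. Keeping the database out of shared storage altogether is the stronger option.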
WhatsApp has a history of security concerns, as discussed by ESET Distinguished Researcher Aryeh Goretsky in an in-depth article on the messaging service in the wake of Facebook’s purchase of the company for $19 billion.
“One of the main attractions to users of WhatsApp has been claims of its ability to offer secure, private communications between people. However, if that is the case, security and privacy have gotten off to a slow start in WhatsApp,” Goretsky writes, noting that governments on three continents have taken note of privacy concerns relating to the messaging service.
Author Rob Waugh, We Live Security