Bad news: If you use WhatsApp on Android, your chats are not secure

Are you a user of WhatsApp on any Android device? You should be careful about what you talk about or share on the instant messaging app.

Using a few scripts and a rogue app, anyone can peer into your chat logs and see what you talk about with your friends.

This has been revealed by a Dutch security consultant who said that WhatsApp chat logs saved on the SD card of an Android phone can be read by other apps because of the way Android allows sharing of data between apps.

“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem,” Bas Bosschert wrote on his blog.

“What do we need to steal someone’s WhatsApp database? First we need a place to store the database,” Bosschert explained. “Next thing we need is an Android application which uploads the WhatsApp database to the website.”

When an Android application is installed, whether from the Play store or through an APK file (an installer file for Android phones that can be downloaded from various sources), the app requests permissions to use the network, the SD card and so on.

Bosschert set up a web server and then created an Android application that required several special permissions on a user’s phone. But because Android OS allows applications to access various parts of the phone – this is why users can conveniently share almost everything through any app on an Android phone – Bosschert’s app had no difficulty gaining access to WhatsApp data.

He wrote that the code that allows his application to access WhatsApp data and then upload it to his web server can be added to a popular Android app by a rogue developer to fool users and steal WhatsApp chat logs.
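The permission combination described above (SD card access together with network access) can be audited from an app's decoded `AndroidManifest.xml`. The following is an added example, not code from Bosschert or from the original article; the package names and sample manifests are constructed, and it assumes the manifests have already been decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# WRITE_EXTERNAL_STORAGE implicitly grants read access as well.
STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
NETWORK = "android.permission.INTERNET"


def requested_permissions(manifest_xml):
    """Return (package name, set of requested permissions) for one manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return root.get("package"), {n for n in names if n}


def can_read_and_upload_sdcard(manifest_xml):
    """True when the app requests SD card access together with network access."""
    _, perms = requested_permissions(manifest_xml)
    return bool(perms & STORAGE) and NETWORK in perms


def audit(manifests):
    """Return the sorted package names holding the storage + network pair."""
    return sorted(
        requested_permissions(m)[0] for m in manifests if can_read_and_upload_sdcard(m)
    )


def _sample(package, *perms):
    # Builds a constructed, minimal manifest for the demonstration below.
    body = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="%s">%s</manifest>' % (package, body)
    )


# Constructed sample data: hypothetical apps, not real packages.
SAMPLE_MANIFESTS = [
    _sample("com.example.flashlight", "android.permission.CAMERA"),
    _sample("com.example.game", "android.permission.READ_EXTERNAL_STORAGE", NETWORK),
    _sample("com.example.notes", "android.permission.WRITE_EXTERNAL_STORAGE"),
    _sample("com.example.wallpaper", "android.permission.WRITE_EXTERNAL_STORAGE", NETWORK),
]

if __name__ == "__main__":
    for package in audit(SAMPLE_MANIFESTS):
        print("review:", package, "can read the SD card and reach the network")
```

A flagged app is not necessarily malicious; the audit only narrows down which installed apps are in a position to do what the article describes.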

Older versions of WhatsApp were so insecure that they didn’t even encrypt their data stored on the SD card. The data from older versions of WhatsApp could be read by anyone once it was uploaded to the web server.

Even the data from newer versions of WhatsApp, which use encryption, can be accessed with ease.

“The WhatsApp database is a SQLite3 database which can be converted to Excel for easier access. Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple python script. This script converts the crypted database to a plain SQLite3 database,” wrote Bosschert. “We can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases.”

However, the security issue apparently doesn’t exist on iPhones or Windows Phone devices because on these smartphones, apps have limited access to storage and other phone hardware. The more flexible access to phone hardware allows Android apps to talk to each other and helps a user quickly share content between apps.

This is very convenient compared to what is possible on iPhone or Windows Phone, where it is difficult to share content between apps. But it also exposes data to rogue apps.

Source: Times of India