Security consultant Bas Bosschert picked up on the flaw in a blog post on Tuesday, where he detailed how WhatsApp – which was acquired by Facebook for US$16 billion last month – saves private messages onto the phone or tablet's Secure Digital (SD) card, which could be intercepted if the developer of another Android application asks the user to permission to access the SD card when downloading the app.
This is a common practice for most mobile applications, across Android, iOS and Windows, with permissions often including access to SMS messages, the phone's contact book or to cellular data.
Bosschert, CTO at DoubleThink and a technical consultant with more than 10 years' experience working with Linux and Unix, suggested that user permissions are a weakness in the users' armour and added that developers could well take these personal messages, decrypt them – using some Python script and even OpenSSL - and send them to their own web servers.
“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem.”
“…We can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases. Facebook didn't need to buy WhatsApp to read your chats.”
Bosschert urges users to verify the app source and read application permissions before installing, in order to avoid a loss of personal information. He added that the flaw was still present despite the fact that WhatsApp had updated the Android app on 11 March.
In response to the news, Paco Hope – principal consultant at Cigital – said that this latest issue is proof that mobile developers need to catch up with the latest security features.
“The fundamental problem with the WhatsApp database, which is virtually identical to the problem with the RSA Security Conference App [which was also reported leaky earlier this month], is that data on a mobile device is not protected in any way more sophisticated than if it was on garden variety PC,” Hope told SCMagazineUK.com.
“Many technologies are being developed first on the mobile, or exclusively on mobile devices and it is mistakenly assumed that the mobile device or its application store add some layer of security. We know how to build secure software. Banks and independent software vendors have pioneered techniques like architecture risk analysis (which would have found this flaw), static code analysis, and penetration testing (the most belated and expensive way to find this flaw),” he added.
“Mobile developers need to apply and evolve the security techniques we have learned over the last three decades.”
WhatsApp may be one of the up-and-coming private messaging apps right now - along with Viber and Snapchat, but its ascent has been in part tainted by privacy and security fears.
Thijs Alkemade, a computer science and mathematics student at Utrecht University in the Netherlands, claimed last October that WhatsApp's ingoing and outgoing messages are encrypted with the same key – meaning attackers could potentially intercept and recover messages – while in late January it was revealed that the app breached privacy laws by asking subscribers for access to their contacts, and by storing every phone number.