WhatsApp is one of the most widely used apps by Android users, so it should be one of the safest, right? But that's not the way things work. According to digital security consultant Bas Bosschert, a flaw in the application makes it possible to steal conversations between users.
Apparently, the problem allows other applications to access the message history of users of Google's OS. According to Bosschert, who published his own method for accessing WhatsApp conversations, the vulnerability still exists, even after a major Android app update released yesterday.
How the failure works:
Because WhatsApp saves its database to the SD card, the database can be read by any other Android app that the user has allowed to access the card. This leaves the conversation history extremely vulnerable, since many people accept any kind of permission without even checking the type of access they are allowing.
Although the instant messaging service uses an encryption system, the consultant says that the message content is still easily obtained through a conversation backup application that can be created by another developer. The problem is that WhatsApp uses the same encryption key in all cases, when it would be safer to create new encryption keys for each user.
Incidentally, the issue can also be viewed as a problem in the Android OS infrastructure, as iOS users reportedly need not worry about it. Apple's software does not allow access to data outside the app's own sandbox, which prevents hackers from manipulating user data using dummy applications.
Once again, I reinforce that paying attention to the permissions you are giving an application before downloading it is extremely important to prevent your data from falling into the wrong hands.
So far, the WhatsApp / Facebook team has not commented on the issue raised by Bas Bosschert. According to Google's advisory, the flaw seems to be in the design of WhatsApp, and developers are already working to provide a corrective update for the problem.
Updated at 23h (Brasilia time) – The WhatsApp team contacted AndroidPIT and stated the following regarding the issue reported by Bas Bosschert:
We are aware of the news about a "security breach". Unfortunately, these reports do not represent an accurate picture and are exaggerated. Under normal circumstances, data from a microSD card is not exposed. However, if a user downloads malware or a virus, the phone will be at risk. As always, we recommend that WhatsApp users install all software updates to ensure they have the latest security fixes, and we strongly encourage users to download trusted software from reputable companies. The current version of WhatsApp on Google Play has been updated to further protect our users from malicious applications.