Printed from http://www.electronista.com

WhatsApp backup chat logs vulnerable to Android developers, hackers

updated 02:45 pm EDT, Sun March 16, 2014

SD stored backup allows developers, hackers access with permission request

A security consultant has found a way for Android developers and hackers to access WhatsApp chat logs under a set of circumstances involving SD storage of the chat program's backup database. Developers whose apps need access to large storage on a device, or that request complete access, would be able to see the database once given permission through an app, while a hacker would be able to access the database using malicious software through the same channel.

Bas Bosschert uncovered the workaround after a conversation with his brother about the possibility of uploading and reading the chat logs from another Android application. On his blog, he details the process of using a PHP script, an Android application asking for phone access, a web server and some XML file edits to pull the data down from an Android device. From there, using a key readily available on the Internet, the downloaded database is pulled over to Excel, where the data is then decrypted with a Python script, revealing user chat history from the backup database WhatsApp writes to memory.

Since the loophole was outlined, WhatsApp has strengthened the encryption of its databases, moving away from a hard-coded key shared by all devices and instead using "the account name to create a device (account) unique encryption key," says Bosschert. Even with the increased encryption, the chat data could still be extracted with a few extra steps, which Bosschert again outlined in a follow-up post on his blog.

A spokesman for WhatsApp said in a statement to TechCrunch that Bosschert's claims "have not painted an accurate picture and are overstated."

It is true that the access happens because of the way Android is set up, and how it offloads larger files onto expandable memory. Most conditions would require malicious software, loaded specifically to compromise a device, in order to access the logs. Given current privacy and security concerns over data, however, this information could still be accessed by legitimate developers, unbeknownst to users, once their apps have been given access to at least the SD card.

Apple's iOS, on the other hand, doesn't suffer from the same sort of problem, since the operating system sets up each application within its own sandbox, generally not allowing apps to access data outside of it.



By Electronista Staff