updated 02:45 pm EDT, Sun March 16, 2014
SD stored backup allows developers, hackers access with permission request
A security consultant has found a way for Android developers and hackers to access WhatsApp chat logs under a set of circumstances involving the chat program's backup database being stored on the SD card. Developers whose apps need access to large storage on a device, or that request complete access, would be able to see the database once given permission through an app, while a hacker would be able to access the database through the same channel using malicious software.
Bas Bosschert uncovered the workaround after a conversation with his brother about the possibility of uploading and reading the chat logs from another Android application. On his blog he details the process, which uses a PHP script, an Android application asking for phone access, a web server and some XML file edits to pull the data down from an Android device. From there, using a key readily available on the Internet, the downloaded database is pulled over to Excel, where the data is then decrypted with a Python script, revealing the user's chat history from the backup database WhatsApp writes to memory.
Since the loophole was outlined, WhatsApp has strengthened the encryption of its databases, moving away from a hard-coded key used for all devices and instead using "the account name to create a device (account) unique encryption key," says Bosschert. Even with the increased encryption, the chat data could still be extracted with a few extra steps, which Bosschert again outlined in a follow-up post on his blog.
A spokesman for WhatsApp says in a statement to TechCrunch that Bosschert's claims "have not painted an accurate picture and are overstated."
It is true that the access happens because of the way Android is set up, and how it offloads larger files onto expandable memory. In most conditions, accessing the logs would require malicious software to be loaded that specifically seeks to compromise a device. Given current privacy and security concerns over data, however, this information could still be accessed by legitimate developers, unbeknownst to users, once they are given access to at least the SD card.
Apple's iOS, on the other hand, doesn't suffer from the same sort of problem, since the operating system sets up each application within its own sandbox, generally not allowing apps to access data outside of it.