Printed from http://www.electronista.com

WhatsApp backup chat logs vulnerable to Android developers, hackers

updated 02:45 pm EDT, Sun March 16, 2014

SD stored backup allows developers, hackers access with permission request

A security consultant has found a way for Android developers and hackers to access WhatsApp chat logs under a set of circumstances involving SD card storage of the chat program's backup database. A developer whose app needs access to large storage on a device, or requests complete access, would be able to see the database once the user grants that permission, while a hacker would be able to reach the database through the same channel using malicious software.

Bas Bosschert uncovered the workaround after a conversation with his brother about the possibility of uploading and reading the chat logs from another Android application. On his blog, he details the process of using a PHP script, an Android application asking for phone access, a web server and some XML file edits to pull the data down from an Android device. From there, using a key readily available on the Internet, the downloaded database is pulled over to Excel, where the data is then decrypted with a Python script, revealing the user's chat history from the backup database WhatsApp writes to memory.

Since the loophole was outlined, WhatsApp has strengthened the encryption of its databases, moving away from a single hard-coded key for all devices and instead using "the account name to create a device (account) unique encryption key," says Bosschert. Even with the stronger encryption, the chat data could still be extracted with a few extra steps, which Bosschert again outlined in a follow-up post on his blog.

A spokesman for WhatsApp says in a statement to TechCrunch that Bosschert's claims "have not painted an accurate picture and are overstated."

It is true that the access happens because of the way Android is set up, and how it offloads larger files onto expandable memory. In most cases, accessing the logs would require malicious software loaded specifically to compromise the device, but given current privacy and security concerns over data, this information could still be accessed by legitimate developers, unbeknownst to users, once their apps are given access to at least the SD card.
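The exposure described above depends on which apps hold shared-storage access, which can be audited from their manifests. The following is an added example, not code from the article or from Bosschert's posts: it assumes manifests already decoded to text XML, uses constructed sample manifests and package names, and assumes API level 19 as the default device version.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# WRITE_EXTERNAL_STORAGE implicitly grants read access as well.
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}
INTERNET = "android.permission.INTERNET"

def _manifest(package, *perms):
    """Build a constructed sample manifest; perms are (name, maxSdkVersion or None)."""
    rows = "".join(
        '<uses-permission android:name="%s"%s/>' % (
            name, ' android:maxSdkVersion="%d"' % max_sdk if max_sdk else "")
        for name, max_sdk in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, rows))

# Constructed samples (hypothetical packages, not real apps).
WRITE = "android.permission.WRITE_EXTERNAL_STORAGE"
READ = "android.permission.READ_EXTERNAL_STORAGE"
SAMPLES = [
    _manifest("com.example.game", (WRITE, None), (INTERNET, None)),
    _manifest("com.example.notes", (READ, None)),
    _manifest("com.example.legacy", (WRITE, 18), (INTERNET, None)),
    _manifest("com.example.clock"),
]

def effective_permissions(manifest_xml, device_api):
    """Permissions the app requests on a device running API level device_api."""
    requested = set()
    for el in ET.fromstring(manifest_xml).iter("uses-permission"):
        max_sdk = el.get(ANDROID + "maxSdkVersion")
        if max_sdk is not None and device_api > int(max_sdk):
            continue  # request does not apply above maxSdkVersion
        requested.add(el.get(ANDROID + "name"))
    return requested

def assess(manifest_xml, device_api=19):
    """Classify how exposed files on shared (SD) storage are to this app."""
    perms = effective_permissions(manifest_xml, device_api)
    package = ET.fromstring(manifest_xml).get("package")
    if perms & STORAGE and INTERNET in perms:
        return package, "can read shared storage and send data off-device"
    if perms & STORAGE:
        return package, "can read shared storage"
    return package, "no shared-storage access requested"

def audit(manifests, device_api=19):
    """Map package name to verdict for a list of decoded manifests."""
    return dict(assess(m, device_api) for m in manifests)
```

Apps in the first category are the ones worth reviewing first, since they combine the ability to read a backup on the SD card with a network path to send it elsewhere.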

Apple's iOS, on the other hand, doesn't suffer from the same sort of problem, since the operating system sets up each application within its own sandbox, generally not allowing apps to access data outside of it.



By Electronista Staff