NEW DELHI: If you use WhatsApp on an Android phone, you should be careful about what you talk about or share on the instant messaging app. Using a few scripts and a rogue app, anyone can peer into your chat logs and see what you talk about with your friends.
A Dutch security consultant has found that WhatsApp chat logs saved on the SD card of an Android phone can be read by other apps because of the way Android allows sharing of data between apps.
“The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem,” Bas Bosschert wrote on his blog.
“What do we need to steal someone’s WhatsApp database? First we need a place to store the database,” Bosschert explained. “Next thing we need is an Android application which uploads the WhatsApp database to the website.”
When an Android application is installed, whether from the Play store or through an APK file (an installer file for Android phones that can be downloaded from various sources), the app requests permissions to use the network, the SD card and so on.
To explain his hack, Bosschert set up a web server and then created an Android application that required several special permissions on a user’s phone. But because the Android OS allows applications to access various parts of the phone – this is why users can conveniently share almost everything through any app on an Android phone – Bosschert’s app had no difficulty gaining access to WhatsApp data.
Bosschert wrote that the code that allows his application to access WhatsApp data and then upload it to his web server can be added to a popular Android app by a rogue developer to fool users and steal WhatsApp chat logs.
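A defender's check for the condition described above, added here as an example and not taken from Bosschert's post: it reads an app's decoded AndroidManifest.xml and flags apps that request both SD card and network access. The sample manifests and package names are constructed, and mapping "SD card" and "network" to the READ/WRITE_EXTERNAL_STORAGE and INTERNET permissions is an assumption.

```python
import xml.etree.ElementTree as ET

# Namespace of the android:name attribute in a decoded AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the article's "SD card" and "network" permissions.
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}
NETWORK = "android.permission.INTERNET"

# Constructed sample manifests (not real apps).
SAMPLE_GAME = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Free Game"/>
</manifest>"""

SAMPLE_CLOCK = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.clock">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Clock"/>
</manifest>"""


def audit_manifest(manifest_xml):
    """Report whether an app requests both SD card and network access."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    storage = sorted(requested & STORAGE)
    network = NETWORK in requested
    # A flag means "review this app", not "malicious": many legitimate
    # apps request both permissions.
    return {"package": root.get("package"), "storage": storage,
            "network": network, "flagged": bool(storage) and network}


def flagged_packages(manifests):
    """Return package names of the manifests that request both."""
    reports = [audit_manifest(m) for m in manifests]
    return [r["package"] for r in reports if r["flagged"]]
```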
The older versions of WhatsApp were so insecure that they didn’t even encrypt the data they stored on the SD card. The data from older versions of WhatsApp could be read by anyone once it was uploaded to the web server. Even the data from newer versions of WhatsApp, which use encryption, can be accessed with ease.
“The WhatsApp database is a SQLite3 database which can be converted to Excel for easier access. Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite. But we can simply decrypt this database using a simple python script. This script converts the crypted database to a plain SQLite3 database,” wrote Bosschert. “We can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases.”
Bosschert joked, “Facebook didn’t need to buy WhatsApp to read your chats.”
The security issue apparently doesn’t exist on iPhones or Windows Phone devices because on these smartphones, apps have limited access to storage and other phone hardware. The more flexible access to phone hardware allows Android apps to talk to each other and helps a user quickly share content between apps. This is very convenient compared to what is possible on iPhone or Windows Phone, where it is difficult to share content between apps. But it also exposes data to rogue apps.
Google says that it keeps an eye on apps inside its Play store and removes apps if they pose any security risks. But this doesn’t negate the fact that theoretically it is possible for a rogue app to do more damage on Android because of the open nature of the OS compared to iOS, which uses silos. Google also advises people against installing apps that don’t come through Play store. By default Android phones are set to not install apps downloaded outside the Play store.