Popular messaging service WhatsApp has said that its security is just fine and that rumours about its Android security vulnerability have been ‘overstated’. Android’s mobile operating system has an apparent flaw that, researchers claim, allows cyber criminals to steal people’s conversations from WhatsApp.
Although WhatsApp has been updated to fix such weaknesses in the system, Bas Bosschert (CTO of Doublethink) showed on his blog how WhatsApp could still be penetrated. He believes there is still a liability within the system.
However, WhatsApp claims that these accusations are exaggerated. A WhatsApp spokesman commented, “We are aware of the reports regarding a ‘security flaw.’ Unfortunately, these reports have not painted an accurate picture and are overstated.” Bosschert thinks that the problem lies in how WhatsApp stores its database on Android. If it is saved on an SD card, any Android application can read it, provided the unknowing user allows that application access to the card.
Bosschert continued, “And since majority of the people [allow] everything on their Android device, this is not much of a problem”. This is probably not a problem with WhatsApp but rather a problem with Android’s data sandboxing system, a system that is a last line of defense against compromised applications.
A malicious application could gain access to WhatsApp’s conversation database. Bosschert tested the security by creating an app which uses a loading window that diverts the user’s attention while files are being uploaded.
WhatsApp has stated that if owners unknowingly download malware or viruses to their device, their phone may be at risk of having data stolen. But in fact, WhatsApp is not the reason for this.
A WhatsApp spokesman stated, “As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies.” Despite this, Bosschert has said that he can still penetrate and decrypt the database on an Android phone even with this update. He reasons, “We can simply decrypt this database using a simple python script. This script converts the [encrypted] database to a plain SQLite3 database. So, we can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases. Facebook didn’t need to buy WhatsApp to read your chats.”
Some of the privacy features WhatsApp has added are paying for a friend’s subscription and controls that allow users to ‘hide’ their profile picture and status updates from any potential snoopers. Although these don’t seem to be big changes, at least they will mollify users after Facebook bought out the company for $19 billion, which caused privacy fears among WhatsApp users.