1 Comment

Summary:

WhatsApp is challenging a security report claiming weakness in its Android app, calling the threat “overstated” and the report inaccurate.

WhatsApp Android voice

WhatsApp, the mobile messaging company recently acquired by Facebook for $16 billion, said Thursday that reports of a security flaw in its system were “overstated”, 

Earlier this week, tech consultant and CTO at DoubleThink Bas Bosschert released a report warning that an exploit in the app’s Android encryption would enable another app to access WhatsApp chat transcripts and use them for any purpose. The key to the hack, according to Bosschert, is that WhatsApp uses a phone’s SD card to store messages, which “can be read by any Android application if the user allows it to access the SD card.”

However, WhatsApp denies that Bosschert’s methods are accurate, and said in a statement (via TechCrunch):

“We are aware of the reports regarding a ‘security flaw.’ Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk. As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies. The current version of WhatsApp in Google Play was updated to further protect our users against malicious apps.

In short, the company claims it’s not WhatsApp’s security problem — any user who downloads a malicious app that can access other information on the SD card is always at risk of losing information to hackers, WhatsApp’s data included.

I have reached out to WhatsApp, and will update this story once I receive more information.

  1. Try this one as a flow:
    https://github.com/tgalal/yowsup/issues/234

    According to this, WhatsApp hides a special key in WhatsApp/Profile Pictures/.nomedia on the SD card.
    This key can be used to register WhatsApp without going through SMS verification. Although the file is encrypted, the link above claims to contain code to decrypt it.

    One can imagine an Android malware that reads this file of user’s devices and allows the malware’s author to hijack the WhatsApp account (register with the same phone number – but on another device).

    Share

Comments have been disabled for this post