WhatsApp, the mobile messaging company recently acquired by Facebook for $16 billion, said Thursday that reports of a security flaw in its system were “overstated”,
Earlier this week, tech consultant and CTO at DoubleThink Bas Bosschert released a report warning that an exploit in the app’s Android encryption would enable another app to access WhatsApp chat transcripts and use them for any purpose. The key to the hack, according to Bosschert, is that WhatsApp uses a phone’s SD card to store messages, which “can be read by any Android application if the user allows it to access the SD card.”
However, WhatsApp denies that Bosschert’s methods are accurate, and said in a statement (via TechCrunch):
“We are aware of the reports regarding a ‘security flaw.’ Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk. As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies. The current version of WhatsApp in Google Play was updated to further protect our users against malicious apps.
In short, the company claims it’s not WhatsApp’s security problem — any user who downloads a malicious app that can access other information on the SD card is always at risk of losing information to hackers, WhatsApp’s data included.
I have reached out to WhatsApp, and will update this story once I receive more information.