Android WhatsApp security flaw allows download of messages

12 Mar 2014

A flaw has been discovered in the Android version of WhatsApp that supposedly lets a third party access a user’s messages and download them onto a server without the user’s knowledge.

Bas Bosschert, a Dutch security consultant, made the discovery. Bosschert saw that, with a little coding trickery, it was relatively straightforward to download a person’s messages in one bulk download.

In his blog post, Bosschert explains how people’s lack of security settings on their phone means that they are leaving their phone open to this problem: “The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card, and as the majority of people allow everything on their Android device, this is not much of a problem.”

Currently, an Android user can either allow apps to have access to the SD card in the phone or not at all; no individual app can be given specialised access or restrictions.

With access to the SD card, an app developer can download this data and place it on their own server.
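The combination described above, storage access plus a way to send data off the device, can be checked for before an app is installed. The following is an added example, not code from the article or from Bosschert's post: it audits a decoded `AndroidManifest.xml` for that combination, and the package names and sample manifests in it are constructed.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",  # write access also grants read
}
NETWORK = "android.permission.INTERNET"


def audit(manifest_xml):
    """Flag an app that can both read the SD card and reach the network."""
    root = ET.fromstring(manifest_xml)
    perms = {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }
    storage = sorted(perms & STORAGE)
    network = NETWORK in perms
    return {
        "package": root.get("package"),
        "storage_permissions": storage,
        "network": network,
        # Either permission alone is not enough to copy files to a server.
        "flag": bool(storage) and network,
    }


# Constructed sample manifests (hypothetical packages, not real apps).
SAMPLE_GAME = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

SAMPLE_NOTES = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_GAME, SAMPLE_NOTES):
        print(audit(sample))
```
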

This is not the first time a flaw has been found in WhatsApp’s security: last October it was shown that, simply by monitoring a message as it was transferred between its servers, a person could easily decrypt its contents.

Colm Gorey was a senior journalist with Silicon Republic
