Original URL: http://www.theregister.co.uk/2014/03/13/whatsapp_chats_not_as_secret_as_you_think/

WhatsApp chats not as secret as you think

Malicious apps can steal chat history

By Richard Chirgwin

Posted in Security, 13th March 2014 02:34 GMT

Mark Zuckerberg's $19bn darling, WhatsApp, isn't as secure as we thought: a Dutch researcher has found that chats can be accessed and read by other apps.

Bas Bosschert has described a process by which the chat database can be read even if it's encrypted. His proof-of-concept, here, runs through the process.

Here's the short version: Bosschert first created a php Web server to run on the target device, then with a bit more code work, he uploaded the WhatsApp message files to his own app – msgstore.db and wa.db for older versions, msgstore.db.crypt for newer versions.

If an attacker was to “combine it with something like FlappyBird and a description how to install applications from unknown sources,” he writes, “you can harvest a lot of databases”.

Code snippet WhatsApp vuln

Bas Bosschert has worked out how to read WhatsApp stored chats

For unencrypted stores, the work's already done. For newer versions of WhatsApp, he writes, decryption is already available from the WhatsApp Xtract backup tool.

For Bosschert's attack to work, all that's required is that the user grants sufficient permissions to the malicious app. As he writes: “ since [the] majority of the people allows everything on their Android device, this is not much of a problem.” ®