Monday, March 24, 2014

Android WhatsApp Liable to Theft

Security researchers have just discovered a security flaw in the Android version of WhatsApp: the app stores the user database on the SD card with poorly secured encryption keys, which can allow another app to upload your entire database of chats to a third-party server without your consent.

The flaw in question stems from the Android OS’s handling of external storage coupled with the app’s lax security standards. Security experts point out that the flaw allows any Android app with access to the phone’s SD card to read and upload WhatsApp’s database. Taking into account that the majority of users allow everything on their Android device, obtaining that access isn’t much of an obstacle for such an app.

Android’s fault is that the OS only allows all-or-nothing access to the SD card. This means that any app able to read and write to the external storage can also access data other apps store there. Not only does WhatsApp keep its database on that external storage; its earlier versions do so without any encryption at all. Later versions encrypt the database, but they do so with a key that can be easily extracted from the app. As a result, any app can read the WhatsApp database and recover the chats from the encrypted databases.

So, what’s the way out? To avoid the risk of having your chats stolen, be wary of granting suspicious apps access to your SD card. It is still unclear whether WhatsApp or Android itself is more to blame for the vulnerability. Android’s policy of allowing total access to the external storage differs from Apple’s far more controlled security on iOS devices. Apple “sandboxes” each app in a way that prevents others from accessing its data.
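The storage pattern described above beside a hardened form, as an added example that is not code from the original post or from WhatsApp; the class name, file names and key alias are hypothetical. Android’s internal storage (`getFilesDir()`/`openFileOutput`) is per-app sandboxed by UID, much like the iOS sandbox the article mentions, and the Android Keystore (API 23+) keeps the key out of the APK entirely.

```java
import android.content.Context;
import android.os.Environment;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class ChatDbStore {                 // hypothetical class
    private static final String KEY_ALIAS = "chat-db-key"; // hypothetical alias

    // WEAK (the pattern the article describes): the database sits on shared
    // external storage, readable by any app holding SD-card access. Encrypting
    // it with a constant compiled into the APK adds nothing, because the
    // constant can be pulled out of the APK and reused.
    static void saveWeak(byte[] dbBytes) throws Exception {
        File dir = new File(Environment.getExternalStorageDirectory(), "ExampleChat/Databases");
        dir.mkdirs();
        try (FileOutputStream out = new FileOutputStream(new File(dir, "chats.db"))) {
            out.write(dbBytes);                  // world-readable via the SD-card permission
        }
    }

    // HARDENED: app-private internal storage (no SD-card permission reaches it)
    // plus an AES-GCM key generated inside the Android Keystore, which is
    // non-exportable and never exists as a literal in the app's code.
    static void saveHardened(Context ctx, byte[] dbBytes) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadOrCreateKey()); // Keystore picks a fresh random IV
        byte[] iv = c.getIV();                           // 12-byte GCM nonce
        byte[] ct = c.doFinal(dbBytes);                  // ciphertext + 16-byte tag
        try (FileOutputStream out = ctx.openFileOutput("chats.db.enc", Context.MODE_PRIVATE)) {
            out.write(iv.length);   // nonce length, then nonce, then ciphertext
            out.write(iv);
            out.write(ct);
        }
    }

    private static SecretKey loadOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) return (SecretKey) ks.getKey(KEY_ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }
}
```

Decryption reads the nonce back and initialises the same cipher with `new GCMParameterSpec(128, iv)`; the tag check then also detects tampering with the file.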

In the meantime, Android’s openness allows developers to create apps which can’t be run on an iOS device, but it opens up the risk of flaws like this one. This isn’t the only security hole in WhatsApp, by the way. A few months ago, security researchers proved it was possible to decrypt sent messages using data gained by eavesdropping on the WhatsApp connection.

Moreover, one of the flaws which enabled this latest attack has been known about for at least a year, because the tool used to decrypt the database was released back in 2012. This is probably why Germany’s privacy regulators recommended this past February that all WhatsApp users switch to a more secure service.
