Eek! Android WhatsApp database can be stolen and shared by other apps
The Android version of WhatsApp, the cross-platform messaging tool recently snapped up for $19 billion by Facebook, contains a security flaw that means its chat database could be accessed by any app and uploaded to a web server without user knowledge or intervention. It's not clear whether this vulnerability has yet been exploited, but a proof-of-concept attack by Bas Bosschert (consultant, sysadmin and entrepreneur) shows that it is not only possible, but also incredibly simple. To cut to the chase, the answer to the question posed by Bas' brother, "is it possible to upload and read the WhatsApp chats from another Android application?", is "yes, that is possible".
In order for an "attack" to be successful, a user must have granted the app access to the SD card. As Bas points out, "since [a] majority of the people allow everything on their Android device, this is not much of a problem" for an attacker to overcome. Assuming this setting has been enabled, there really is very little work to be done. With a web server at hand, it is quite easy to create an app that seeks out WhatsApp's database and uploads it ready for perusal.
Depending on the version of WhatsApp that is installed, the database could be encrypted, or it may not be. Ultimately it does not really matter, as decryption can be simply accomplished. What does cracking open the database reveal? A full, comprehensive chat history. Bas sums up by saying "Facebook didn’t need to buy WhatsApp to read your chats." This may be a slightly cynical way of looking at things, but when security is so lax, cynicism is entirely understandable.
So what’s the solution? At this stage, the problem arises because of the way Android works. Data stored on the SD card is not sandboxed per app, so once one particular app has been granted access to the SD card, it is able to access data also stored there by other apps, regardless of whether this is appropriate or not. Of course, an app needs to be coded that specifically seeks out other apps' data, but this is neither difficult to imagine nor difficult to achieve. Addressing the issue would involve changing the way Android operates at quite a low level, so it's not clear how long it would take Google to fix -- or even if there are any plans to.
It does highlight the fact that IM services are poor means of communication when dealing with sensitive information, but it is unlikely that this latest revelation will do much to change people's habits.