
WhatsApp backup chat logs vulnerable to Android developers, hackers

updated 02:45 pm EDT, Sun March 16, 2014

SD stored backup allows developers, hackers access with permission request

A security consultant has found a way for Android developers and for hackers to access WhatsApp chat logs under a set of circumstances involving SD storage of the chat program's backup database. Developers who need access to large storage on a device or request complete access would be able to see the database once given permission through an app, while a hacker would be able to access the database using malicious software through the same channel.

Bas Bosschert uncovered the workaround after a conversation with his brother about the possibility of uploading and reading the chat logs from another Android application. On his blog, he details the process of using a PHP script, an Android application asking for phone access, a web server and some XML file edits to pull the data down from an Android device. From there, using a key readily available on the Internet, the downloaded database is pulled over to Excel, where the data is then decrypted with a Python script, revealing user chat history from the backup database WhatsApp writes to memory.

Since the loophole was outlined, WhatsApp has strengthened the encryption of its databases, moving away from a hard-coded key shared by all devices and instead using "the account name to create a device (account) unique encryption key," says Bosschert. Even with the stronger encryption, the chat data could still be extracted with a few extra steps, which Bosschert again outlined in a follow-up post on his blog.

A spokesman for WhatsApp said in a statement to TechCrunch that Bosschert's claims "have not painted an accurate picture and are overstated."

It is true that the access happens because of the way Android is set up, and how it offloads larger files onto expandable memory. Most conditions would require malicious software, loaded specifically to compromise a device, in order to access the logs. Given current privacy and security concerns over data, however, this information could still be accessed by legitimate developers, unbeknownst to users, once they have been given access to at least the SD card.

Apple's iOS, on the other hand, doesn't suffer from the same sort of problem, since the operating system sets up each application within its own sandbox, generally not allowing apps to access data outside of it.

by MacNN Staff


