Security flaw exposes WhatsApp chats on Android to theft

LONDON — Android users, beware. If you use WhatsApp, there is a possibility that the chats on your phone can be stolen.

A newly discovered security flaw in the Android version of WhatsApp — the instant messaging platform Facebook is purchasing for US$19 billion (S$24 billion) — allows another application to upload a user’s entire database of chats to a third-party server, without his consent. As detailed by Dutch security consultant Bas Bosschert, the flaw allows any Android application that has access to the device’s SD (Security Digital) card to read and upload WhatsApp’s database.

“The WhatsApp database is saved on the SD card, which can be read by any Android application if the user allows it to access the SD card,” Mr Bosschert says. “And as the majority of people allow everything on their Android device, this is not much of a problem.”

Opinion is split over whether Whats App or Android is more to blame for the flaw. Android’s policy of all-or-nothing access to the SD card is at odds with Apple’s far more controlled security on iOS devices, where every app is “sandboxed” in a way that prevents others from accessing its data.

But this breach is also the latest in a string of security holes at WhatsApp. In October, a security researcher showed that it was possible to decrypt messages as they were sent, using data gained through eavesdropping on the WhatsApp connection. The Guardian