According to a statement by Bas Bosschert, a Dutch security researcher, WhatsApp on Android stores its user database on the device's memory card with poorly secured encryption keys. This recently discovered flaw in the Android version of WhatsApp lets other apps upload a user's chat database to a third-party server without the user's consent.
The flaw stems from the way the operating system works and from lax security standards in WhatsApp itself. Android relies heavily on external storage, and data stored there is easily exposed to other apps. According to Bas, every Android app that is allowed access to the SD card can read the WhatsApp database, and since most users allow almost everything, it isn't much of a hassle.
Android plays an equally significant role in producing this flaw. As mentioned above, the weakness lies in the fact that the OS allows full access to the SD card, so any app can read what other apps have stored there. It was worse earlier, when WhatsApp stored its database on external storage without any encryption at all. Recent versions encrypt the database, but the key can be easily extracted using a third-party tool such as WhatsApp Xtract.
Now that we know that every WhatsApp database is readable, encrypted or not, it is of utmost importance to avoid such exposure. Users should be picky about allowing or installing a suspicious app from a source that cannot be trusted. A typical example of such an app is a clone of Flappy Bird. A word of advice: routinely check for launchers asking for permission to access the SD card. Bas finally adds, “Facebook didn’t need to buy WhatsApp to read your chats”.
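The permission check advised above, as an added example (not code from the original article or from Bas Bosschert): it parses permission listings in the format printed by `aapt dump permissions` and flags apps that can both read the SD card and reach the network. The package names and the sample listing are constructed for illustration.

```python
import re

# Permissions relevant to the flaw described above (real Android permission names).
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.WRITE_EXTERNAL_STORAGE"}  # write access implies read
NETWORK = "android.permission.INTERNET"

# Constructed sample: concatenated `aapt dump permissions <apk>` output for three
# hypothetical packages, covering both the quoted and the unquoted output style.
SAMPLE = """\
package: com.example.birdclone
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
package: com.example.flashlight
uses-permission: android.permission.CAMERA
uses-permission: android.permission.INTERNET
package: com.example.filemanager
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

PKG_RE = re.compile(r"^package:\s*(\S+)")
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)")

def parse_permissions(text):
    """Return {package: set(permissions)} from aapt-style permission dumps."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), set())
        elif current is not None and (m := PERM_RE.match(line)):
            current.add(m.group(1))
    return apps

def classify(perms):
    """Rate an app's ability to read shared storage and send data off the device."""
    can_read = bool(perms & STORAGE)
    if can_read and NETWORK in perms:
        return "read+upload"
    return "read-only" if can_read else "none"

def audit(text):
    """Map each package in the listing to its exposure rating."""
    return {pkg: classify(p) for pkg, p in parse_permissions(text).items()}

if __name__ == "__main__":
    for pkg, risk in sorted(audit(SAMPLE).items()):
        print(f"{risk:12} {pkg}")
```

Apps rated `read+upload` are the ones worth reviewing first, since they hold both halves of what the described theft requires.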
This raises the dilemma of who is to blame: WhatsApp or Android. Android is open source and functions as such, allowing a wide range of independent developers to build apps on its platform. In comparison, Apple has better control over such security issues on iOS devices, where all apps are restricted from accessing each other’s data.
Reportedly, a researcher showed earlier that it is possible to decrypt messages as they are sent using just the data gained through the WhatsApp connection. It has also been pointed out that this latest flaw is part of a game that started years back. Other factors also come into play, such as multiple users having physical access to the phone or device running WhatsApp.
The open nature of Android allows millions of developers around the globe to work on it, as opposed to the strictness of Apple or Windows, but it also opens up avenues for flaws at different levels, a trade-off that we have to live with.