WhatsApp chats not as secret as you think

Mark Zuckerberg's $19bn darling, WhatsApp, isn't as secure as we thought: a Dutch researcher has found that chats can be accessed and read by other apps. Bas Bosschert has described a process by which the chat database can be read even if it's encrypted. His proof-of-concept, here, runs through the process. Here's the short …

COMMENTS

This topic is closed for new posts.
  1. Charles Manning

    "Isn't as secret as you think"

    Ok, own up...

    Which numpties out there thought it was secret?

    1. Anonymous Coward

      Re: "Isn't as secret as you think"

      Mark Zuckerberg's $US19-billion darling, WhatsApp, isn't as secure as we thought: a Dutch researcher has found that chats can be accessed and read by other apps.

      Indeed. The very assumption that WhatsApp is "secure" is preposterous. Secure from what and whom? Any details on how the App was developed? Did they make a statement on it being secure in memory, transport, what?

      1. Anonymous Coward 101

        Re: "Isn't as secret as you think"

        The claim "WhatsApp isn't as secure as we thought" does not presume that WhatsApp security was any good.

        1. GBE

          Re: "Isn't as secret as you think"

          "The claim "WhatsApp isn't as secure as we thought" does not presume that WhatsApp security was any good."

          No, but it does presume that we _thought_ WhatsApp security was something other than completely and utterly non-existent. Nobody with half a clue thought that _before_ they were acquired by Facebook, and there's certainly no doubt after becoming part of Facebook (even for those totally sans clue).

  2. as2003

    Did anyone think WhatsApp was secure?!

    They have a notoriously bad track record. Prior to August 2012, messages weren't even encrypted!

  3. Joe 48

    Shock Horror!

    Nope, standard.

  4. Anonymous Coward

    That's exactly what Facebook paid for...

    .... being able to access all your messages...

    1. Amorous Cowherder
      Facepalm

      Re: That's exactly what Facebook paid for...

      Oh come on, what utter dipstick down-voted this?!

      Take a bite of the reality pie! As LDS above has said, this is the one and only reason Zuck wants WhatsApp: purely to get his greedy mitts on your privates and preferably a way through, via your phonebook, to all your mates' privates too!

  5. Robert Grant

    Crazy

    Why aren't all apps properly sandboxed? Boggles the mind.

    1. Anonymous Coward

      Re: Crazy

      What's your definition of proper? I personally want apps that can work with each other's data.

      I want to be able to save X from Y and open it in Z. It's the inability to do that which irritates me so much about iOS.

      All that's needed to 'fix' this is a concept of file permissions. It's all running on Linux; I can't imagine it's that difficult to add an API call to say this file is private and can only be read by apps in this family.

      But the thing is, if I buy a file manager app because I want to see what's stored on my phone, shouldn't that work? Shouldn't I be able to do what I like with the files, including read them?

      If WhatsApp wants their data private then they should take steps to protect it.

      1. Jonathan Richards 1

        Re: Crazy

        > this file is private and can only be read by apps in this family

        This is just what one uses users and groups for in a Unix-like environment. It's so odd that the security model for Android seems to ignore that heritage, or at least not to use it efficiently.

    2. Anonymous Coward

      Re: Crazy

      On iOS, they are.

      Relying on each individual application to re-invent their own implementation of something the OS should be doing is just stupid.

  6. Velv

    You get what you pay for...

    And I'm not knocking it, WhatsApp is good for a free app.

    But if you want secure communications you need to buy secure communications. There are plenty of companies out there that will sell you something to do the job (assuming you pass the government scrutiny of your case for secure communications).

    1. Fred Flintstone

      Re: You get what you pay for...

      If you like the functionality of WhatsApp, use Threema.

      That's secure, runs over Swiss servers and the guy who developed it actually has a clue about security.

    2. Roland6

      Re: You get what you pay for...

      >There are plenty of companies out there that will sell you something to do the job

      However, unless you've already passed government scrutiny these companies probably won't even speak to you in anything other than generalities - the fun and games of highly secure systems integration!

  7. Elmer Phud

    ooh, a squirrel

    Ah, there is evidence that this came with the product that Zuck bought.

    But that's not going to stop the 'another reason I've never used FB' whinges.

  8. Rob Crawford

    Strange

    It's funny how people expect storage on a phone to be sandboxed yet they don't expect it on a desktop or laptop for example. The developer should be looking after the saved data properly even if a sandbox is in place.

    Yet there's so much whining going on now that Google are restricting the ability to write to SD card, however and whenever a developer wants.

    No doubt sandboxing of data is on the way (now that KitKat permits automated cleanup of directories after an app is uninstalled)

    If I released such an application then the data would be encrypted right from the start and the encryption key would NOT be easily available.

    1. Jess--

      Re: Strange

      Maybe it's because on most mobile devices the user doesn't have direct access to the file system or the data stored without going through the installed app, so they assume that means it is only ever accessible through or by the app concerned.

      Compare that to a laptop or desktop environment where the user has access to the file system and can usually see what is being stored where and how.

      1. Irongut

        Re: Strange (Jess)

        Actually, since Android has the largest market share and it does not have iOS's stupid no-access-to-the-file-system policy, this is not the case. On most mobile devices the user has full access to the file system; they just need to install a file manager app. And it should stay that way: if it's my phone I should have access to it.

        1. Seanie Ryan

          Re: Strange @Irongut

          Yes, yes, that's what YOU want, maybe not what others want. Entitled to your opinion etc, but I'd suggest you are most likely in denial about the actual usage of all that Android market share. Most have not got a clue what a file manager is about, or why they would want it.

          Techies are a small, small minority, yet their arrogance leads them to think that the rest of the world SHOULD think and buy EXACTLY like they would.

          Disclaimer?: Yes, I am a techie. I learned many years ago not to give a crap what someone wants as a phone/laptop/OS. I just only work on what I want. If they don't have it, I don't help.

          Simple way to look at things: if the device/OS doesn't do what you want it to do, get something else. Other people are quite happy with device A; that's their choice. You are as equally wrong to them as they are to you.

          Except in my case where I am more right. :-)

          1. BristolBachelor
            Trollface

            Re: Strange

            "yes, yes, thats what YOU want, maybe not what others want."
            Indeed. What I want is sandboxed data. If I save a spreadsheet attachment from an email, I don't want no other app reading it; certainly not Excel! And when I've finished writing my monthly progress report in Word, I don't want another app to be able to read it either.

            Oh, and those pictures should only be available to the camera app. Not the Photoshopmini app, not a gallery app; only the camera app!

            Nurse! I think my meds are wearing off!

            1. Werner McGoole
              Facepalm

              Re: Strange

              It's an interesting sleight of hand. On a desktop with no Android-like permissions, any program that started reading data it hadn't written and calling home with it would be called spyware and the antibodies in your AV/security suite would be out to kill it.

              OTOH, by including permission settings on mobile devices, it comes to be assumed that if an app has a permission then it's justified in using it, even if it didn't actually need it. So adding something that apparently enhances privacy and security actually ends up reducing it. You'd almost think that was a deliberate move unless you knew better ;-)

        2. Jess--

          Re: Strange (Jess)

          Hmmm, so having to install a file manager app and then using that to gain access to the file system counts as direct access in your mind.

          In my mind, if I have to go and get something that is not included as standard in the device's operating system, it is not direct access.

    2. Anonymous Coward

      Re: Strange

      >If I released such an application then the data would be encrypted right from the start and the encryption key would NOT be easily available.

      You know something Information Theory doesn't?

      If your app can decrypt it, any app can decrypt it. The way you keep information safe from other users or other apps is through controlling access, not through smoke-and-mirrors "encryption" where the data and the key are kept in the same place.

  9. nsld
    Paris Hilton

    Zuckerberg didn't pay $18 billion

    For data he couldn't easily access to find out how to advertise to you.

    Why is anyone even surprised by this?

  10. Ketlan
    Thumb Down

    Pffft...

    I'd never even heard of WhatsApp before Zuckerberg threw his money at it, so I neither knew nor cared how secure (or otherwise) it was. Strangely enough, now it's part of the Facebook empire, I REALLY don't give a shit.

  11. Anonymous Coward

    "For Bosschert's attack to work, all that's required is that the user grants sufficient permissions to the malicious app. As he writes: 'since [the] majority of the people allows everything on their Android device, this is not much of a problem.'"

    Wait... so this "attack" requires someone to write an app that harvests the data of another app, somehow get it approved to go into an app store, convince the user to download it by making it appealing enough, avoid the inevitable police investigation (blame the cat), all so they can access teenagers' conversations about how "chantelle gave max a blowey behind the bikeshed in front of bobby and he totally got a stiffy and everything".

    Seems like a lot of effort and risk for pretty much no reward; it's not like state secrets are transferred using WhatsApp. At least I hope they aren't... shit, now I've scared myself.

    There's a time and a place to be worried about security and if you are then you wouldn't use a public messaging service anyway.

    1. Anonymous Coward

      Hot chat action!

      "chantelle gave max a blowey behind the bikeshed in front of bobby and he totally got a stiffy and everything".

      I got a bit of a semi myself reading that.
