
Any Android app can read your WhatsApp database - mathias
http://bas.bosschert.nl/steal-whatsapp-database/
======
pinaceae
19bn $.

No way anyone else at FB could have built this app and given it away for free
for years for that price.

No way. Totally worth it. 19bn $.

Sequoia's deck on the amazing scaling of 32 devs supporting that many users?
well, guess what, they did it through taking shortcuts. Who would have
guessed. Totally flabbergasted.

~~~
weixiyen
So much jelly in this comment. They obviously made good product decisions to
get to this point. A few blips along the way will happen, when you are
focusing on much more important things.

Your entire SMS history is available to any app with permissions. Most people
don't even know that, or are not bothered by it. This is literally feature
parity with default SMS. WhatsApp is about messaging that is simple and
functional. Security is not even a main selling point.

If you want security, there are apps for that. Good luck getting your friends
to use it.

~~~
doktrin
> _Security is not even a main selling point._

Didn't the founder specifically cite growing up under an oppressive regime as
a key motivation behind WhatsApp?

~~~
visakanv
Hrm. I'm torn both ways. I think a world with whatsapp is less oppressive than
a world without whatsapp, even if people can spy on it, tap into it, etc-
because it allows people to communicate where they previously might not have
been able to. A world with secure whatsapp would, of course, be even better
than a world with insecure whatsapp.

~~~
doktrin
> _I think a world with whatsapp is less oppressive than a world without
> whatsapp, even if people can spy on it, tap into it, etc- because it allows
> people to communicate where they previously might not have been able to._

That's a fair stance. I don't have strong feelings vis a vis WhatsApp, so this
is more of a general statement :

I think the illusion of secure communication is more dangerous than insecure
communication. People who think they can't be spied on will expose themselves
in ways they otherwise wouldn't.

~~~
visakanv
I agree with that. I think it's important to always assume that your
communications are insecure.

------
kllrnohj
Holy shit, the _SAME_ AES key is used for everyone? Good god WhatsApp, what
the fuck are you doing?

~~~
sentenza
What's troubling is, that their security track record has been abysmal from
the start. In that regard, the acquisition sends entirely the wrong message.

~~~
stingraycharles
What message does it send, other than valuation not being based on the
reputation of technical superiority?

~~~
eropple
It sends a message that caring about your users' trust, that doing what's
right for them, is for suckers.

This is not a test of "technical superiority". This is working against your
users' best interests. One mistake is understandable, and sometimes
forgivable, but you don't bilge it twice so cavalierly if you rank on the
give-a-damn scale. (I say "cavalierly" because, as I noted elsewhere in this
thread, I can't shake the feeling that this is the result of a design
decision, not a technical failure.)

------
izacus
Storing critical data to external storage (which is clearly explained as
unsecure in
[http://developer.android.com/guide/topics/data/data-storage....](http://developer.android.com/guide/topics/data/data-storage.html#filesExternal))
is a huge security hole. This kind of basic
oversight makes me wonder about base competence of WhatsApp developers -
anyone with basic understanding of the OS would get that anyone can read
external storage.

~~~
DCKing
You are absolutely right.

Still, I think Google is taking the wrong approach: the insecure /sdcard
partition is the place where most of the storage is in nearly all Android
phones. If your app needs to store larger amounts of data, that is the place
to do it. Now, there are methods to use that storage a lot more securely than
this, but the way Android works really leaves developers no other option than
storing this stuff on the SD card.

Google should lock down access to the SD card even more, but they'll probably
cause an uproar and break many apps.

~~~
kllrnohj
> the insecure /sdcard partition is the place where most of the storage is in
> nearly all Android phones.

/sdcard and /data are on the same partition these days, you should just be
using the app's private folder if the data is sensitive in the slightest.
Which in this case it clearly is, and it's not even large data.

~~~
eropple
This is true on Nexus phones, but it's a mount point (not "emulated") on
Samsung or other SD-card-equipped phones, which I think--not sure--is more of
a majority.

~~~
kllrnohj
No, on Samsung & other SD-card-equipped phones /sdcard points to internal
storage and there's some other path, like /sdcard2, that points at the actual
SD card.

------
mncolinlee
As an Android developer, the real hole here is being able to read the
encryption key. Jelly Bean 4.3 adds the potential for "secure key storage"
which only works if the user is not smart or persistent enough to break the
obfuscation through using the application itself with a debugger and a rooted
phone. There is no fully safe method to store keys on a device if the attacker
can gain access to the same device.

~~~
giovannibajo1
Depends on the definition of "fully safe", or maybe "device". Extracting
keychain secrets from an iOS device requires brute-forcing the lock screen
password.

Bruteforcing the 4-pin digit is easy "math-wise", but complicated in practice
because you can't really access the data on the flash (not even dumping it, as
it's fully encrypted with a hardware key), and the device will not pair to a
new PC/Mac without first unlocking; so you would also need physical access to
a paired PC/Mac.

For the newest devices, fingerprints can't really be bruteforced (not because
of complexity, but because the hardware locks down burning its secret
after a few attempts) and Apple advises using a complex password as a fallback
for the fingerprint; basically the password is the real secret for encryption,
while the fingerprint hw just holds a temporary unlock secret which
selfdestroys if bruteforced; this is why the user is always required to enter
the password after a reboot.

Of course you might still have a 0-day root exploit to use if you're NSA (or
somebody with $300K to invest), and that's where I concede the "not fully
safe".

------
nchlswu
I thought WhatsApp had a history of horrendous security?

------
Nux
Whatsapp's security is "legendary":
[http://tinyurl.com/nenaht8](http://tinyurl.com/nenaht8)

~~~
biot
Please don't post mystery URLs. The above goes to this search:

[https://www.google.com/search?q=whatsapp+site:h-online.com](https://www.google.com/search?q=whatsapp+site:h-online.com)

------
anoncow
Does this happen on Windows Phone devices as well? While WP allows reading and
writing to the SD card, it provides isolated storage for apps (which is a
source of much pain). While I am not sure about how android handles storage
for apps, there should be a middle ground where users can explicitly permit
apps to read protected storage data of other apps. WP disallows storage data
sharing between apps leading to limited functionality. (this is not related to
the article, just a wp rant)

~~~
matt_heimer
Google switched to the isolated storage model (on the sd card) for KitKat -
[http://source.android.com/devices/tech/storage/](http://source.android.com/devices/tech/storage/).
Google has content providers so if an app wants to share data it can do so
[https://developer.android.com/guide/topics/providers/content...](https://developer.android.com/guide/topics/providers/content-provider-basics.html).
If you really want to do something unsafe like allow
direct file access to any folder then that is a reason to root your Android
phone. Then using an app like SuperSU you can grant root permission to an
application.

------
LaSombra
I am flabbergasted they still didn't improve it properly...

Let's hope Facebook helps their development team.

~~~
balladeer
As long as Facebook gets to read all those billions of "personal"
communications - messages, videos, audio, images - they are fine with
anything.

~~~
LaSombra
Are you... are you saying they are trying to copy... _Google_?!?

I am speechless by such a statement.

~~~
Yetanfou
Nah, of course not. They're copying Apple of course, everybody does after all?
iMessage, FaceTime, whatnot.

~~~
krrrh
Apple doesn't read or store iMessages.

~~~
gaadd33
Any proof of that? I know there was an article about how it encrypts each
message with the key of the device it is being sent to however I haven't seen
anyone audit it to be sure that it isn't adding an Apple key to that list.

------
JelteF
From the title I thought the current database. But it's just the by default
daily created backup.

I remember writing a rooted script for Tasker to get the actual messages to my
pebble, since WhatsApp still doesn't expose them through their notifications.

I fired an SQL query to their sqlite database every time a notification from
WhatsApp came in to see what the new message actually contained.

------
hagope
wait a second...my SD card folder contains a folder called DCIM which includes
all my camera photos... are you suggesting that all my images are available to
any app that includes SD card permissions?

~~~
jnbiche
Yes. There is no way on Android to give fine-grained directory-based access
permissions (unfortunately). So all SD card permitted apps can read the SD
card globally.

~~~
hagope
So why isn't HN up-in-arms about Google allowing Android apps access to all
your phone's un-encrypted images?!? That seems like a much bigger issue!

~~~
72deluxe
Since most desktops/PCs/Macs are now always online, why is nobody up in arms
that _any_ application has access to your home directory, your registry (HKCU
at very least) and your "My Documents" directory either?

This is basically what Android apps have access to when requesting STORAGE
permission.

Surely it is the same "problem"?

~~~
hagope
Yes, I agree. I'm not outraged at all, the lesson is to be careful when
accepting SD Storage permission on android...

------
delecti
Unless I'm mistaken, any application can read the device's SMS database if
given the appropriate permission (and few users are very discerning with
regards to permissions).

To an end-user, WhatsApp is essentially an SMS application, except it doesn't
use SMSs. Given that, this doesn't seem like the end of the world.

~~~
sp332
WhatsApp claims to keep your texts secret, and this is a big selling point.
They make privacy claims that go beyond normal SMS messages, and that's why
this is a big deal.

~~~
weixiyen
I've been using WhatsApp for years and seen many selling points, but security
has never been one. A link would help because I've never gotten the impression
that they were trying to sell security.

~~~
bennyg
[http://www.whatsapp.com/faq/en/general/21864047](http://www.whatsapp.com/faq/en/general/21864047)
- from their FAQ

~~~
skeg
WhatsApp communication between your phone and our server is encrypted.

...

Please be aware of who has physical access to your phone.

~~~
bennyg
Well yeah, encrypted with one AES key per user. That shit isn't secure.

------
baby
> if the user allows it to access the SD card. And since majority of the
> people allows everything on their Android device

1. So basically, if you're installing an app AND you're allowing the app to
access all of your phone (and its dirty secrets)

2. I don't see why whatsapp would encrypt the chats (I might be very wrong on
this one), isn't it better if we can access them offline through a computer if
the phone crashes?

3. Bigger picture: at first, dividing permissions and asking for the user to
accept them was a good idea, but now we tend to accept anything because in the
end, we want to use the app. Same problem with facebook login, google login,
where we tend to accept whatever info websites request just to get to the app.

~~~
giovannibajo1
There are endless good reasons for an app to request access to the SD card, so
I would say it's still very reasonable to trick anybody into accepting it.

The idea of handling the SD card as a global shared filesystem that totally
bypasses the application sandbox is a security disaster from the get go.
Fortunately, SD cards are on the way out, and Google doesn't even bother to
fix it at the system level since they're dropping it anyway at some point.

~~~
userbinator
> Fortunately, SD cards are on the way out,

I don't know about you, but I'd rather not sacrifice my freedom to manage
storage for a little temporary security...

------
bobbles
Considering apps like this exist:
[https://play.google.com/store/apps/details?id=com.androidapp...](https://play.google.com/store/apps/details?id=com.androidappetizers.whatstat)

it seems pretty obvious that this was the case

------
gress
One of the great advantages of android is that it permits developers to do
things like this. Let's not get upset about it when mistakes happen. Users can
always choose a different app if they dislike the behavior.

~~~
danielweber
This is actually good news . . .?

~~~
gress
Sure - consumers get to decide what tradeoffs they want, and the media assists
by exposing information that might not be otherwise available, as is happening
here.

------
pritambaral
OT, but AES write(decrypt(open())) in python as done on the post seems to be
padding the decrypted data with extra bits to match up in size with the
source.

OpenSSL's aes-192-ecb gives me a slightly shorter, but well-formed db.
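
The size difference described in the comment above is consistent with PKCS#7 padding, which the `openssl` command line strips by default and a raw block decrypt leaves on the end of the output. The following is an added example, not code from the linked post or from the commenter; the sample database is constructed and all function names are hypothetical.

```python
import struct

BLOCK = 16  # AES block size in bytes
SQLITE_MAGIC = b"SQLite format 3\x00"


def pkcs7_pad(data, block=BLOCK):
    """Pad as the encrypting side would; aligned input gains a full block."""
    n = block - len(data) % block
    return data + bytes([n]) * n


def pkcs7_unpad(data, block=BLOCK):
    """Strip PKCS#7 padding, rejecting anything that is not well-formed."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def sqlite_page_size(db):
    """Page size from the SQLite header: 2 bytes, big-endian, offset 16."""
    if len(db) < 100 or db[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database")
    (size,) = struct.unpack(">H", db[16:18])
    return 65536 if size == 1 else size


def is_whole_pages(db):
    """A well-formed database file is an exact number of pages long."""
    return len(db) % sqlite_page_size(db) == 0


def make_sample_db(page_size=1024, pages=2):
    """Constructed sample: real magic and page-size field, zero-filled pages."""
    header = SQLITE_MAGIC + struct.pack(">H", page_size)
    return header.ljust(page_size * pages, b"\x00")


if __name__ == "__main__":
    raw = pkcs7_pad(make_sample_db())   # stands in for a raw block decrypt
    print(len(raw), is_whole_pages(raw))
    trimmed = pkcs7_unpad(raw)
    print(len(trimmed), is_whole_pages(trimmed))
```

Because an SQLite file is already a multiple of 16 bytes, the padding is always one full extra block, which is why the unstripped output is exactly 16 bytes longer and no longer a whole number of pages.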

------
EvilBanshee
This is nothing new - I've been using this app
([https://play.google.com/store/apps/details?id=com.zegoggles....](https://play.google.com/store/apps/details?id=com.zegoggles.smssync))
for ages to sync my SMS and call log to Gmail, and for the past year or so,
it's also been able to sync Whatsapp messages.

------
kzahel
I thought the way android apps can lock down information away from other apps
is they are able to set permission bits to be for their own unix "user" (e.g.
each app gets their own userid). It's conceivable that WhatsApp simply set the
permissions to be too open.

~~~
izacus
Em, no - that can only be done in internal store "data" directories which are
usually formatted with UNIX filesystems and are by default secure (and cannot
be accessed by other apps at all).

WhatsApp is storing to external (on most devices FAT) storage (which was SD
card on older devices, it's usually a separate directory/partition on newer
ones) which does not have any ACL-like system due to FAT backwards
compatibility.

~~~
Pxtl
Honestly, the more I tinker with Android, the more I'm terribly disappointed
in Google. I mean, around Android 2 we were all excited by the potential of a
first-class big-money supported open-source OS to really shake up the
industry. It had so much potential.

Now? Well, it still has a lot of potential. Even Google seems kind of
embarrassed by it, compared to the Chrome brand.

~~~
css771
I've never seen Google put out that vibe. If anything they're proud of it. I'm
not sure what you mean. Can you elaborate?

~~~
Pxtl
I just mean how they use the "Chrome" branding on everything, even Android-
based devices like the Chromecast.

------
arsupertec
This is actually ridiculous because having this much largest app in android
market and this type of bug can kill all of their audience.... must have to
aware from now..

------
barbs
> _I used this webserver with a simple php script._

"webserver" is a hyperlink, but it just links back to the blog. Anyone know
what he's referring to here?

~~~
userbinator
What's his blog hosted on...?

------
sidmkp96
This is where something like
[https://github.com/facebook/conceal](https://github.com/facebook/conceal)
will help.

------
rahij
Can't any app access all SMSs too in an easier manner? Whatsapp is a similar
app, so why hold it to different standards?

------
sebastianavina
What is an AES Key?

~~~
skeg
If you think of encrypted data as being locked in a box, then the AES key is
the key that unlocks that box.

[http://en.wikipedia.org/wiki/Advanced_Encryption_Standard](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard)

