Thanks to last month’s big Facebook acquisition, WhatsApp has been attracting a lot of attention lately. While that should only help grow its already impressively large 450-million-person-strong user base, that extra attention also means that more people are placing the app under a critical light. Today we learn of a potential security vulnerability in how WhatsApp saves logs of your conversations; what exactly is the problem here, and is it one you need to be concerned about?
WhatsApp uses your phone’s SD card for storage (whether physical or a virtual part of the internal file system), and that’s where it keeps a database containing the content of past chats. Problem is, with the lax security Android affords SD card data, that database is quite easy for another app on your phone to read (and then, if it were malicious, to send your chat data to some remote server).
There are already steps in place to limit the impact, like encrypting the chat database, but the problem here is that WhatsApp appears to be using a fixed key, which is the same across all devices – know that, and the encryption’s a non-issue.
So currently, other apps on your phone (with a little bit of doing) can read your WhatsApp chat history – that’s it. As such, we’re inclined to treat this as a relatively minor vulnerability; if malware’s getting on your phone in the first place, as it would have to in order to take advantage of this hole, you’ve got larger problems to deal with.
Maybe WhatsApp could make things a little more difficult for potential attackers by using a device-specific key for encrypting the chat database, but even lacking that, we’re not too worried here.