If you’re chatting in WhatsApp, you may not want to say anything too private. Double Think chief technology officer Bas Bosschert has discovered a glaring security flaw sure to put frowns on plenty of people’s faces.
Here’s what’s wrong: When you back up your WhatsApp data, possibly because you want to install the app on another device, the back-up goes to the WhatsApp database, which is saved on your phone’s SD card. Rather than make a unique code for each user, WhatsApp uses the same encryption code for everyone. This spells bad news for users since, in theory, a developer can make an app that can decrypt and gain access to that data. So long as you grant the app the permissions it asks for, your messages will be exposed in all their glory and possibly uploaded to third-parties.
Bosschert tested the theory by developing a companion app, and used a loading screen while the app acquired the database files and uploaded them. Unfortunately, the app succeeded in doing so, with Bosschert reporting that, even with yesterday’s WhatsApp for Android update, the security flaw still exists.
For reference, the iOS version of the app does the same thing, but Apple prevents access to the sandbox WhatsApp creates when storing data.
We have no idea when or if a fix is coming. Until then, chat casual.