科技回声

A technology news platform built on Next.js, providing global technology news and discussion content.

© 2025 科技回声. All rights reserved.
Any Android app can read your WhatsApp database

267 points, by mathias, about 11 years ago

23 comments

pinaceae, about 11 years ago
19bn $.

No way anyone else at FB could have built this app and given it away for free for years for that price.

No way. Totally worth it. 19bn $.

Sequoia's deck on the amazing scaling of 32 devs supporting that many users? Well, guess what, they did it through taking shortcuts. Who would have guessed. Totally flabbergasted.
kllrnohj, about 11 years ago
Holy shit, the SAME AES key is used for everyone? Good god WhatsApp, what the fuck are you doing?
izacus, about 11 years ago
Storing critical data to external storage (which is clearly explained as insecure in http://developer.android.com/guide/topics/data/data-storage.html#filesExternal) is a huge security hole. This kind of basic oversight makes me wonder about the base competence of WhatsApp developers - anyone with a basic understanding of the OS would get that anyone can read external storage.
mncolinlee, about 11 years ago
As an Android developer, the real hole here is being able to read the encryption key. Jelly Bean 4.3 adds the potential for "secure key storage", which only works if the user is not smart or persistent enough to break the obfuscation by using the application itself with a debugger and a rooted phone. There is no fully safe method to store keys on a device if the attacker can gain access to the same device.
nchlswu, about 11 years ago
I thought WhatsApp had a history of horrendous security?
Nux, about 11 years ago
Whatsapp's security is "legendary": http://tinyurl.com/nenaht8
anoncow, about 11 years ago
Does this happen on Windows Phone devices as well? While WP allows reading and writing to the SD card, it provides isolated storage for apps (which is a source of much pain). While I am not sure about how Android handles storage for apps, there should be a middle ground where users can explicitly permit apps to read protected storage data of other apps. WP disallows storage data sharing between apps, leading to limited functionality. (This is not related to the article, just a WP rant.)
LaSombra, about 11 years ago
I am flabbergasted they still didn't improve it properly...

Let's hope Facebook helps their development team.
JelteF, about 11 years ago
From the title I thought the current database. But it's just the by-default daily created backup.

I remember writing a rooted script for Tasker to get the actual messages to my Pebble, since WhatsApp still doesn't expose them through their notifications.

I fired an SQL query at their SQLite database every time a notification from WhatsApp came in to see what the new message actually contained.
hagope, about 11 years ago
Wait a second... my SD card folder contains a folder called DCIM which includes all my camera photos... are you suggesting that all my images are available to any app that includes SD card permissions?
delecti, about 11 years ago
Unless I'm mistaken, any application can read the device's SMS database if given the appropriate permission (and few users are very discerning with regards to permissions).

To an end-user, WhatsApp is essentially an SMS application, except it doesn't use SMSs. Given that, this doesn't seem like the end of the world.
baby, about 11 years ago
> if the user allows it to access the SD card. And since the majority of people allow everything on their Android device

1. So basically, if you're installing an app AND you're allowing the app to access all of your phone (and its dirty secrets)

2. I don't see why WhatsApp would encrypt the chats (I might be very wrong on this one); isn't it better if we can access them offline through a computer if the phone crashes?

3. Bigger picture: at first, dividing permissions and asking the user to accept them was a good idea, but now we tend to accept anything because in the end we want to use the app. Same problem with Facebook login and Google login, where we tend to accept whatever info websites request just to get to the app.
bobbles, about 11 years ago
Considering apps like this exist: https://play.google.com/store/apps/details?id=com.androidappetizers.whatstat

it seems pretty obvious that this was the case.
gress, about 11 years ago
One of the great advantages of Android is that it permits developers to do things like this. Let's not get upset about it when mistakes happen. Users can always choose a different app if they dislike the behavior.
pritambaral, about 11 years ago
OT, but the AES write(decrypt(open())) in Python as done in the post seems to be padding the decrypted data with extra bits to match up in size with the source.

OpenSSL's aes-192-ecb gives me a slightly shorter, but well-formed db.
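The size difference the commenter observes is the PKCS#7 padding at the end of the last block: a raw block-cipher decrypt returns it, while `openssl enc` validates and strips it. The following plain-Java program, an added example rather than code from the post, reproduces both behaviours with `javax.crypto` and a throwaway random AES-192 key: decrypting with `NoPadding` yields the plaintext plus the padding bytes, decrypting with `PKCS5Padding` (Java's name for PKCS#7 on 16-byte blocks) yields the exact original, and a hand-written `unpad` shows what the stripping step checks. The plaintext and the class name are constructed for the example; ECB is used only because it is the mode named in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added example: why a NoPadding decrypt is a few bytes longer than the original plaintext. */
public final class PaddingDemo {
    // ECB matches the cipher named in the thread; it is not a recommendation for new designs.
    static final String PADDED = "AES/ECB/PKCS5Padding";
    static final String RAW = "AES/ECB/NoPadding";
    static final int BLOCK = 16;

    static byte[] run(String transformation, int mode, byte[] key, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        c.init(mode, new SecretKeySpec(key, "AES"));
        return c.doFinal(in);
    }

    /** Validates and strips PKCS#7 padding: last byte n in 1..16, and the last n bytes all equal n. */
    static byte[] unpad(byte[] block) {
        if (block.length == 0 || block.length % BLOCK != 0) {
            throw new IllegalArgumentException("not a whole number of blocks");
        }
        int n = block[block.length - 1] & 0xff;
        if (n < 1 || n > BLOCK) {
            throw new IllegalArgumentException("bad padding length");
        }
        for (int i = block.length - n; i < block.length; i++) {
            if ((block[i] & 0xff) != n) {
                throw new IllegalArgumentException("bad padding bytes");
            }
        }
        return Arrays.copyOf(block, block.length - n);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[24];                 // AES-192, constructed throwaway key
        new SecureRandom().nextBytes(key);
        // Constructed 20-byte plaintext: not a multiple of 16, so padding is needed.
        byte[] plain = "twenty-byte example!".getBytes(StandardCharsets.US_ASCII);

        byte[] ct = run(PADDED, Cipher.ENCRYPT_MODE, key, plain);     // 32 bytes on the wire
        byte[] viaRaw = run(RAW, Cipher.DECRYPT_MODE, key, ct);       // 32 bytes: text + 12 x 0x0c
        byte[] viaPkcs = run(PADDED, Cipher.DECRYPT_MODE, key, ct);   // 20 bytes, padding removed

        System.out.println("ciphertext=" + ct.length + " raw=" + viaRaw.length + " pkcs=" + viaPkcs.length);
        System.out.println("trailing byte of raw decrypt: 0x" + Integer.toHexString(viaRaw[viaRaw.length - 1] & 0xff));
        System.out.println("unpad(raw) == original: " + Arrays.equals(unpad(viaRaw), plain));
        System.out.println("pkcs decrypt == original: " + Arrays.equals(viaPkcs, plain));
    }
}
```

For a SQLite file the extra bytes land after the last page, which is why the longer file still opens but is "not quite right"; stripping the padding, or letting the library do it, gives the same well-formed database the commenter got from OpenSSL.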
EvilBanshee, about 11 years ago
This is nothing new - I've been using this app (https://play.google.com/store/apps/details?id=com.zegoggles.smssync) for ages to sync my SMS and call log to Gmail, and for the past year or so it's also been able to sync WhatsApp messages.
kzahel, about 11 years ago
I thought the way Android apps can lock down information away from other apps is that they are able to set permission bits for their own Unix "user" (e.g. each app gets its own user id). It's conceivable that WhatsApp simply set the permissions to be too open.
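Two comments in this thread describe the same boundary from different sides: izacus points out that anything written to external storage is readable by every app holding the SD-card permission, and kzahel notes that Android's real isolation comes from each app running as its own Unix user, with permission bits on its private files. The snippet below is an added example (not code from WhatsApp or the post) that shows both halves in Android Java: the weak pattern of writing a database backup under the shared external root, the hardened pattern of keeping it in the app's private directory with `MODE_PRIVATE`, and a small audit walk that reports any file in the app's data directory whose mode would let another UID read it. The file names, the `WhatsApp-like/Databases` path and the class name are assumptions; `Context.getDataDir()` needs API 24.

```java
import android.content.Context;
import android.os.Environment;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Added example: where a backup lives decides which UIDs can open it. */
public final class BackupStorage {

    // WEAK: the shared external root is world-accessible to any app granted
    // READ_EXTERNAL_STORAGE (on Android 4.x that was an install-time grant, not a runtime prompt).
    public static File weakBackupPath(String name) {
        return new File(Environment.getExternalStorageDirectory(), "WhatsApp-like/Databases/" + name); // assumed path
    }

    // HARDENED: the app's private data directory is owned by the app's own UID and created
    // non-world-readable by the platform, so another (non-root) app cannot open files in it.
    public static File privateBackupPath(Context ctx, String name) {
        // getNoBackupFilesDir() also keeps the file out of cloud/adb backup; use getFilesDir() if that is wanted.
        return new File(ctx.getNoBackupFilesDir(), name);
    }

    public static void writePrivate(Context ctx, String name, byte[] data) throws IOException {
        // MODE_PRIVATE yields a file readable only by this app's UID; the deprecated
        // MODE_WORLD_READABLE is the "permissions too open" mistake kzahel describes.
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }

    /** Audit check: every regular file under dir whose mode bits grant read to "others". */
    public static List<File> worldReadableFiles(File dir) throws ErrnoException {
        List<File> found = new ArrayList<>();
        File[] children = dir.listFiles();
        if (children == null) {
            return found;
        }
        for (File f : children) {
            if (f.isDirectory()) {
                found.addAll(worldReadableFiles(f));
            } else {
                StructStat st = Os.stat(f.getPath());
                if ((st.st_mode & OsConstants.S_IROTH) != 0) {
                    found.add(f);
                }
            }
        }
        return found;
    }

    /** Tightens any offending file found by the audit to owner read/write only. */
    public static void fixPermissions(Context ctx) throws ErrnoException {
        for (File f : worldReadableFiles(ctx.getDataDir())) {
            Os.chmod(f.getPath(), 0600);
        }
    }
}
```

Running `worldReadableFiles(ctx.getDataDir())` from a debug build or an instrumentation test is a cheap regression check that no later change (a library writing a cache, a legacy `MODE_WORLD_READABLE` call) has quietly reopened the hole; note it cannot cover external storage at all, because files there are shared by design and the fix is not to put sensitive data there in the first place.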
arsupertec, about 11 years ago
This is actually ridiculous because having this much largest app in android market and this type of bug can kill all of their audience.... must have to aware from now..
barbs, about 11 years ago
> I used this webserver with a simple php script.

"webserver" is a hyperlink, but it just links back to the blog. Anyone know what he's referring to here?
sidmkp96, about 11 years ago
This is where something like https://github.com/facebook/conceal will help.
rahij, about 11 years ago
Can't any app access all SMSs too, in an easier manner? WhatsApp is a similar app, so why hold it to different standards?
sebastianavina, about 11 years ago
What is an AES key?