By John Gruber
Due — never forget anything, ever again.
Ingrid Lunden, writing for AOL/TechCrunch:
WhatsApp — the popular messaging app with 465 million users acquired by Facebook for $19 billion last month — came under fire earlier this week after tech consultant Bas Bosschert published a blog post explaining how malicious developers can access your messages via the microSD card, and the post went viral (yes, we wrote about it, too).
Now, WhatsApp has responded — perhaps unsurprisingly, to refute the weight of the information. A spokesperson tells us the reports “have not painted an accurate picture and are overstated.” He also notes that the latest version in Google Play was updated with further security protection.
The original blog post (and follow-up) make for an interesting read. The gist of it, as I understand it, is that if WhatsApp is configured to store your message history on your phone, it uses the SD card (or, on devices without an SD card, the general file system). Any other app with access privileges to the file system can then read WhatsApp’s history database. The file is encrypted, but this Python script will decrypt it.
That any app with SD card access privileges can read anything on the SD card is not a bug — that’s how Android is designed to work. Android is more like Mac OS X or Windows in this regard than iOS (on iOS, all file storage is sandboxed, and apps can only read and write to their own sandbox). It seems like a problem, though, that WhatsApp’s encryption has been cracked.
Mac apps worked liked this for decades — all apps had complete access to any file owned by the current user. Today, apps from the Mac App Store are sandboxed by default, as a defense against just this sort of thing. But apps from outside the Mac App Store still have read/write access to your entire home folder.
★ Tuesday, 18 March 2014