WhatsApp users should be careful when downloading Android apps. If you don’t read an app’s permissions attentively before installing, your WhatsApp chat history could end up in a stranger’s hands, according to one IT specialist from the Netherlands.
Bas Bosschert, a technical consultant with more than 10 years’ experience working with Linux and Unix, explained how developers can trick WhatsApp users into granting access to their entire message database. Since WhatsApp backs up messages on your phone’s SD card, apps can easily access this information if granted permission to do so. This data can then be uploaded to the developer’s personal Web server.
Bosschert’s blog post details how to create these types of apps. The Netherlands-based technical consultant says that if the code shown in his screenshots was added to an Android game, it could be used to extract a WhatsApp user’s database.
“People would only see a loading screen when they started the game,” Bosschert said in an email to Business Insider. “They wouldn’t notice that their WhatsApp database has been uploaded.”
Security concerns surrounding WhatsApp aren’t new, but have been attracting more attention since Facebook acquired the text messaging alternative last month. According to Thijs Alkemade, a computer science and mathematics student at Utrecht University in the Netherlands, WhatsApp’s incoming and outgoing messages are encrypted with the same key. This means that if an attacker intercepts these messages, he or she can analyse them to cancel out the key and recover the plain text, Alkemade wrote in a blog post from October.
Google currently bans apps that “collect information without the user’s knowledge” from entering its Play store, but that hasn’t stopped some apps from slipping through the cracks. In 2012 a Redditor spotted apps from an unknown source posing as popular games in Google Play, such as Imangi Studios’ Temple Run.
Security breaches such as the one outlined in Bosschert’s post can be easily avoided by verifying an app’s source and carefully reading an app’s permissions before installing.