WhatsApp still hasn’t responded to our inquiry regarding the existence of a security hole that can be leveraged by hackers to obtain users’ private chats with the aid of other Android applications, but the company has responded to TechCrunch.
The company says it’s not as bad as it sounds.
“We are aware of the reports regarding a ‘security flaw’. Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk,” WhatsApp representatives have told TechCrunch.
Basically, WhatsApp is saying that if users grant permissions to a malicious app, they’re already in trouble, so their private chats being exposed should be the least of their concerns.
Furthermore, the company highlights the fact that the latest version of WhatsApp includes some enhancements to further protect users against malicious applications.
However, in a comment posted to his original advisory, Bas Bosschert, the security consultant who raised concerns about the issue, claims that his proof-of-concept also works on the latest version of the app.
It’s true that in the latest variant private chats are encrypted, but the information can still be retrieved by any Android app that’s granted permission to access the SD card after it's decrypted.
What Bosschert has found isn’t a completely new issue, and malicious Android apps such as the one he has described are not uncommon.
Back in December 2013, Google removed a game called Balloon Pop 2 from Google Play. The game in question was designed to steal private WhatsApp conversations and upload them to a website.