It should perhaps surprise no one that WhatsApp would release a statement that washes its hands of a recently reported security flaw. One is left wondering, however, if there is any truth to the company’s claims or if it’s simply applying age-old damage control techniques.
WhatsApp came under even more heat yesterday when reports of a security flaw in the instant messaging service’s Android app went viral. According to researcher and consultant Bas Bosschert, a user’s entire WhatsApp chat history is stored on the SD card in such an insecure fashion that, given the right permissions, malware masquerading as legitimate apps or games can easily get access to that private data. This revelation is definitely something WhatsApp can do without after its rather controversial acquisition by Facebook. Naturally, WhatsApp downplayed the findings, calling them overstated and inaccurate.
“We are aware of the reports regarding a “security flaw”. Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk. As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies. The current version of WhatsApp in Google Play was updated to further protect our users against malicious apps.”
It is interesting to note that WhatsApp isn’t categorically denying that it is possible to snatch the data as reported. It is just saying that under normal circumstances it would not be easy to do so, except via malware, which is actually the point of Bosschert’s disclosure. Probably no one will install an app that explicitly tries to extract their WhatsApp chat data, and any such exploit will most likely come from malicious software that users have unwittingly installed. WhatsApp now puts the onus on users to be careful when installing apps, and that advice is, of course, also true. That, however, doesn’t excuse WhatsApp from securing users’ private data.
That said, WhatsApp does claim that its latest version of the Android app, which was released Tuesday, addresses security issues, which it does, sort of. Unfortunately, Bosschert counterclaims that his example exploit code still works in that version, calling into question WhatsApp’s sincerity and veracity in addressing this issue.