WhatsApp Security insights

Brief security analysis on WhatsApp for Android

SecureBeam
Secure Apps

The WhatsApp messenger app enjoys unbroken popularity. The company behind the app was acquired by Facebook earlier this year and faced several security audits investigating the security situation of the app.

Out of curiosity we installed the app on an Android device, fired up the Android Debug Bridge and took a look “under the hood”. We just wanted to check: how did WhatsApp react to all this?

The connection

A very simple dumpsys meminfo com.whatsapp command reveals a bad first result: no use of OpenSSL sockets.

adb shell dumpsys meminfo com.whatsapp

While this might sound good these days, given the disclosure of the OpenSSL vulnerability Heartbleed, it’s actually NOT. The OpenSSL exploit seems to impact mostly servers. Here we take a look at the client. And the fact that the WhatsApp app is simply not connecting via OpenSSL sheds some light on the overall security strategy.
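The check above can be scripted so that a missing counter is not mistaken for a zero. The following is an added example, not part of the original post: the function names, the verdict labels and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the "OpenSSL Sockets" counter from dumpsys meminfo.
# Live use with a device attached:
#   adb shell dumpsys meminfo com.whatsapp | openssl_socket_verdict

# Print the OpenSSL Sockets count found in meminfo text on stdin.
# Exit status 2 means the counter is absent (wrong package name, process
# not running, or output that does not report it), which is not the same as 0.
openssl_socket_count() {
    awk '
        match($0, /OpenSSL Sockets:[ \t]*[0-9]+/) {
            field = substr($0, RSTART, RLENGTH)
            sub(/^.*:[ \t]*/, "", field)
            print field
            found = 1
            exit
        }
        END { exit (found ? 0 : 2) }
    '
}

# Turn the count into a one-word verdict (labels are this example's own).
openssl_socket_verdict() {
    if count=$(openssl_socket_count); then
        if [ "$count" -eq 0 ]; then echo "none"; else echo "in-use"; fi
    else
        echo "unknown"
    fi
}

# Constructed sample of the Objects section, not captured from a real device.
SAMPLE_MEMINFO=' Objects
               Views:       42         ViewRootImpl:        1
         AppContexts:        5           Activities:        1
       Local Binders:       19        Proxy Binders:       25
    Death Recipients:        1
     OpenSSL Sockets:        0'

printf '%s\n' "$SAMPLE_MEMINFO" | openssl_socket_verdict   # prints: none
```

dumpsys meminfo is a snapshot of the process at the time of the dump, so take it while the app is actively sending or receiving messages.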

The Messages

Let’s proceed to the data-at-rest in WhatsApp: The messages.

WhatsApp messages database

The messages are backed up on the SD card of every user’s smartphone. You can access these messages simply via ls /sdcard/WhatsApp/Databases. As a result we find the above outlined msgstore.db.crypt5. This is a SQLite database, a standard database available on Android and quite handy for storing relational datasets on smartphones. And it is encrypted. That’s a good sign! Although there are already numerous approaches (and ready-to-use scripts) to decrypt the database.

Conclusion

WhatsApp improved the encryption of the messages. This might sound good, but actually we see it more as the state of the art. Of course there are already decryption approaches and hacks available. This happens for EVERY app that sees great popularity and it’s a game that WhatsApp might lose.

More important is the connection: C’mon WhatsApp, USE SSL (at least)! While there are even stronger encryption solutions available, let’s take the first step and use a secure connection to send messages. Full stop.

If you found this post interesting or helpful, follow me on Twitter or like me on Facebook, where we keep you updated about secure mobile app development :-)

Also make sure to check out SecureBeam which applies the mentioned secure push notification concepts.
