How to Fix WhatsApp

If you read the tech news you will know Facebook intends to buy WhatsApp. One of WhatsApp’s USPs, and part of its appeal, is the privacy of messages. However, as Bas Bosschert showed yesterday, it’s very easy for any other app to read the WhatsApp database.

So what did WhatsApp do wrong? For some strange reason they decided to store the database outside the private app-specific directories and on the SD card. The only reason I can think the developer did this was to make the database more readable during development. In later releases they encrypted the database. However, they seem to have made the decryption key easily available (hardcoded in code?), which means Bas was able to decompile the app to extract the key and re-use it to easily decrypt the database.

What can WhatsApp do? 

1. Store the database and all data files in the private directory space where they are inaccessible to all but rooted devices.

2. They can still encrypt the database and files. Take a look at Conceal and/or SQLCipher.

3. Store the decryption key where it’s less easily read. Keeping it in the private directory space is better than keeping it in code, fetching it online via SSL is even better, and not storing it at all (generating it from a user password entered each session) is best.
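The last option in point 3, sketched as an added example (this is not WhatsApp's code and not from the original post): the key is derived from the password typed each session, so only a random salt and the ciphertext are ever written to disk. The class name, iteration count, passwords and message are constructed for illustration; on Android the salt and blob would live under the app's private directory (`Context.getFilesDir()`).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class SessionKeyDemo {                   // hypothetical class name
    static final int ITERATIONS = 100_000;      // constructed value; tune for the target devices
    static final SecureRandom RNG = new SecureRandom();

    // Derive the AES key from the session password; the key itself is never stored.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword();               // wipe the spec's copy of the password
        }
    }

    // Output layout: 12-byte random nonce followed by ciphertext and GCM tag.
    static byte[] encrypt(SecretKeySpec key, byte[] plain) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKeySpec key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);   // throws if key or data is wrong
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];             // stored next to the data; not secret
        RNG.nextBytes(salt);
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(deriveKey("session password".toCharArray(), salt), msg);
        byte[] back = decrypt(deriveKey("session password".toCharArray(), salt), blob);
        System.out.println(new String(back, StandardCharsets.UTF_8));
        try {
            decrypt(deriveKey("wrong guess".toCharArray(), salt), blob);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password: authentication tag rejected");
        }
    }
}
```

Because nothing in the APK or on disk contains the key, decompiling the app yields only the algorithm; the remaining exposure is the strength of the user's password against offline guessing.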

UPDATE: It’s entertaining that The Guardian implies this is a problem with Android. As with a previous article, they seem to blur the truth.