The story starts with a blog post from Bas Bosschert on Tuesday. While the logic flaw has long been known, what Bosschert did was develop proof-of-concept code to exploit the flaw.
In simple terms, WhatsApp stores its chat history on the SD card. It is encrypted; but the encryption key is discoverable. Bosschert uses a separate app (that has to be granted permission to access the SD card – but many are, and users often don't question new apps' permission requests) to access and exfiltrate the database to a remote server. Like much malware, all this requires is a little bit of social engineering.
In fact, this happened as recently as December 2013. A game able to steal WhatsApp backups was for a while available from Google Play.
WhatsApp responded to Bosschert's blog with a statement quoted in full by TechCrunch. It says, "We are aware of the reports regarding a 'security flaw'. Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk. As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies. The current version of WhatsApp in Google Play was updated to further protect our users against malicious apps."
The problem with this statement is that it does not directly address the issue. It suggests that the current version of WhatsApp has been updated, but doesn't say that it solves the specific issue at stake. Indeed, in a new post yesterday, Bosschert writes, "Does it still work with the new update? Yes, see above adjustments to the original PoC."
WhatsApp's main recommendation is that users protect themselves by keeping apps updated and to use only trusted apps from reputable companies. This is good general advice, but does not solve the problem. Users can protect themselves by not enabling backup on WhatsApp, but, notes Bosschert, "you can’t turn it off, once enabled."
Bosschert suggests that the real problem is one that afflicts many new ideas. "WhatsApp is not secure by design, security wasn’t as important as usability. It is something which became more important along the way. They focused on usability and that’s why they are successful. WhatsApp grew so hard that there was never time to implement a good security model. Something which became harder along the way, cause you don’t want to interrupt usability."
Coupled with Android's 'all or nothing' attitude to granting permissions, all an attacker really needs do is hide the malicious code within an app that the user would really like. Bosschert believes that WhatsApp could solve the problem with improved encryption. "A random unique salt per device stored in /data for their encryption key will prevent that malicious people can decrypt the database this way. I have faith," he adds, "that they will find a good solution, especially with involvement from Facebook, they always were more focused on security."
Facebook recently announced its intent to purchase the What'sApp messaging service for $19 billion, but privacy groups have asked the US Federal Trade Commission (FTC) to suspend the deal to investigate the privacy implications of Facebook's potential access to WhatsApp user information.