Bad programming practices , Android malware attack is to open the database backup WhatsApp chat.
Boss Bosschert, a self- billed “consultant / sysadmin / business , ” that is used by WhatsApp messages stored locally on the local access database file system as any other Android, read by the application of shows how that can be a proof of concept exploit is performed .
WhatsApp Boss chert proof of concept that the silence of the SQLite database used to steal one and the Android application , involved created . After that he moved for work to a remote web server results.
A key aspect of the exploitation and possible mitigating factor : the program from your backup function placed on the phone ‘s SD card , only copies of the database access . Database as a backup , there is stored , it can read SD Card will be accessible to any application . The Android developer docs on an external card to store data that is inherently unsafe, says in no uncertain terms.
For this purpose , WhatsApp backup database is encrypted , but with Bosschert work around this exploit . No common encryption – for one , each has the same AES key to encrypt WhatsApp user database was used . (Bosschert a simple Python script to perform the decryption provided . )
What is doubly ironic , as exposed by Bosschert with WhatsApp biggest weaknesses are easily solved with good programming practices is how . Including features to external storage , Android introduced to enhance security features, support for many , it may not be available for all users means – unfortunately, wide compatibility with this app WhatsApp seems to aim for .
WhatsApp is insecure programming practices has been nailed for the first time .the main mistake was committed.
In principle , surreptitiously stealing from other applications apps that have been banned from the Google Store , but such programs can be difficult to police. It thus on the Android community – as sometimes in users monitoring is the only way to bring these matters.
Cryptography is hard to do well , and WhatsApp as wide a user base as a request is too difficult to implement it properly . WhatsApp is siphoned off , but the data can be decrypted subtle ways in which not only serve as an important warning ought to matter.