Author:  SB

Using WhatsApp in WiFi makes conversations public

With a newly released app, even a rooted Android can intercept all messages

Due to the fact that the WhatsApp data stream is not encrypted, all messages, pictures, locations etc. sent over WiFi can be intercepted. Data sniffing in WiFi networks is not a new threat, we have been warning about it for a long time. But with the newly released app, it becomes highly convenient for folks who really want to intercept WhatsApp data: They don’t need a laptop or computer within the WiFi network anymore; they only need a rooted Android device.

The app developer states that he only wants to highlight the problematic WhatsApp security situation, but this obviously does not stop anybody from downloading the app and using it against others. This is another opportunity to discuss responsible disclosure and also responsible behavior of vendors alerted – but we won’t go into detail at this point.

Just imagine how much data someone could grab, unnoticed, while sitting in a popular coffee bar or being logged in to any other public WiFi network used by many visitors and customers around. Have a look at how easy it was for us to intercept messages, pictures and phone contacts in our Lab scenario:
Screenshot of what we intercepted, using the same WiFi network as the recipient. The sender used a 3G connection.

WhatsApp does not encrypt the data sent and this is the reason for such sniffing tools working easily! According to several reports on the Internet, the WhatsApp vendor has been informed about this and several other issues in late 2011 by at least one security consultant.

What you can do to be protected:
The only possibility to avoid all WhatsApp traffic being easily sniffed is to ensure that all communication partners use their carrier’s mobile communications network. As soon as one of the participants is using WhatsApp in a WiFi network, the whole conversation can be compromised and/or altered.
Please note: Data sniffing is also possible in GSM networks, but this is much more difficult (needs different hardware not easily accessible) and therefore it is less likely to happen.


Update, 4 May:
Google has reacted quickly and pulled the app from Google Play. Nevertheless, the app was installed on some thousand devices before it was banned and we expect it to be available in unofficial markets as well.

Update, 7 May:
On 7 May 2012, a Spanish blog reports that there is another security issue regarding WhatsApp. This time, the researcher found a problem in the WhatsApp storage database. According to the reports, this encrypted database, which stores all incoming and outgoing messages, can be accessed on rooted or jailbroken mobile devices and easily decoded with a hard-coded and static key.

Update, 10 May:
The WhatsApp developers pushed an update for their Android app and this update has been declared mandatory. No update = no WhatsApp usage. We tested this update to find out whether the developers added encrypted/secured data transmition now and found out: No, they did not. The newest Android WhatsApp version (2.7.7532) is still vulnerable for the sniffing tool. The announced "security improvements" did not include the encryption feature.