Steal WhatsApp database (PoC)

“Is it possible to upload and read the WhatsApp chats from another Android application?”

With this question my brother and I started an interesting conversation which ended in the proof of concept below. The tl;dr answer is: “Yes, that is possible”.

The WhatsApp database is saved on the SD card, which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a hurdle.

So what do we need to steal someone's WhatsApp database? First we need a place to store the database. I used this webserver with a simple PHP script.

Make sure you configure your php.ini so that you can upload (large) files.

The next thing we need is an Android application which uploads the WhatsApp database to the website. I created a new default project in Eclipse and made a couple of changes. First of all we need some extra permissions to access the SD card and to upload to the internet. To do this I added some lines to the AndroidManifest.xml file.
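The permission pair the post relies on (shared-storage read plus network access) is also what a reviewer would look for when triaging an APK. The following added example, not code from the post, parses a constructed AndroidManifest.xml and flags that combination; the manifest content and the package name are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest modelled on the permission combination the post
# describes (SD-card read plus network access). Not the post's own manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.helloworld">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Hello World">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose the shared SD card to the app (pre-scoped-storage Android).
STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
NETWORK_PERM = "android.permission.INTERNET"


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml.strip())
    return {
        node.get(ANDROID_NS + "name")
        for node in root.iter("uses-permission")
        if node.get(ANDROID_NS + "name")
    }


def exfiltration_capable(manifest_xml: str) -> bool:
    """True when the app can both read shared storage and reach the network,
    i.e. it holds everything the PoC needed to copy a WhatsApp backup off the
    device. Many benign apps match too, so treat this as a triage signal that
    calls for a closer look, not as a verdict."""
    perms = declared_permissions(manifest_xml)
    return bool(perms & STORAGE_PERMS) and NETWORK_PERM in perms


if __name__ == "__main__":
    print(sorted(declared_permissions(SAMPLE_MANIFEST)))
    print("exfiltration-capable:", exfiltration_capable(SAMPLE_MANIFEST))
```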

For the layout I used the default layout which Eclipse creates, but I moved the TextView to the center and increased the text size. The upload magic happens before you see the layout, so for this proof of concept this activity_main.xml is good enough.

So far nothing exciting; the real excitement comes in the MainActivity.java file. We will try to upload three files:

  • /WhatsApp/Databases/msgstore.db
  • /WhatsApp/Databases/wa.db
  • /WhatsApp/Databases/msgstore.db.crypt

In newer versions WhatsApp decided to do some crypto magic on their database (msgstore.db.crypt), so it is more secure. It is still possible to read chats from this database, but more on that later. The msgstore.db and wa.db files are the old unencrypted databases of WhatsApp.

During the upload of the WhatsApp database files we display a simple loading screen, so people think the application is doing something interesting in the background.

By doing the magic in the loading screen you can also add this code to a real application instead of the Hello World message you see now. Combine it with something like FlappyBird and a description of how to install applications from unknown sources and you can harvest a lot of databases.

The WhatsApp database is a SQLite3 database which can be converted to Excel for easier access. Lately WhatsApp has been encrypting the database, so it can no longer be opened directly by SQLite. But we can simply decrypt this database using a simple Python script. This script converts the encrypted database to a plain SQLite3 database (the key comes from WhatsApp Xtract).

So, we can conclude that every application can read the WhatsApp database, and that it is also possible to read the chats from the encrypted databases. Facebook didn't need to buy WhatsApp to read your chats.

Newest version of WhatsApp still vulnerable, read the update.


45 thoughts on “Steal WhatsApp database (PoC)”

  1. Pritam Baral says:

    The decryption can be done with plain old openssl thus:

    openssl aes-192-ecb -d -in msgstore.db.crypt -out msgstore.db \
    -K 346a23652a46392b4d73257c67317e352e3372482177652c

    The python edition adds extra bits towards the end, btw.

    • raj Kumar says:

      The attacker can social engineer the victim's device, copy the .crypt files into the WhatsApp /database folder on his own device and reinstall WhatsApp there; when WhatsApp restores the old chats it will also make the victim's chats readable in the attacker's WhatsApp.

      • They will need the user's registered WhatsApp mobile phone number, and if they do that the user will get a message that his WhatsApp account was moved to another device, asking if they want to reinstate their account.

      • allo says:

        Good argument … does WhatsApp migrate old logs to new phones?
        Because the attacker could just steal the phone number and IMEI (a lot of apps do this) and then log in to the WhatsApp account.

  2. Hey, would one of you mind emailing me back? WhatsApp released an update to the Android app today, so I'm just wondering if this is still relevant given the update?

    Thanks!
    Jordan

  3. anonymous says:

    Tested the new update and it does not work with .crypt5 files. Can you confirm?

    • I will have to research this. On my device the new update didn't create a .crypt5 file. Google taught me that the crypt5 file can't be decrypted with the posted script though.

  4. Matthias says:

    I think this only works when the WhatsApp backup feature is used. Only then do the databases get copied to /WhatsApp/Databases/

      • Matthias says:

        No, just checked it (clean install). But if you enable it, it will back up the database every night at 4:00am.

        I am with you, this is a security problem. But only for the subset of users who enabled the automatic backup.

        • Thijs says:

          The backup feature is actually enabled by default; they might have changed this in the latest version, but that doesn't change anything for all the current users. Also, there is no way to turn it off at this moment once it is turned on.

  5. This key stopped working in a beta version published at the end of February that created .crypt2 files instead of .crypt. They went through a few iterations and two days ago published a version in the Google Play store that now uses crypt5.

    It's still possible to decrypt the file though. Our statistics app does it. Though we don't have the INTERNET permission, so you can rest assured we're not stealing anything from your device. :-)

  6. IMHO it would be much more useful to tell people how they can disable WhatsApp's backup feature, assuming it can be disabled.

    Root users could edit WhatsApp's preferences file to disable backups, and then make properly encrypted backups with e.g. Titanium Backup. In addition to being properly encrypted, the backups would be compressed as well.

  7. anonymous says:

    This issue (both the backup file and the SD card being readable by any app) has been known for years. What's the deal?
    Google for the encryption key, known since at least 2012. Old as the hills.

    • I am not claiming that I found something new. I thought this was already known and am surprised about all the news coverage. But apparently this is news for a lot of people. It is nice to see though that it opens a discussion about the Android security model and the way WhatsApp saves its databases, and also creates some awareness among users.

  8. Smartass says:

    Thanks for such detailed instructions. Now every jerk in the world can steal messages from people ;)

  9. ProV says:

    This issue is indeed not new. Potentially even slightly plagiarized and then presented as new, which I find slightly unethical, but I am also surprised about the news attention, especially as there was an app in the Play store a few months ago that stole your database and published it online; all you had to do was give the number, pay them and you would get the full database.

    Anyway, this issue has indeed been solved weeks ago, latest beta build from Monday already patches this as well by using .crypto5.

    • First of all, I post articles for myself. Anyone is free to read them or not. I wrote all text and code on this website myself, so I wonder how you can see this as plagiarism. But you are entitled to your opinion, feel free to think what you want.

      If this was solved weeks ago, why does this still work on my phone? And what is the solution? The .crypt5 files can also be decrypted according to the developers of Chat Statistics for “WhatsApp”. Can you substantiate your claim that it is solved?

      • andQlimax says:

        WhatsApp is making such a shameful error by saving the conversations with insufficient encryption on the SD card..

  10. caio says:

    I don't think this is a big deal.. the victim needs to execute an app to steal the WhatsApp files somehow.. considering the default security settings for application execution and that the application is not signed. Even if you send this application to someone, they will get warned that this is not a trusted application, and if they still want to execute it they need to disable the protection. Who will be so stupid? Even a dumb person will question this and not execute the application. You would have to make a real application and put it in the Play store with something that makes people download and execute it..

  11. Gino Scarpino says:

    Hi! WhatsApp doesn't allow you to move the app to the external SD card, so I don't understand how this security issue is possible?

  12. Jack Ketch says:

    Here’s another exploit: https://github.com/tgalal/yowsup/issues/234

    WhatsApp stores some critical information on the SD card, specifically in /sdcard/WhatsApp/Profile Pictures/.nomedia

    Using this info, one can hijack the WhatsApp account and register instead of the legitimate user, without SMS verification.

    As the SD card is accessible to any app running on Android, malware may thus steal thousands (or millions?) of accounts.

    (the link contains code that can decrypt the file)

    • Since I get a lot of these requests, which most of the time I just put in the trash, I can answer one of them as well.

      First of all, you should read the update: WhatsApp changed their encryption scheme to crypt5 databases, still unsafe, but it requires some changes in the code to get the account name to decrypt the database backup.

      Secondly, WhatsApp will soon introduce crypt6, which finally uses a server-generated key saved in /data, which can't be acquired by the methods described on my page.

      • hasan says:

        Thanks for your reply :)
        The app worked.
        But the PHP upload script is not working on 000webhost :'( Is there another PHP upload script?

  13. Anonimo says:

    Gooood job!! What about MessageStore.db from BlackBerry? Can we read it?

    • Abhishek Khandal says:

      If you have a non-rooted Android device, you need not worry, as it is impossible to decrypt the encrypted database without a key file which is stored in /data/data/com.whatsapp, and without root access it cannot be accessed or stolen unless someone connects your phone to a computer and uses the ADB PULL method to fetch the key file. So, you must set up a “desktop backup password” from developer options in settings and tick “encrypt phone” as well. Have a pattern lock or password lock on your phone.
