Steal WhatsApp update

When I wrote Steal WhatsApp database (PoC) I never expected it to go viral. I only wrote the article for myself and the few readers of my weblog. My brother and I started the research out of curiosity and ended up with this Proof of Concept and blog post. But I’m happy with all the discussion it started and the awareness it created among users. My post was not meant to bash Android, WhatsApp or Facebook. I’m a happy consumer of all those products, but I question some design decisions.

However, there is room for some credits and some clarification.

First of all, I would never have written this article if my brother hadn’t asked me the question and helped me investigate it. Also credits to the developers of WhatsApp Xtract for finding the encryption key. Secondly, I am not claiming I found something new. WhatsApp has been saving these database backups on the SD card for ages, and the encryption key has been known for some time now. All I did was combine these two things and write a Proof of Concept showing how this can be used to steal your chat conversations.

On TechCrunch WhatsApp responded to my post with the following text:
“We are aware of the reports regarding a “security flaw”. Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk. As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies. The current version of WhatsApp in Google Play was updated to further protect our users against malicious apps.”

It is not clear if WhatsApp meant my post or the reports of the journalists covering the topic. Not all press coverage contained all the details, which might have given a wrong impression. However, they are right that you still have to get the malicious application onto someone’s device, but with some social engineering that should be possible. The original post already reflected this, so there was no inaccuracy there. Also, in the past these kinds of apps have already been active in the Play Store, which should make clear this is not a far-fetched approach.
WhatsApp is, however, right that the post was not accurate about the latest version of WhatsApp. That version was released after the article was finished; the changes (or fixes) in that new version are described below.

In their newest update they changed their encryption scheme, which now saves the database as msgstore.db.crypt5 on the SD card. I claimed that my original PoC still works after the update, but after the first nightly backup I also had the crypt5 databases. They also stopped using a hardcoded key for all devices and instead use the Account Name to create a device (account) unique encryption key. That seems like a big step forward, but it only means we also have to steal the Account Name, and then we can still read the WhatsApp chats.

Big credits to the guys in the WhatsApp Xtract thread on the XDA Developers Forum for reverse engineering the new encryption scheme and creating a Python script to decrypt the crypt5 databases. I love the comment separators in that Python script.

To get the crypt5 database and account name I made some changes to the original PoC. I updated the PHP script so that it now saves the file with the account name as filename, using `$_GET['n']`.

We also need an extra permission in the manifest file to read the Account Name.

And the updated source code contains a function to get the username and use it in the request when uploading the database.

So with some changes to the original PoC and the new Python script we can still read these WhatsApp conversations. We tested the above PoC on a limited number of devices; if you obtain other results, please let us know (with some proof).

Also, answers to some frequently asked questions:

Did you contact WhatsApp about this?
No, I did not contact WhatsApp about this, since this is not a bug but a design decision (usability before security). Also, I didn’t find anything new; it was already known on the internet.

How can this happen?
I’m not a WhatsApp developer, but my best guess is:
WhatsApp is not secure by design; security wasn’t as important as usability. It is something that became more important along the way. They focused on usability, and that’s why they are successful. WhatsApp grew so fast that there was never time to implement a good security model, something that became harder along the way, because you don’t want to interrupt usability.

How can this be solved?
What is important is that WhatsApp shows that it cares about users’ security and privacy, which they started to do in their latest update, but they can still improve their encryption. A random, unique salt per device, stored in /data and used for their encryption key, would prevent malicious people from decrypting the database this way. I have faith that they will find a good solution, especially with involvement from Facebook, who have always been more focused on security.
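The mitigation suggested in that answer (and the crypt5 weakness described earlier, where the key is derived from the Account Name) as an added illustration; this is not the post’s code and not WhatsApp’s real crypt5/crypt7 scheme. A toy backup cipher (stdlib HMAC in counter mode, encrypt-then-MAC) is keyed either from the account name alone or from the account name plus a random secret kept only in app-private storage, and run against the post’s threat model of an app that can read the SD card and the account name but not another app’s /data. All names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not WhatsApp's real scheme or real data.
ACCOUNT_NAME = "alice@example.com"
SAMPLE_DB = b"constructed msgstore contents: hello from the chat"

def derive_key(account_name: str, device_secret: bytes = b"") -> bytes:
    """Weak variant (no device_secret): key depends only on the account name,
    which a malicious app can read. Hardened variant: mix in a random secret
    that lives only in app-private storage (/data), never on the SD card."""
    material = account_name.encode() + device_secret
    return hashlib.pbkdf2_hmac("sha256", material, b"static-salt", 10_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stdlib only, no AES dependency).
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt_backup(key: bytes, plaintext: bytes) -> bytes:
    # Layout: nonce || ciphertext || tag (encrypt-then-MAC).
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_backup(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered file
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def sdcard_only_recovers_db(blob: bytes, account_name: str) -> bool:
    """Threat model from the post: a malicious app has the SD-card file and the
    account name, but no access to another app's private /data directory."""
    return decrypt_backup(derive_key(account_name), blob) == SAMPLE_DB

def compare_schemes():
    weak_blob = encrypt_backup(derive_key(ACCOUNT_NAME), SAMPLE_DB)
    device_secret = secrets.token_bytes(32)  # generated once, stored under /data (assumed)
    hard_key = derive_key(ACCOUNT_NAME, device_secret)
    hard_blob = encrypt_backup(hard_key, SAMPLE_DB)
    return (sdcard_only_recovers_db(weak_blob, ACCOUNT_NAME),   # True: account name suffices
            sdcard_only_recovers_db(hard_blob, ACCOUNT_NAME),   # False: secret never left /data
            decrypt_backup(hard_key, hard_blob) == SAMPLE_DB)   # True: the app itself still restores
```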

What can a user do to prevent this?
Not much; a user has to trust the applications they install. Just don’t install applications from unknown sources, and be careful when granting permissions. Not only access to the SD card, but all extra rights you give to an application: ask yourself whether they really need them. And as a user, always remember that these kinds of attacks can happen, so be careful what you do on your mobile device.

Is this used in the wild?
Yes, this has been done in the past, and with an application from the Play Store.

Do you notice anything as a user?
No, in my proof of concept you are shown a loading screen. A user wouldn’t notice that they just uploaded their database.

How dangerous is this?
With all the information from my website you could create an Android application which steals someone’s WhatsApp database. The only thing you need to do is get them to install the application. You can try to upload it to the Play Store (this did work in the past, but I doubt it will still work) or trick them into installing it from unknown sources. Don’t underestimate the power of social engineering; see how effective banking malware can be.

Doesn’t this only work if you enable the backup?
Yes, but I don’t know if the backup is enabled by default. It seems it was enabled by default (in the past). What I do know is that you can’t turn it off once enabled.

Does it still work with the new update?
No, the PoC doesn’t work with the new update. At this moment there is no known way of decrypting the database.

What about crypt5?
A newer version of WhatsApp uses a new encryption scheme which saves files as msgstore.db.crypt5. The script in my original article can indeed not decrypt this file, but there is already a Python script which works on these files. It only needs the account name as input, which can also be obtained using the above PoC.

What about crypt7?
The newest version of WhatsApp uses a new encryption scheme which saves files as msgstore.db.crypt7. This time WhatsApp uses a unique server-created salt, which means the database can’t be decrypted using the above PoC. At this moment there is no known way to decrypt crypt7 database backups.

19 thoughts on “Steal WhatsApp update”

  1. You have done the right thing by disclosing this.
    I am surprised why no one thought of doing this before, considering that the encryption key was known.

    1. It has.
      Even “All I did is combine these two things and wrote a Proof of Concept how this can be used to steal your chat conversations.” is not new. There have been apps out there doing this for MONTHS – at the user’s request, though – e.g. SMS Backup+.

  2. Tested it. Works fine on phones with no SD card (Nexus devices), but it seems there’s a problem with phones with an SD card (slot) (for example HTC Evo 3D).

  3. Also, there is the point that after the update the old msgstore files will still be there too!

  4. This is not the only issue – try deleting your account, for example. You can delete your account within the app, but try to install it again after a couple of months and you will still get the messages someone sent you in the meantime.

    That’s a proper fraud, which shows that it’s actually a quasi-disable and not a proper delete.

  5. I need to decrypt a msgstore… that was encrypted when there was NO ACCOUNT on the mobile phone. It was an Xperia X8 with a known issue that prevents you from adding a Google account. Does anyone know what the “no account” account is?
