
WARNING by Security Consultants: WhatsApp Messages May Not Actually Be Private

Users of the popular messaging platform WhatsApp, which Facebook acquired for $16 billion last month, may be facing a major security flaw.
According to security consultant Bas Bosschert (and reports that first surfaced on the Hacker News message forum), it's possible for others to access your private WhatsApp chats through downloaded Android apps.
When you use the app's built-in backup mechanism, for example to avoid losing messages after uninstalling and reinstalling the app or to move them to a new device, WhatsApp allegedly uses the same encryption key to protect you and everyone else (instead of creating a unique key for each user).
This means the backup goes to a database in insecure storage, where the chats could potentially be read and stolen by another app. In theory, the developer behind another app could decrypt and ultimately gain access to those messages.
Bosschert notes on his website that the WhatsApp database is saved on your phone's SD card, which any Android app can read if the user grants it access. Requesting that access is common practice in the app space (apps that want to store non-secure data would be interested), so if an app asks for SD card access, many users would, in theory, grant it.
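The difference between one key shared by every install and a key unique to each user, as an added example that is not code from WhatsApp or from Bosschert's write-up. The HMAC-based cipher is a standard-library stand-in for a real AEAD such as AES-GCM, and `SHARED_KEY`, `per_user_key` and the install secret kept in app-private storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a single key shipped inside every copy of an app.
SHARED_KEY = hashlib.sha256(b"constructed-key-baked-into-the-app").digest()

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; stand-in for a real AEAD such as AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Return the plaintext, or None if the key does not match the backup."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def per_user_key(install_secret, account_id):
    # install_secret: 32 random bytes created on first run and kept in
    # app-private storage (assumption), never written next to the backup.
    return hmac.new(install_secret, b"backup|" + account_id.encode(), hashlib.sha256).digest()

def demo():
    chat = b"constructed sample chat row"
    shared_backup = seal(SHARED_KEY, chat)  # same key for every user
    alice_secret = os.urandom(32)
    alice_backup = seal(per_user_key(alice_secret, "alice"), chat)
    return {
        "other_app_vs_shared": unseal(SHARED_KEY, shared_backup),
        "other_app_vs_per_user": unseal(SHARED_KEY, alice_backup),
        "other_user_vs_per_user": unseal(per_user_key(os.urandom(32), "bob"), alice_backup),
        "owner_vs_per_user": unseal(per_user_key(alice_secret, "alice"), alice_backup),
    }
```

With the shared key, anything that holds a copy of the app's key and can read the backup file recovers the chat; with a per-user key, only the holder of that install's secret does.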
WhatsApp has not yet responded to a request for comment.