This is probably the most sensational text I've read all weekend. Yes, Android has security flaws (that have been previously covered in-depth).
The bar for "hacking WhatsApp" should be dramatically higher than installing an app on the very device that decrypts the message. Heck, you could probably just use the NotificationListenerService[0]. There, I hacked all messaging apps that use notifications. I didn't even need "servers deep in the remote mountains of Colorado".
For governments (the groups that ostensibly WhatsApp cares about the most) and "hackers" it is fairly trivial to get an install on both ends of a communications chain - especially if the target/mark is high enough priority. So that doesn't absolve them.
WhatsApp stops you from getting caught in dragnets and requires someone to explicitly target you, with an actual cost for the attacker - when the malicious app is detected, the vulnerabilities it uses will be patched, requiring new ones to be found or bought. The more people targeted, the greater the odds of detection. So, while every single person is pretty much as vulnerable as ever, as a population this is still a big improvement.
That's scary (the NotificationListenerService part). I had no idea security on Android was that bad. So any app can silently copy all notifications to a remote service? Mail subjects and body previews, Facebook messages, etc etc etc?
Edit: Even though perhaps this hack isn't WhatsApp specific, the end result is the same - full compromise of WhatsApp privacy. Which is what matters to end users.
The user has to allow the app to listen to all notifications manually. It can't be done automatically / from within the app and is part of the Settings app on Android.
That said, this is quite useful for services like PushBullet for forwarding your notifications etc.
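An added example, not part of any comment in this thread: a way to audit the manual grant described above by reading the Android secure setting `enabled_notification_listeners` over adb and listing packages outside an expected set. The function names, the `ALLOWLIST` variable and the sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Audit which apps hold notification-listener access on an Android device.
# The setting value is a colon-separated list of flattened component names
# ("package/class"); an unset value is reported by `settings get` as "null".

# list_listener_packages "<setting value>" -> one package per line, de-duplicated
list_listener_packages() {
    [ -n "$1" ] && [ "$1" != "null" ] || return 0
    printf '%s\n' "$1" | tr ':' '\n' | sed -e 's|/.*$||' -e '/^$/d' | sort -u
}

# unexpected_listeners "<setting value>" "<space-separated allowlist>"
# Prints every package with listener access that is not in the allowlist.
unexpected_listeners() {
    list_listener_packages "$1" | while IFS= read -r pkg; do
        case " $2 " in
            *" $pkg "*) ;;                    # expected, e.g. a forwarding app
            *) printf '%s\n' "$pkg" ;;        # granted but not expected
        esac
    done
}

# Constructed sample value (hypothetical package names), used for offline runs.
SAMPLE='com.example.forwarder/com.example.forwarder.NotifService:com.example.watch/.ListenerService:com.example.unknown/.Svc'

# With --device, read the real value from a connected device (requires adb
# and USB debugging); ALLOWLIST is a hypothetical environment variable.
if [ "${1:-}" = "--device" ]; then
    value=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
    unexpected_listeners "$value" "${ALLOWLIST:-}"
fi
```

Anything printed is an app that can read every notification on the device and is worth reviewing under the notification access screen in Settings.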
If I can use the carrier/hardware system to implement an attack, then the entire system is not secure. As a result you can't claim that {system{sub-system in question}} is secure because the system security is implied.
Very true. Which means it's an insecure platform. Which means any application claiming security on it is insecure - and thus they shouldn't claim security.
Looks like they installed a keylogger on Android without root. WhatsApp has absolutely nothing to do with this, it might as well have been notepad. Yay clickbait.
People are commenting that this isn't really a hack because it exploited Android, rather than WhatsApp.
That is exactly how exploits work in the wild, so the distinction is false. If I can get the info I need through a side-channel, no matter what it is, it's still a vulnerability. Full stop.
If it really is just an Android problem and doesn't carry over to iOS, then if WhatsApp is truly dedicated to security over everything, then they should disable on Android until the vulnerability is fixed on the Android side.
Given that that course of action would kill the vast majority of WhatsApp's base I don't foresee that happening.
edit: Also if you read the article again you'll see that the focus is on Android/Google vulnerabilities - and they used WhatsApp to demonstrate it as it's the widest distributed and used "secure" system on Android.
Well, they said Snapchat is vulnerable to the same attack.
As a developer you generally have to assume that the end-user devices are trustworthy, since that is where you render the message into something the end user can see/read/use. You can assume the network is hostile, and that the sender may be hostile, but if your phone/PC is also hostile it's pretty much game over.
Related -- never check your email or bank accounts on a public kiosk.
> As a developer you generally have to assume that the end-user devices are trustworthy
Absolutely not. If you are designing for security, literally nothing in the chain is assumed to be secure by default - including the BTS and carrier networks.
As someone who has designed these systems I ALWAYS take the device security into consideration, for this exact reason. As I mentioned elsewhere, the defense in depth model covers this in detail.
> Since WhatsApp added the Signal Protocol, it shows you which of your contacts who are unable to participate in end-to-end encryption because they are still on an old version of the app. Instead of disabling the app on Android, they could list all Android users this way.
[0]: https://developer.android.com/reference/android/service/noti...