27 January 2014

WhatsApp stores its messages and contact list in a plain-text SQLite database


Last night I was doing some app forensics on my Android device, investigating the internal files of the WhatsApp application 'com.whatsapp'. First I checked the shared_preferences directory, which I found somewhat interesting; next I checked the databases directory, which is where the shock was!

Let me give you an idea of the contents of the WhatsApp data dir:

├── app_sslcache
│   └── clients4.google.com.443
├── cache
│   └── dns_cache
├── databases
│   ├── msgstore.db
│   ├── wa.db
│   ├── wa.db-shm
│   └── wa.db-wal
├── files
│   ├── account_type
│   ├── com.google.android.gms.maps._m_u
│   ├── DATA_disk_creation_time_its
│   ├── DATA_disk_creation_time_its_ter
│   ├── DATA_disk_creation_time_vts_com.whatsapp
│   ├── DATA_disk_creation_time_vts_inaka_com.whatsapp
│   ├── DATA_disk_creation_time_vts_labl_com.whatsapp
│   ├── DATA_Preferences
│   ├── DATA_ServerControlledParametersManager.data
│   ├── emoji
│   ├── event_store_v2
│   ├── expiration_date
│   ├── fullsync.dat
│   ├── full_sync_wait
│   ├── Logs
│   │   ├── whatsapp-2013-0004-0030.1.log.gz
│   │   ├── whatsapp-2014-0001-07.1.log.gz
│   │   ├── whatsapp-2014-01-25.1.log.gz
│   │   ├── whatsapp-2014-01-27.1.log.gz
│   │   └── whatsapp.log
│   ├── me
│   ├── MessageService.pid
│   ├── _m_t
│   ├── NavigationParameters.data
│   ├── pw
│   ├── ssid_last_notification_log
│   ├── statistics
│   ├── status
│   ├── wallpaper.jpg
│   ├── wastats.log
│   ├── wastats.timestamp
│   └── ZoomTables.data
├── lib
│   ├── libframeconv.so
│   ├── libqcom.so
│   └── libwhatsapp.so
└── shared_prefs
    ├── com.whatsapp_preferences.xml
    ├── _has_set_default_values.xml
    ├── RegisterPhone.xml
    └── VerifySms.xml

7 directories, 44 files


Then I investigated the database dir and found 4 sqlite dbs

── databases
    ├── msgstore.db
    ├── wa.db
    ├── wa.db-shm
    └── wa.db-wal

wa.db* contains the contact list, with each contact's WhatsApp ID, last_seen, and path_to_display_picture.

Let us look at msgstore.db, but first let us imagine that someone got their hands on that file. You might think that all your chat logs are encrypted just like the connection to the server (it's known that your connection to the WhatsApp server is encrypted using SSL). But what if malware with a privilege-escalation exploit gained access to the WhatsApp directory and thus had your msgstore.db?
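As an added example (not code from the original post), here is a Python check an examiner could run over a copy of the databases directory to see which files are stored as unencrypted SQLite and which tables can be read without any key. The sample files, the `messages` schema and the file name `sealed.db` are constructed for the demo and are assumptions, not WhatsApp's real layout.

```python
import contextlib, os, pathlib, sqlite3, struct, tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of an unencrypted SQLite main file
WAL_MAGICS = (0x377F0682, 0x377F0683)   # big-endian magic that opens a -wal file
LIST_TABLES = "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"

def classify(path):
    """Label a file by its header: plaintext SQLite, WAL sidecar, shm sidecar or opaque."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if not head:
        return "empty"
    if head == SQLITE_MAGIC:
        return "plaintext-sqlite"
    if len(head) >= 4 and struct.unpack(">I", head[:4])[0] in WAL_MAGICS:
        return "sqlite-wal"
    if str(path).endswith("-shm"):
        return "sqlite-shm"          # identified by file name only
    return "opaque"                  # not readable as SQLite; possibly encrypted

def audit_dir(db_dir):
    """Map each file name to (kind, table names readable without any key)."""
    report = {}
    for path in sorted(p for p in pathlib.Path(db_dir).iterdir() if p.is_file()):
        kind, tables = classify(path), []
        if kind == "plaintext-sqlite":
            # Open read-only so the audit never modifies the evidence copy.
            uri = path.resolve().as_uri() + "?mode=ro"
            with contextlib.closing(sqlite3.connect(uri, uri=True)) as con:
                tables = [row[0] for row in con.execute(LIST_TABLES)]
        report[path.name] = (kind, tables)
    return report

def build_sample(db_dir):
    """Constructed sample data: one plaintext db, one bare WAL header, one opaque file."""
    con = sqlite3.connect(os.path.join(db_dir, "msgstore.db"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")  # hypothetical schema
    con.commit()
    con.close()
    pathlib.Path(db_dir, "wa.db-wal").write_bytes(struct.pack(">I", 0x377F0682) + bytes(28))
    pathlib.Path(db_dir, "sealed.db").write_bytes(b"\x8f" * 64)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, (kind, tables) in audit_dir(d).items():
            print(f"{name:12} {kind:18} {tables}")
```

A file reported as `opaque` is only known not to carry the SQLite header; the check does not prove that it is encrypted.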






It was bad that the Chrome and Firefox Android apps store your passwords in plain text, so what if your WhatsApp messages contain your passwords, personal info, etc.?

I think the WhatsApp team must take a step forward and encrypt the msgstore *at least*, to guarantee that your history is safe.
