WhatsApp — the popular messaging app with 465 million users acquired by Facebook for $19 billion last month — came under fire earlier this week after tech consultant Bas Bosschert published a blog post explaining how malicious developers can access your messages via the microSD card, and the post went viral (yes, we wrote about it, too).
Now, WhatsApp has responded, perhaps unsurprisingly, by disputing the weight of the reports. A spokesperson tells us the reports “have not painted an accurate picture and are overstated.” He also notes that the latest version in Google Play was updated with further security protection.
Here’s the full statement from WhatsApp:
We are aware of the reports regarding a “security flaw”. Unfortunately, these reports have not painted an accurate picture and are overstated. Under normal circumstances the data on a microSD card is not exposed. However, if a device owner downloads malware or a virus, their phone will be at risk. As always, we recommend WhatsApp users apply all software updates to ensure they have the latest security fixes and we strongly encourage users to only download trusted software from reputable companies. The current version of WhatsApp in Google Play was updated to further protect our users against malicious apps.
In other words, WhatsApp is shifting the issue away from being specifically about its own app, pointing out that a phone will be at risk if you download malware, a virus or a dodgy app, some of which might expose data on the microSD card.
Also: this is not a new revelation about WhatsApp (note this app cited by Bosschert from December 2013), although clearly the $19 billion Facebook deal has people focused on the app, and its flaws, like never before.
The situation points to a couple of other ongoing issues with apps and phone security. The first: is it enough to expect smartphone consumers to do the right thing, or to know what the right thing is?
The other is a wider issue with Android: it has proven to be a magnet for malware. Some 98% of all mobile malware released in 2013 targeted the Android platform, according to the latest figures from Kaspersky, “confirming both the popularity of this mobile OS and the vulnerability of its architecture.”
We have reached out for more detail from WhatsApp about how the current version has been updated “to further protect our users against malicious apps,” and we’ll update as we learn more. (I’ve noticed a couple of suggestions in the comments here, for example, for how data can be stored away from the SD card.)
In any case, Bosschert has confirmed that the method he described still works with the latest version of the app. The changelog for the app notes “new privacy settings for last seen, profile photo and status” but nothing regarding chat conversations.