Tuesday, March 11, 2014

How to Steal WhatsApp database

"Is it possible to upload and read the WhatsApp chats from another Android application?"

With this question my brother and I started an interesting conversation which ended in underneath proof of concept. The tldr answer is: "Yes, that is possible".

The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since majority of the people allows everything on their Android device, this is not much of a problem.

So what do we need to steal someones Whatsapp database? First we need a place to store the database. I used this webserver with a simple php script.

Make sure you configure you php.ini so that you can upload (large) files.

Next thing we need is an Android application which uploads the WhatsApp database to the website. I created a new default project in Eclipse and made a couple of changes. First of all we need some extra rights to access the SD card and to upload to the internet. To do this I added some lines to the AndroidManifest.xml file.

For the layout I used the default layout which Eclipse creates, but I moved the TextView to the center and increased the text size. The upload magic happens before you see the layout, for this proof of concept this activity_main.xml is good enough.

So far, nothing exciting yet, the real excitement comes in the MainActivity.java file. We will try to upload 3 files:

  • /WhatsApp/Databases/msgstore.db
  • /WhatsApp/Databases/wa.db
  • /WhatsApp/Databases/msgstore.db.crypt

In newer versions WhatsApp decided to do some crypto magic on their database (msgstore.db.crypt), so it is more secure. It is still possible to read chats from this database, but more on that later. The msgstore.db and wa.db are the old unencrypted databases of WhatsApp.

During the upload of the WhatsApp database files we will display a simple Loading screen, so people think the application is doing something interesting in the background.

By doing the magic in the loading screen you can also add this code to a real application instead of the Hello World message you see now. Combine it with something like FlappyBird and a description how to install applications from unknown sources and you can harvest a lot of databases.

The WhatsAppp database is a SQLite3 database which can be converted to Excel for easier access. Lately WhatsApp is using encryption to encrypt the database, so it can no longer be opened by SQLite.  But we can simply decrypt this database using a simple python script. This script converts the crypted database to a plain SQLite3 database (got key from Whatsapp Xtract).

So, we can conclude that every application can read the WhatsApp database and it is also possible to read the chats from the encrypted databases. Facebook didn't need to buy WhatsApp to read your chats.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.