Messaging apps like WhatsApp and Telegram are popular because they encrypt messages and protect communications. However, new research from Symantec reveals these apps may not keep files safe once they arrive on your device.
According to the researchers, apps on Android devices can save media such as images and audio files either to internal storage, which only the app itself can access, or to external storage, which is more widely available to other apps. External storage here does not mean removable media like microSD cards; the distinction is whether data is kept within the app’s own files or on the device’s shared storage, where other software can reach it.
WhatsApp stores media in external storage by default, and Telegram does so as well if you enable its ‘Save to Gallery’ feature. This is why your phone’s gallery app, for example, can display all the photos you’ve received through WhatsApp.
The researchers say this means malware with access to external storage could read and modify WhatsApp and Telegram media files, potentially even before a user sees them. In other words, a hacker could manipulate an image without anyone noticing, and theoretically change outgoing multimedia as well.
Researchers call this type of attack ‘Media File Jacking,’ but ultimately it’s a known issue and a trade-off between privacy and accessibility for messaging apps on Android. Using external storage lets apps work better with one another and allows users to move pictures and data freely, at the cost of making those files more accessible to attackers. Worse, this isn’t the first time these kinds of issues have popped up with Android phones, with researchers pointing out a similar problem last year.
However, WhatsApp told The Verge in a statement that changing its storage system would limit the app’s ability to share media files and would introduce new privacy problems.
Regardless, users view WhatsApp and Telegram as more than just messaging apps. Instead, they trust these platforms and their encryption with sensitive communications they may not entrust to other platforms. While the researchers say that “no code is immune to security vulnerabilities,” there’s more that WhatsApp, Telegram and Android can do to improve security around storage systems.
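One way an app could detect this kind of tampering while still saving media to shared storage is sketched below. This is an added example, not code from Symantec, WhatsApp or Telegram; two temporary directories stand in for Android's internal and external storage, and all function names are hypothetical.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

class TamperedMedia(Exception):
    """Raised when a shared file no longer matches its recorded digest."""

def save_received(data: bytes, name: str, shared: Path, private: Path) -> Path:
    # Hash the bytes while they are still in memory, before they reach shared
    # storage, so there is no window in which another app can change the
    # file ahead of the digest being taken.
    digest = hashlib.sha256(data).hexdigest()
    (private / (name + ".sha256")).write_text(digest)  # app-only storage
    path = shared / name
    path.write_bytes(data)                             # readable by other apps
    return path

def load_verified(name: str, shared: Path, private: Path) -> bytes:
    # Read once, verify those bytes, and hand back the same bytes, so the
    # caller never re-opens a file that could change after the check.
    record = private / (name + ".sha256")
    data = (shared / name).read_bytes()
    if not record.exists():
        raise TamperedMedia(name + ": no digest recorded")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, record.read_text().strip()):
        raise TamperedMedia(name + ": content changed in shared storage")
    return data

def demo():
    """Return (untouched file verifies, modified file is rejected)."""
    with tempfile.TemporaryDirectory() as root:
        shared, private = Path(root, "external"), Path(root, "internal")
        shared.mkdir()
        private.mkdir()
        original = b"constructed sample image bytes"   # constructed input
        path = save_received(original, "IMG-0001.jpg", shared, private)
        first_ok = load_verified("IMG-0001.jpg", shared, private) == original
        # Simulate another app with storage access rewriting the file.
        path.write_bytes(b"constructed sample image bytes, altered")
        try:
            load_verified("IMG-0001.jpg", shared, private)
            detected = False
        except TamperedMedia:
            detected = True
        return first_ok, detected

if __name__ == "__main__":
    print(demo())
```

The check detects modification but does not prevent other apps from reading the file, so the privacy side of the trade-off remains.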
Source: The Verge