WhatsApp touts end-to-end encryption and a long list of privacy features to present itself as a highly secure app, but that is far from the truth according to a new report from Mobile Security Framework (MobSF).
MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis, and security assessment framework that can perform static and dynamic analysis. Its latest report on WhatsApp shows how Meta’s chatting app is a high-risk platform, giving it a C grade in terms of security with a score of 39/100.
The analysis uncovered 25 high-risk issues and 94 medium-risk ones. Most of these had to do with the permissions WhatsApp requires and the amount of data it can read from your phone.
For instance, the messaging app can read your coarse location as well as your GPS location, which, according to the report, malicious apps can use to determine where you are, and which also drains battery power.
It can also read your phone’s status and identity, receive and process SMS, and display system-level alerts, which would allow malicious apps to take over the entire screen.
The report goes on to list many more high-risk permissions, including the ability to collect your entire camera roll or read the phone’s external storage.
The report also says that an Activity’s launch mode should not be set to “singleTask/singleInstance”, since that allows other apps to read the contents of the calling Intent, putting sensitive data at risk.
An Activity should not be having the launch mode attribute set to “singleTask/singleInstance” as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the “standard” launch mode attribute when sensitive information is included in an Intent.
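A minimal version of the manifest checks the report describes, as an added example (not MobSF's own code): it scans a decoded AndroidManifest.xml for the permissions named above and for activities whose launch mode is singleTask or singleInstance. The sample manifest and its package name are constructed, and the mapping of the article's permission descriptions to Android permission constants is an assumption.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Assumed mapping of the permissions the article describes to Android constants.
FLAGGED_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_EXTERNAL_STORAGE",
}
RISKY_LAUNCH_MODES = {"singleTask", "singleInstance"}
# Some decoders emit the numeric enum value instead of the name.
NUMERIC_MODES = {"0": "standard", "1": "singleTop", "2": "singleTask", "3": "singleInstance"}

# Constructed sample manifest for a hypothetical app (not WhatsApp's manifest).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".MainActivity" android:launchMode="singleTask"/>
    <activity android:name=".ShareActivity" android:launchMode="3"/>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return flagged permissions and activities with a risky launch mode."""
    root = ET.fromstring(xml_text)
    names = (p.get(A + "name") for p in root.iter("uses-permission"))
    perms = sorted(n for n in names if n in FLAGGED_PERMISSIONS)
    activities = []
    for act in root.iter("activity"):
        raw = act.get(A + "launchMode", "standard")  # absent attribute means standard
        mode = NUMERIC_MODES.get(raw, raw)
        if mode in RISKY_LAUNCH_MODES:
            activities.append((act.get(A + "name"), mode))
    return {"permissions": perms, "activities": activities}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm in report["permissions"]:
        print("flagged permission:", perm)
    for name, mode in report["activities"]:
        print("review launchMode:", name, mode)
```

A flagged activity is only a prompt for review: the finding matters when Intents delivered to that activity carry sensitive data.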
You can read the full report here.