It seems to me that if this is possible an OS software upgrade of some sort is urgently required, in addition to possible updates of WhatsApp. How come there isn’t coverage of this as Android and iOS vulnerabilities?
Gaining control of WhatsApp gains access to any API accessible to WhatsApp. Incompetent reporting may be at fault.
On Android, WhatsApp seeks a wide array of permission-controlled APIs. It does so on iOS as well. Once granted, the app has access to any data available through access-allowed APIs.
App code goes through an audit process to ensure that the app isn’t using accessible APIs inappropriately, and doesn’t permit unapproved code execution.
This vulnerability allows an attacker to execute unapproved code in the WhatsApp context. Any API that iOS or Android offer WhatsApp under normal circumstances is now attacker-controlled.
The two questions unanswered by the press to date are simple. On iOS and on Android, can the attacker’s code be terminated by force-quitting and uninstalling WhatsApp?
Either the attack is persistent only because it sets up shop inside the app, which may have OS-granted background and/or screen-off execution rights, and thus can be terminated simply by quitting and removing the app — or, the attack gains persistence beyond the confines of the app.
Media reports are unclear on this point. If the OS offers apps endpoints that an app executing attacker-controlled code can use to infect the OS with persistent attack code that executes outside the app’s boundaries and remains after app uninstallation, then that’s absolutely a flaw in the design of the OS. As you say, “Android and iOS vulnerabilities”.
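One way to make the two points above concrete (the permission-gated APIs the app already holds, and whether it has OS-granted background or boot-time execution rights) is to triage the app's manifest. The script below is an added example and is not from the original thread or from WhatsApp; the manifest it parses is a constructed sample, not WhatsApp's real manifest, and the permission tables are a hand-picked subset of Android's documented runtime and normal-level permissions.

```python
"""Triage an Android manifest for what a compromised app context would hand an attacker.

Added example (constructed sample input); not code from the thread or from WhatsApp.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Runtime ("dangerous") permissions that gate user data, keyed to the Android
# permission group each belongs to. Subset chosen for illustration.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
}

# Normal-level permissions that let app code keep running without the UI in front.
BACKGROUND = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.WAKE_LOCK",
}

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest for a hypothetical messaging app (not WhatsApp's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return the data-gating permissions, background-execution permissions,
    and boot-time receivers declared in an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    requested = [el.get(NAME_ATTR) for el in root.iter("uses-permission")]

    sensitive = {}
    for perm in requested:
        group = SENSITIVE.get(perm)
        if group:
            sensitive.setdefault(group, []).append(perm)

    background = sorted(p for p in requested if p in BACKGROUND)
    other = sorted(p for p in requested if p not in SENSITIVE and p not in BACKGROUND)

    # A receiver registered for BOOT_COMPLETED restarts app code after reboot,
    # which is the "sets up shop inside the app" form of persistence.
    boot_receivers = [
        rcv.get(NAME_ATTR)
        for rcv in root.iter("receiver")
        if any(a.get(NAME_ATTR) == BOOT_ACTION for a in rcv.iter("action"))
    ]

    return {
        "sensitive": sensitive,
        "background": background,
        "other": other,
        "boot_receivers": boot_receivers,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for group, perms in report["sensitive"].items():
        print("data reachable:", group, "via", ", ".join(perms))
    print("background execution:", ", ".join(report["background"]) or "none")
    print("boot receivers:", ", ".join(report["boot_receivers"]) or "none")
```

Against a real APK you would feed it the manifest decoded from the package (for example with apktool) rather than the constructed string; the point is that everything the script lists is already granted to the app, so attacker code running inside it needs no further exploit to use those APIs. Persistence beyond app uninstall, the second question above, is not visible in a manifest at all, which is why it needs an OS-level answer.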
Very interested to know what this means in practice, particularly for iOS.
AFAIK, there are no permissions which allow you to read SMS messages, take screenshots (unless jailbroken), access photos in the background, access the camera in the background, etc.
Does this just spy on the user's WhatsApp activity, or spy on the user in a broader way?
How could the APIs WhatsApp does have access to be abused?
The app is infected, calls a 0-day using an illegal parameter that’s normally rejected by app store filters, and gains a permanent beachhead in your Android system services list.
> access photos in the background
Unclear. Apps can show thumbnail galleries of your photos within their native UI, so it may well be possible for them to continue directly to reading photos.
> access the camera in the background
Unclear. Does FaceTime continue transmitting video when the phone screen is turned off? Is it possible to capture stills or video when the screen is off on a jailbroken phone?
> or spy on the user in a broader way
Android WhatsApp seeks permission to read your SMSes, so that would be almost certainly correct as well there.
There's no possible way to read SMS messages programmatically in iOS, for example; the closest you get is reading one-time passwords sent, and you can only do that when the user has the keyboard open when the SMS is received.
I know Android is slightly more lax in this (and some other) regards. I wonder if Android WhatsApp users targeted by this exploit have had more data exposed than iOS users targeted by the same exploit?
Or there should simply not be background access to certain APIs, such as camera, video, and photo library.
Background audio access on iOS presents a bright red indicator on all non-app screens that can neither be hidden nor removed, as it’s baked into the OS. iOS may require a separate permission dialog for “capture video with sound” and “record sound with/out screen on”, I don’t know. I doubt Android bothers to do any of this.