5

How can security be enhanced to the maximum in a messaging app storing messaging history on the device (like WhatsApp)? I am specifically referring to methods to minimize the risk of the data being stolen in case the device is physically compromised or compromised using malware.

I know that WhatsApp encrypts the file containing the chat history; nevertheless, when you transfer this file between devices you can still open it up with WhatsApp and read the contents. So what risk is this protection meant to mitigate?

I know that the filesystem restricts access so that only the application can access its files - that means that as long as the device isn't compromised, this information cannot be accessed by a malicious entity. Is this assumption correct?

I've seen in another thread that there is an ability to use the SIM card as a means of providing security - Securing data on a mobile device (even from the user/owner)? Is this applicable in my scenario?

user3074662

2 Answers

1

You would do it the same way you'd do it on a computer, but once the machine is compromised, all bets are off, and you're mostly wasting your time. You may check out this related question on which my answer suggests deriving a key from the hardware and using it to encrypt the sensitive data but even then, that only buys you more time until the attacker reverse-engineers how your app generates this key and generates the same one using his malware running on the same phone (thus having access to the same hardware).

An HSM may help in this case, but if your app can get the data off the HSM, so can the attacker with root access to the machine. HSMs are only effective against data that isn't supposed to get off of them, like private keys (they're generated on the HSM, the HSM itself uses them to do crypto operations on data sent by the host machine, but it never reveals the actual keys), but that isn't applicable in your case since you want to protect a message history which the user would want to read (i.e., get back from the HSM).
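An added illustration of the trade-off described in the answer above (not code from the answer or from WhatsApp): a history file sealed under a key derived from a hardware identifier cannot be opened on a different device, but any code on the same device that reads the same identifier derives the same key. The identifiers, the app constant and the HMAC-based cipher (a standard-library stand-in for a real AEAD such as AES-GCM) are assumptions made for the example.

```python
import hashlib, hmac, os

APP_SALT = b"example-app-constant"  # constructed; ships inside the app, so not secret

def derive_device_key(hardware_id: bytes) -> bytes:
    """Key = PBKDF2(hardware identifier, app constant). Deterministic by design."""
    return hashlib.pbkdf2_hmac("sha256", hardware_id, APP_SALT, 100_000, dklen=64)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real AEAD, not for production use
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes):
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key (different hardware) or modified file
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> dict:
    device_a, device_b = b"constructed-hw-id-A", b"constructed-hw-id-B"
    blob = seal(derive_device_key(device_a), b"alice: see you at 6")
    return {
        "app_on_device_a": open_sealed(derive_device_key(device_a), blob),
        # File copied off the device: the other hardware yields a different key.
        "file_copied_to_device_b": open_sealed(derive_device_key(device_b), blob),
        # Separate code on device A reading the same identifier gets the same key.
        "other_code_on_device_a": open_sealed(derive_device_key(bytes(device_a)), blob),
    }

if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result!r}")
```

Device binding of this kind protects the file once it has left the device; it does not separate the app from other code running with access to the same hardware values.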

-2

I have read a post which clearly stated that WhatsApp messages can be easily retained. WhatsApp is not a secured messaging app. Follow these steps to secure your WhatsApp from getting hacked:

  1. WhatsApp doesn’t have a very secure server, so avoid using WhatsApp when on Wi-Fi.
  2. Never share your IMEI number
  3. Avoid keeping your phone out at places where it can be accessible to others.
Danny.
TarunSh