Hacker News new | ask | show | jobs
by Matthias247 338 days ago
How does it work technically?

Does Whatsapp expose these messages via an API? If yes, then it seems like this is not only on Google.

If no: Are they reading data from raw UI widgets? Are they intercepting input controls? Are they intercepting network traffic? That seems unlikely, given its probably end to end encrypted and the decryption happens within the scope of the Whatsapp process.
4 comments
netsharc 338 days ago
> If no: Are they reading data from raw UI widgets? Are they intercepting input controls?

Why not... they control the OS, it'd be trivial to add hooks to the "draw widget" command to intercept that it's about to draw a text widget for WhatsApp, and then ask it to log the text.

link
alok-g 338 days ago
My understanding (may be wrong):

WhatsApp data is encrypted, however, the keys are on the device itself and accessible on Android. There are many third-party apps that support transferring WhatsApp data from one phone to another, and some even claim so between Android and iOS devices. As I understand, the chats are in some usual database format. So anyone having access to the device can read the data even without WhatsApp being there itself (as far as the data is there).

link
Anamon 333 days ago
I don't think it's quite as simple as that. The keys are stored in a storage area that Android locks off as WhatsApp's alone; no other app can get to those keys.

At the very least you'd need to root your device, but even that might not be quite enough going by my memory of trying to export my chats once. I remember the only documented working path included something like installing a shady, modified APK of a legacy WhatsApp version with an outdated encryption method to a second device and then somehow getting the new app to write a backup in the legacy format, to then restore to the fake second device and decrypt. I quit there because the risk of actually losing my entire backup seemed too high. And that was about five years ago, so I'd assume if anything, it's even more difficult today.

link
hnburnsy 338 days ago
Maybe it uses Accessibility...

>When granted, an app with accessibility permission can:

  Read screen content (including text and buttons in other apps)
  Detect user interactions (like taps, swipes, or gestures)
  Navigate between apps and the system UI
  Monitor app launches and foreground/background changes
  Access and control other apps indirectly
  Perform gestures or clicks on behalf of the use
link
callmeal 338 days ago
>Does Whatsapp expose these messages via an API?

Whatsapp has dark patterns that "guide" you to "archive" your chats on google drive.

link
Anamon 333 days ago
No other app can get to that backup data though except the original one that made the backup. Not even the owner of the account is allowed access to it (which I'm almost sure is a GDPR violation)!

I'm not saying it's impossible that Google just grants their own app an (IMO indefensible) exception to this. But the potential shitstorm would be massive, so I assume they probably use some other way, such as screen recording or accessibility features.

link