Messaging apps like Telegram and Facebook-owned WhatsApp are known for using end-to-end encryption, which makes it difficult for anyone to read or tamper with messages while they’re in transit.
But once content is actually downloaded to your Android phone, it can prove more vulnerable to eavesdropping and even malicious changes if there is malware on the phone, security firm Symantec warns in a new report.
WhatsApp by default stores downloaded attachments, like images and audio clips, in what Android calls “external storage,” where it’s accessible by other apps with the right permissions, according to Symantec. Telegram will also do so if you enable a “Save to Gallery” option in the app, Symantec reports.
That means that other apps can read and modify those attachments, potentially even before you see them in the messaging tool or open them in another app. As Symantec points out, that could let malicious apps alter images or audio messages you receive or even, say, edit payment information in invoices to steal money.
Symantec reports that it advised WhatsApp and Telegram of the risks.
“WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem,” a WhatsApp spokesperson said in an email to Fast Company. “WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development. The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared.”
And, the spokesperson emphasized, a phone would have to have malware on it before this became a security risk.
Telegram didn’t immediately respond to an inquiry from Fast Company.
If you’re concerned, you can configure the apps to only store downloaded files in storage accessible through the app itself, although this may impact your ability to access files you receive through these apps in other programs on your phone. In WhatsApp, disable “Media Visibility” under “Settings -> Chats” and in Telegram, disable “Save to Gallery” under “Settings -> Chat Settings.”