CVE-2021-24027 Overview
A cache configuration vulnerability exists in WhatsApp for Android and WhatsApp Business for Android that allows unauthorized access to cached TLS material. The issue stems from improper handling of sensitive cryptographic data stored on external storage, which can be accessed by third-party applications with storage permissions on the device.
Critical Impact
A third party with access to the device's external storage can read cached TLS material, potentially compromising the confidentiality of encrypted communications.
Affected Products
- WhatsApp for Android versions prior to v2.21.4.18
- WhatsApp Business for Android versions prior to v2.21.4.18
Discovery Timeline
- April 6, 2021 - CVE-2021-24027 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-24027
Vulnerability Analysis
This vulnerability is classified under CWE-524 (Use of Cache Containing Sensitive Information), indicating that the application improperly stores sensitive cryptographic material in a location accessible to other applications. On Android devices, external storage is a shared resource that can be accessed by any application granted the READ_EXTERNAL_STORAGE permission.
The core issue lies in WhatsApp's cache configuration for TLS-related data. Rather than storing this sensitive information in the application's private internal storage directory (which is sandboxed and protected by Android's security model), the cached TLS material was placed on external storage where it could be read by malicious applications or users with physical device access.
Root Cause
The root cause is an insecure data storage configuration where TLS session data and related cryptographic material were cached to the device's external storage. Android's security architecture provides strong isolation for data stored in an application's internal data directory (/data/data/<package_name>/), but external storage (/sdcard/ or /storage/emulated/0/) is accessible to any application with appropriate storage permissions. This misconfiguration allowed sensitive TLS caching data to be exposed beyond the intended application boundary.
Attack Vector
The attack requires an adversary to either have physical access to the target device or deploy a malicious application that has been granted external storage read permissions. Once access is obtained, the attacker can navigate to WhatsApp's cache directory on external storage and extract the cached TLS material. This information could potentially be leveraged to:
- Decrypt previously captured TLS-encrypted traffic
- Perform session hijacking attacks
- Gain insights into the encryption mechanisms used by the application
- Facilitate man-in-the-middle attacks by understanding the TLS session parameters
The attack can be executed remotely through a malicious application installed on the victim's device, or locally by an attacker with physical access to an unlocked device or one with USB debugging enabled.
Detection Methods for CVE-2021-24027
Indicators of Compromise
- Unusual file access patterns to WhatsApp's external storage cache directories
- Applications with READ_EXTERNAL_STORAGE permission accessing WhatsApp-related files
- Suspicious processes reading from /storage/emulated/0/Android/data/com.whatsapp/ or similar paths
- Unexpected data exfiltration from mobile devices to external endpoints
Detection Strategies
- Monitor for applications requesting and using storage permissions to access other application directories
- Implement mobile threat detection solutions that identify apps attempting to read sensitive data from other application caches
- Use behavioral analysis to detect applications exhibiting reconnaissance behavior on external storage
- Deploy endpoint detection and response (EDR) solutions with mobile device visibility
Monitoring Recommendations
- Enable logging for file system access events on Android devices through mobile device management (MDM) solutions
- Implement network traffic analysis to detect potential exfiltration of cryptographic material
- Monitor for the installation of applications with suspicious storage permission requests
- Review application permission grants periodically on enterprise-managed devices
How to Mitigate CVE-2021-24027
Immediate Actions Required
- Update WhatsApp for Android to version 2.21.4.18 or later immediately
- Update WhatsApp Business for Android to version 2.21.4.18 or later
- Review installed applications on affected devices for suspicious storage permission grants
- Consider clearing WhatsApp cache data after updating to remove potentially exposed material
Patch Information
WhatsApp has addressed this vulnerability in version 2.21.4.18 for both WhatsApp and WhatsApp Business for Android. The fix ensures that sensitive TLS material is properly stored in the application's private internal storage directory, which is protected by Android's application sandbox security model. Users should update to the patched versions through the Google Play Store or official WhatsApp download channels.
For detailed information, refer to the WhatsApp Security Advisory.
Workarounds
- Restrict installation of untrusted applications that request storage permissions
- Implement enterprise mobile device management (MDM) policies to control application permissions
- Enable Android's scoped storage features on Android 10+ devices to limit application access to external storage
- Regularly clear application caches and external storage data
- Use device encryption to protect data at rest on external storage
# Verify WhatsApp version on Android (ADB command)
adb shell dumpsys package com.whatsapp | grep versionName
# Expected output for patched version: versionName=2.21.4.18 or higher
# Check WhatsApp Business version
adb shell dumpsys package com.whatsapp.w4b | grep versionName
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
