
How does it work technically?

Does WhatsApp expose these messages via an API? If yes, then it seems like this is not only on Google.

If no: Are they reading data from raw UI widgets? Are they intercepting input controls? Are they intercepting network traffic? That seems unlikely, given it's probably end-to-end encrypted and the decryption happens within the scope of the WhatsApp process.



> If no: Are they reading data from raw UI widgets? Are they intercepting input controls?

Why not... they control the OS, it'd be trivial to add hooks to the "draw widget" command to intercept that it's about to draw a text widget for WhatsApp, and then ask it to log the text.


My understanding (may be wrong):

WhatsApp data is encrypted, however, the keys are on the device itself and accessible on Android. There are many third-party apps that support transferring WhatsApp data from one phone to another, and some even claim so between Android and iOS devices. As I understand, the chats are in some usual database format. So anyone having access to the device can read the data even without WhatsApp being there itself (as far as the data is there).


I don't think it's quite as simple as that. The keys are stored in a storage area that Android locks off as WhatsApp's alone; no other app can get to those keys.

At the very least you'd need to root your device, but even that might not be quite enough going by my memory of trying to export my chats once. I remember the only documented working path included something like installing a shady, modified APK of a legacy WhatsApp version with an outdated encryption method to a second device and then somehow getting the new app to write a backup in the legacy format, to then restore to the fake second device and decrypt. I quit there because the risk of actually losing my entire backup seemed too high. And that was about five years ago, so I'd assume if anything, it's even more difficult today.


Maybe it uses Accessibility...

>When granted, an app with accessibility permission can:

  Read screen content (including text and buttons in other apps)
  Detect user interactions (like taps, swipes, or gestures)
  Navigate between apps and the system UI
  Monitor app launches and foreground/background changes
  Access and control other apps indirectly
  Perform gestures or clicks on behalf of the user


> Does WhatsApp expose these messages via an API?

WhatsApp has dark patterns that "guide" you to "archive" your chats on Google Drive.


No other app can get to that backup data though except the original one that made the backup. Not even the owner of the account is allowed access to it (which I'm almost sure is a GDPR violation)!

I'm not saying it's impossible that Google just grants their own app an (IMO indefensible) exception to this. But the potential shitstorm would be massive, so I assume they probably use some other way, such as screen recording or accessibility features.



