How to Hack WhatsApp Messenger | Build WhatsApp API Client

Desktop IMs have long been our favorite mode of communication. But with time, their significance has definitely come down.

Smartphones taking large part of our daily life, IM services like Whatsapp, iMessage, BBM,  etc have emerged to be exchanging more messages every second. WhatsApp delivers more than 1 billion messages per day, but yet, its the most insecure way of communication.

As per a recent security analysis, WhatsApp is totally insecure way of communicating with friends.

 

WhatsApp Encryption

You will be surprised to know that until August 2012, messages sent through the WhatsApp service were not encrypted in any way, everything was sent in plaintext. That means if you were using Whatsapp on a public wifi, everything can be captured by anyone else sniffing ont he wireless network. The latest WhatsApp uses encryption but its this new encryption is broken. But still, phone number is sent out in plaintext.

The local storage isn’t any different, you can checkout WhatsApp Database Encryption Project Report

WhatsApp API & Reverse Engineering

If you know XMPP, the same protocol used by facebook, GTalk, and several others, you can try your hands-on WhatsAPI, an API for WhatsApp messenger.

WhatsApp uses customized XMPP server with proprietary extensions, named internally as FunXMPP.

1. WhatsApp Authentication / Login Mechanism
Just like any other XMPP, WhatsApp uses jabber id and password to login. The password is hashed, stored in servers upon account creation and used transparently everytime the client connects the server.

Its an incredibly horrible implementation. As researcher found out, the username is the user’s phone number – an attacker would probably already knows the victim’s number.

On Android, the password is a md5 hash of the reversed IMEI number:

$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash

On iOS, the password is generated from the devices WLAN MAC address:

$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // calculate md5 hash using the MAC address twice

Both IMEI and MAC address are easily retrievable from devices if you have physical access to it. MAC address is much easier to capture as you can sniff on the wireless network to which iOS device is connected.

The JID is a concatenation between your country’s code and mobile number.

Initial login uses Digest Access Authentication. You can try this for yourself:

https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password

$countrycode = the country calling code
$phonenumber = the users phone number (without the country calling code)
$password = see above, for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei))

The response you would receive would be in XML, containing messages designated for your phone.

2. Text Message communication

Messages are basically sent as TCP packets, following WhatsApp’s own format (unlike what’s defined in XMPP RFCs).

Photos, Videos and Audio files shared with WhatsApp contacts are HTTP-uploaded to a server before being sent to the recipient(s) along with Base64 thumbnail of media file (if applicable) along with the generated HTTP link as the message body.

WhatsApp Privacy Leak

WhatsApp shares your contacts with the server, we all know that. But the way it is done is ridiculously insecure. It basically sends contact information as:

https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4
The server response looks like:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>P</key>
<string>1234567890</string>
<key>T</key>
<integer>10817</integer>
<key>S</key>
<string>Some Status Message</string>
<key>JID</key>
<string>23xxxxxxxxx</string>
<key>NP</key>
<true/>
</dict>
</array>
</plist>

Key “P” is the users phone number, Key “T” seems to be the uptime(?), Key “S” is the users status message. Not sure about “JID” and “NP” yet – if you have smart guess let me know. All this information is public.

Verdict

WhatsApp is fastest growing IM service and yet, the most insecure. If you really care about your data privacy, stop using WhatsApp till its fixed. Rely on GTalk, facebook IM, which are proven to be secure by all means.

Related: Read, Extract WhatsApp Messages backup on Android, iPhone, Blackberry

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage

VN:F [1.9.22_1171]
Rating: 6.7/10 (35 votes cast)
VN:F [1.9.22_1171]
Rating: +9 (from 15 votes)
How to Hack WhatsApp Messenger | Build WhatsApp API Client, 6.7 out of 10 based on 35 ratings

Related Posts

Bookmark and Promote!

  • Rohit P. Tahiliani

    Awesome Information :)

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • Rohit P. Tahiliani

    But i am getting
    “This XML file does not appear to have any style information associated with it. The document tree is shown below.”

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • Baaam

    U have to insert something for the variables^^ But how can I send messages with this? :o

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • hawky

    does this still work?

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • Gxa

    is this tuff realy working?

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • mike

    yup.
    But a little pointless

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • Mo

    Need help! Can’t get it to work for my iPhone!
    How do I get it to work? How exactly are u supposed to key in the wlanMac and te area country code and mobile number does that includes 0 and do I have to put the $ sign and the •z
    Thanks

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • zorro

    what do you think about gwibber?

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • pranav

    it returns me as bad cc=”country code”
    though i tried several times

    VA:F [1.9.22_1171]
    Rating: 5.0/5 (1 vote cast)
    VA:F [1.9.22_1171]
    Rating: +1 (from 1 vote)
  • Azzoz

    do you think there is gonna be a way to activate whatsapp without sms verification by accessing these files

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • http://www.facebook.com/ranbuch Ran Buchnik

    You can see people’s status, so what??
    How can we “Build WhatsApp API Client”?
    How can I send a message?

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • http://www.facebook.com/jochemstoel Jochem Stoel

    Geez, people are asking some seriously stupid questions. My browser says “there is no stylesheet related to the XML, so how do I send a message?”

    Useful article. Thanks, author!

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • http://www.facebook.com/profile.php?id=1734386237 Андрей Москвичёв

    Thank you very much, for this useful information! :-)

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • Ganesh

    This XML file does not appear to have any style information associated with it. The document tree is shown below.

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • Eddie

    “Secure by all means” ??

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • 1024GBofRAM
    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
  • karan

    what to do

    VA:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)
    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
© 6167 Geeknizer. All rights reserved. XHTML / CSS Valid.
Designed by taranfx.