Whatsapp is something you probably use right now, or atleast heard of its name. It is a cross platform IM application for smartphones. Along with messages, people can also send audio, video and images. It is available for all leading smartphone platforms like android, iOS, blackberry, Symbian, Windows etc. Whatsapp handles a few billion messages everyday. That is, approx. more than 50,000 messages are being sent every second! This signifies the popularity of this smartphone app. That is incredible success for a company which was started just a few years ago.
Indeed whatsapp is a great alternative to conventional texting, no doubt. But along with all the merits and successes, this app has got some drawbacks too. It has been heavily criticized for its security issues, mainly cryptographic standards and the way it handles user's personal data. Following paragraphs will elaborate on the security mechanisms this app uses.
As most of the popular instant messaging clients like yahoo and gtalk do, whatsapp uses XMPP i.e. eXtensible Messaging and Presence Protocol. Whatsapp implements a modified version of this standard. On installing this app, it creates an account on whatsapp's server.
Its username, or technically known as 'Jabber ID' is concatenation of the user's country code and their mobile number.
For example, 911234567890 where 91 is the country code followed by 10 digit mobile number.
username : <mobile no>@s.whatsapp.net
There's something interesting about the password. It is generated from the phone's IMEI number or MAC address.
For android devices, the password is md5 hash of the phone IMEI no reversed.
password : md5(strrev($imei))
For iOS devices, the password is md5 hash of the device's Wireless Interface card MAC address, written twice. Mac address is concatenated with itself and its md5 is found out.
password : md5(mac+mac)
Messages are sent as TCP packets. As whatsapp puts it, no messages are stored on their servers once they're delivered to the recipient. For sending of multimedia like audio, video or pictures, the data is first uploaded to the HTTP server. A link to the uploaded file is sent to the recepient's phone alongwith thumbnail file, if required.
Previously, till August 12, 2012, messages were being sent in cleartext. Anyone on the same wifi network was able to sniff the packets and read messages. This gave attackers ability to launch a session hijacking attack. However, currently messages are being sent encrypted for iOS and android. Whatsapp does not specify what encryption standard it implements for some undisclosed location. The encryption algorithm it uses currently has been reverse engineered, especially for iOS devices. Here's a link to the article:
http://pastebin.com/g9UPuviz
Overall verdict is that the current encryption mechanisms are not according to a standard.
This app uses phone's IMEI number or mac address as password. Something that is easily accessible to someone in physical contact with the phone. IMEI number can be found out with apps available in the market, also it is printed on the back side of the battery. Someone using the same wifi network as you, can easily find out the mac address of the iOS device, without being in physical contact, by sniffing. Therefore, anyone using a public wifi for whatsapp is at risk of getting their data sniffed and their account can be used to send and receive messages. All an attacker has to know is victim's mobile number (which is obviously known to him) and the phone's mac address or IMEI to enter into a script. Then they are able to send and receive messages from the compromised account.
Initial login at whatsapp's server uses digest access authentication. You can try this out yourself:
https://r.whatsapp.net/v1/exist.php?cc=<country code>&in=<mobile no>&udid=<password>
Here,
country code and mobile no are to be replaced by your country code and mobile no, and password is something you can get from md5 of IMEI or Mac, as explained earlier.
On successful request, it should give you a status response 'ok' meaning that you're valid over there on whatsapp.. :P
Although whatspp doesn't officially provide its API, there is an open source project called 'WhatsAPI'. Those guys have done a great job of creating whatsapp's API by reverse engineering. It has been very popular though some legal issues have been surrounding it recently.
https://github.com/venomous0x/WhatsAPI
This API is coded in both PHP and Python and can be used in integration with web apps. It can be used to send whatsapp messages to any number. Other such third party web-based API is available:
http://www.whatsapp-api.com/
The API itself is hosted on their site and can be accessed with HTTP requests. Although this service costs money to start using it.
One more thing we all know, whatsapp shares your contacts with their server to see which contacts are present. The way it is done is very insecure. The mobile numbers of your contacts are sent as an array through HTTP request parameter as follows:
https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4
Indeed whatsapp is a great alternative to conventional texting, no doubt. But along with all the merits and successes, this app has got some drawbacks too. It has been heavily criticized for its security issues, mainly cryptographic standards and the way it handles user's personal data. Following paragraphs will elaborate on the security mechanisms this app uses.
As most of the popular instant messaging clients like yahoo and gtalk do, whatsapp uses XMPP i.e. eXtensible Messaging and Presence Protocol. Whatsapp implements a modified version of this standard. On installing this app, it creates an account on whatsapp's server.
Its username, or technically known as 'Jabber ID' is concatenation of the user's country code and their mobile number.
For example, 911234567890 where 91 is the country code followed by 10 digit mobile number.
username : <mobile no>@s.whatsapp.net
There's something interesting about the password. It is generated from the phone's IMEI number or MAC address.
For android devices, the password is md5 hash of the phone IMEI no reversed.
password : md5(strrev($imei))
For iOS devices, the password is md5 hash of the device's Wireless Interface card MAC address, written twice. Mac address is concatenated with itself and its md5 is found out.
password : md5(mac+mac)
Messages are sent as TCP packets. As whatsapp puts it, no messages are stored on their servers once they're delivered to the recipient. For sending of multimedia like audio, video or pictures, the data is first uploaded to the HTTP server. A link to the uploaded file is sent to the recepient's phone alongwith thumbnail file, if required.
Previously, till August 12, 2012, messages were being sent in cleartext. Anyone on the same wifi network was able to sniff the packets and read messages. This gave attackers ability to launch a session hijacking attack. However, currently messages are being sent encrypted for iOS and android. Whatsapp does not specify what encryption standard it implements for some undisclosed location. The encryption algorithm it uses currently has been reverse engineered, especially for iOS devices. Here's a link to the article:
http://pastebin.com/g9UPuviz
Overall verdict is that the current encryption mechanisms are not according to a standard.
This app uses phone's IMEI number or mac address as password. Something that is easily accessible to someone in physical contact with the phone. IMEI number can be found out with apps available in the market, also it is printed on the back side of the battery. Someone using the same wifi network as you, can easily find out the mac address of the iOS device, without being in physical contact, by sniffing. Therefore, anyone using a public wifi for whatsapp is at risk of getting their data sniffed and their account can be used to send and receive messages. All an attacker has to know is victim's mobile number (which is obviously known to him) and the phone's mac address or IMEI to enter into a script. Then they are able to send and receive messages from the compromised account.
Initial login at whatsapp's server uses digest access authentication. You can try this out yourself:
https://r.whatsapp.net/v1/exist.php?cc=<country code>&in=<mobile no>&udid=<password>
Here,
country code and mobile no are to be replaced by your country code and mobile no, and password is something you can get from md5 of IMEI or Mac, as explained earlier.
On successful request, it should give you a status response 'ok' meaning that you're valid over there on whatsapp.. :P
Although whatspp doesn't officially provide its API, there is an open source project called 'WhatsAPI'. Those guys have done a great job of creating whatsapp's API by reverse engineering. It has been very popular though some legal issues have been surrounding it recently.
https://github.com/venomous0x/WhatsAPI
This API is coded in both PHP and Python and can be used in integration with web apps. It can be used to send whatsapp messages to any number. Other such third party web-based API is available:
http://www.whatsapp-api.com/
The API itself is hosted on their site and can be accessed with HTTP requests. Although this service costs money to start using it.
One more thing we all know, whatsapp shares your contacts with their server to see which contacts are present. The way it is done is very insecure. The mobile numbers of your contacts are sent as an array through HTTP request parameter as follows:
https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4
The verdict... as you can see, whatsapp has got so much to work on security. At the same time, its presence cannot be denied in our daily life. iOS users, do not use it on public wifi, 3G or your own wifi with no other users will do. If you are concerned about security, avoid giving your phone to people who you don't trust because that will be an easy way for them to know your IMEI. We hope that they come up with better alternative to current passwords and standard cryptography implementations to increase reputability with the security community too :)
Nice article
ReplyDeleteDude, your SQL injection article is old as anything. Ref: http://www.hackyeah.com/2010/05/hack-yeah-sql-injection-walkthrough-dvwa/ published in 2010.
ReplyDeleteI had tried to keep it as simple as possible. but thanx... next time I'll try to be more elaborative :)
ReplyDelete