2

How does WhatsApp identify a specific user in order to forward the messages to him?

Here is what I did:

  1. I backed up my iOS app from my old device
  2. Restored the backup to the new device
  3. Opened WhatsApp on the new device

And it works without any need for SMS verification for the new device.

So that's telling me WhatsApp does one of two things:

  1. WhatsApp embeds your phone number during the verification process into the app itself
  2. WhatsApp embeds the verification code you get via SMS into the app itself and uses that as an identifier for that phone number

The first method is stupid if it's true, because any smart guy can reverse engineer and modify the WhatsApp code and embed any phone number he wants to hack.

The second method seems smart since no one knows the SMS code except you, but this isn't secure either, because a government or anyone who has a connection, for example, would have no problem getting all incoming SMS messages for any phone, and from there they can reverse engineer the WhatsApp app and embed that as well.

Rory Alsop
  • Both approaches sound bad to me. I'd rather store a cryptographic key or token in the application's config and only use the SMS code as one-time activation of that key. – CodesInChaos Dec 17 '15 at 16:36
  • Even that isn't secure. If you know the SMS code, then for some smart-ass cracker it wouldn't be hard to find out how the cryptographic key mechanism works. WhatsApp isn't smarter than big software companies who fail to protect their software; just a few days ago Rad Studio got cracked, and it's some of the hardest shit to crack – Flexair Flexair Dec 17 '15 at 16:41
  • Of course being able to receive SMS sent to that number gives you the ability to obtain an account for that number. But using a token has several advantages over storing the code. 1) The code likely has low entropy, so using it as little as possible and limiting its lifetime is a good idea. 2) The code can be copied by a malicious network. When you store that code directly, this leads to silent impersonation, whereas activating a separate token means that the attacker has to register an additional device that can be listed in a device list. – CodesInChaos Dec 17 '15 at 16:47

1 Answer

1

According to Wikipedia

Upon installation, it creates a user account using one's phone number as the username

...

A 2012 update now generates a random password on the server side.

...

WhatsApp follows a ‘store and forward’ mechanism for exchanging messages between two users. When a user sends a message, it first travels to the WhatsApp server where it is stored. Then the server repeatedly requests the receiver acknowledge receipt of the message.

The key is to notice that in all of this the app doesn't actually use telephony services, so it can't use your phone number in the traditional manner. Also note that when you install the app you're effectively just creating an account where your username happens to be your phone number. Think about it as if, when you signed up for Stack Exchange, they just assigned you a random number rather than letting you pick a name.

As to why you didn't have to reverify your account via SMS, if the iOS backup also backed up the app's data and configuration then the app would have everything it needs to connect as your account.

In terms of security - since account-password is the way just about every verified service works, this method would be just as secure as your app's configuration files. One could argue it's more secure than other services since the user doesn't know their username/password and thus can't give them away (if you believe in security by obscurity, that is).

tbernard
  • Actually it's not so hard to get your WhatsApp password; hackers have already done that. Tools like this can give you just that: https://github.com/mgp25/WART. I just tested it now, and all you need is the SMS code to find out your pass – Flexair Flexair Dec 17 '15 at 20:13
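
A server-side sketch of the scheme discussed in this thread, added here as an illustration and not WhatsApp's own code: the SMS code is a short-lived, single-use activation, the server then issues a random per-device secret that the app keeps in its data (which is why a restored backup logs in without a new SMS), and every activation shows up in a device list. The class name, method names and the 300-second code lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300  # seconds an SMS code stays valid (assumed value)

class Registrar:
    """Toy server: SMS code activates once, then a random secret authenticates."""

    def __init__(self):
        self.pending = {}   # phone -> (code, expiry)
        self.devices = {}   # phone -> {device_id: sha256(secret)}

    def send_code(self, phone, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # low entropy, so short-lived
        self.pending[phone] = (code, now + CODE_TTL)
        return code  # stands in for the SMS delivery

    def activate(self, phone, code, now=None):
        now = time.time() if now is None else now
        # pop() makes the code single use: a wrong or late attempt burns it too
        expected, expiry = self.pending.pop(phone, (None, 0))
        if expected is None or now > expiry:
            return None
        if not hmac.compare_digest(expected, code):
            return None
        device_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)  # high-entropy per-device credential
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self.devices.setdefault(phone, {})[device_id] = digest
        return device_id, secret  # the client stores these in its app data

    def login(self, phone, device_id, secret):
        stored = self.devices.get(phone, {}).get(device_id)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, digest)

    def list_devices(self, phone):
        # lets the account owner see every activation, including unexpected ones
        return sorted(self.devices.get(phone, {}))

    def revoke(self, phone, device_id):
        return self.devices.get(phone, {}).pop(device_id, None) is not None
```

Someone who intercepts an SMS code can still activate a device, but that activation appears in `list_devices` and can be revoked, which is the difference from storing the code itself as the credential.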