6

I was wondering if it's possible to obtain private keys for WhatsApp to be able to sniff traffic between two WhatsApp Android devices (both under my control). I understand that WhatsApp traffic is now end-to-end encrypted, and I have read their technical paper where they describe the encryption used. But is the Message Key (used for encryption) stored somewhere on the client side where I could obtain it? Can this key be later used to decrypt traffic going out from my device? So far I've tried to root one of the devices and installed "Shark For Root" to see what kind of traffic is passing through. However, I want to be able to see the application-level data that is traveling encrypted between the two devices. Could anyone please suggest ways I could do this? I wanted to understand how WhatsApp works and what kind of data is being transferred through. Thanks.

QPTR
  • Do you have physical access to both devices? – Rápli András Feb 06 '17 at 06:21
  • Yes, I do. But only one of them is rooted. – QPTR Feb 06 '17 at 06:24
  • WhatsApp uses some standard protocol; you should find out what this protocol is and try from there. – Aria Feb 06 '17 at 12:19
  • Yep, but the thing is I don't know which particular way to proceed. Should I decompile WhatsApp and go from there? Any recommendations? – QPTR Feb 09 '17 at 11:21
  • 1
    I remember a French team who presented a framework at the yearly CCC a few years back that could be used to view and manipulate all app variables during runtime on Android. This will help you find the symmetric encryption key. Surely, that key is stored in the system storage (not SD card), and you have a chance of finding it, at least after disassembling the APK. – Anton Kaiser Feb 10 '17 at 22:20
  • Some of the links in this post may be useful: https://security.stackexchange.com/questions/108369/my-country-is-attempting-to-block-whatsapp-what-to-do/108370#108370 – Trey Blalock Mar 10 '17 at 06:01
  • Is it resolved? Is there a way to watch the decrypted packets? – ransh Dec 19 '18 at 19:10

1 Answer

1

Take a look at this paper here. They also provide the PCAP file used in the research here.

The password file should be stored at /data/data/com.whatsapp/files/pw.

However, if you are not root, you may want to use this trick to access it:

  • Install Android SDK
  • Open cmd
  • Change your directory and go into 'Platform tools'
  • Type 'adb shell'
  • su
  • Press 'Allow' on device
  • chmod 777 /data /data/data /data/data/com.whatsapp /data/data/com.whatsapp/*

Also, you can use this application to retrieve the password (also needs root)

Filipe Rodrigues
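The `chmod 777` step in the answer above grants read, write and traverse permission on those directories to every user ID at the file-permission level. As an added example, not part of the original answer, this shell function flags paths whose "other" permission bits are set. It assumes input lines of the form `<octal mode> <path>`, such as `stat -c '%a %n'` prints; the sample lines and `com.example.app` are constructed.

```shell
#!/bin/sh
# Added example (not from the original answer): flag paths that grant any
# access to "other" users, given "<octal mode> <path>" lines on stdin.

audit_modes() {
    while read -r mode path; do
        [ -n "$path" ] || continue
        other=${mode#"${mode%?}"}     # last octal digit = "other" class
        case $other in
            [1-7]) ;;                 # some access is granted to "other"
            *) continue ;;            # 0 (no access) or not an octal digit
        esac
        bits=""
        if [ $(( other & 4 )) -ne 0 ]; then bits="${bits}r"; else bits="${bits}-"; fi
        if [ $(( other & 2 )) -ne 0 ]; then bits="${bits}w"; else bits="${bits}-"; fi
        if [ $(( other & 1 )) -ne 0 ]; then bits="${bits}x"; else bits="${bits}-"; fi
        printf '%s other=%s\n' "$path" "$bits"
    done
}

# Constructed sample: modes as they would read after the chmod 777 step
# (the trailing /* matches direct children such as files/), plus one
# hypothetical untouched app directory for comparison.
SAMPLE_MODES='777 /data
777 /data/data
777 /data/data/com.whatsapp
777 /data/data/com.whatsapp/files
700 /data/data/com.example.app'

printf '%s\n' "$SAMPLE_MODES" | audit_modes
```

Record the modes before changing them so the original values can be restored once the analysis is done.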