
Since I have always been interested in IT security questions, I did some research over the last few days on the current hot topic “WhatsApp security holes”. There are a lot of interviews with different security experts, and they always confirm that WhatsApp has security issues, but they don’t give specific advice on how to avoid them.
This is why I want to explain the basic issue and give you some advice on how to prevent it.
The security problem
WhatsApp was originally developed to be as easy to use as possible. I assume that is why they decided to push it to the market without any registration. Of course they do a registration in the background (otherwise you would just need to have the phone number), but this is just a background mechanism. This would be a nice solution if they gave you the possibility to change the password! As soon as someone has the combination of phone number (which is quite easy to get -> just ask the person) and this automatically generated password, they can read your messages and even send messages in your name.
How the mechanism works:
On Android
For a long time this mechanism was a secret, until Sam Granger reverse engineered it for Android and published the result on his blog. Basically it just takes your IMEI (International Mobile Equipment Identity), reverses it and calculates the MD5 checksum of the string:
md5(strrev('your-imei-goes-here'))
On iOS
Six days later, Eizo Amodio did the same for iOS. There it’s even worse (I will explain why later): since iOS doesn’t allow you to read the device IMEI number, they take the MAC (Media Access Control) address of the Wi-Fi adapter instead:
md5('AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF')
How to avoid the problem:
On Android
Android users are in a better situation than iPhone users. The IMEI is the unique device ID, which, unlike the MAC address, is not published anywhere. Still, there are some things you should keep in mind:
- Avoid apps which request the following permissions in combination:
  - android.permission.READ_PHONE_STATE
  - android.permission.INTERNET
- Don’t throw away your phone packaging; the IMEI number is usually printed on it.
- Scary fact: Your phone service provider probably stores both pieces of information (phone number & IMEI) unencrypted in their system.
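An added example (not from the original post) of checking for the permission combination listed above: it reads decoded AndroidManifest.xml text and reports the packages that request both permissions. The package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The combination the article warns about: read the IMEI, then send it out.
RISKY_COMBO = {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"}
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

def requested_permissions(manifest_xml):
    """Return the set of permissions a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter():
        if elem.tag in PERMISSION_TAGS:
            name = elem.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifests):
    """Return the sorted package names that request the whole risky combination."""
    return sorted(
        pkg for pkg, xml in manifests.items()
        if RISKY_COMBO <= requested_permissions(xml)
    )

def _manifest(pkg, perms):
    """Build a constructed sample manifest in text form, as a decoder such as apktool emits."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application/></manifest>' % (pkg, uses))

# Constructed samples: hypothetical package names, not real apps.
SAMPLES = {
    "com.example.flashlight": _manifest("com.example.flashlight", [
        "android.permission.CAMERA",
        "android.permission.READ_PHONE_STATE",
        "android.permission.INTERNET"]),
    "com.example.notes": _manifest("com.example.notes", [
        "android.permission.INTERNET"]),
    "com.example.dialer": _manifest("com.example.dialer", [
        "android.permission.READ_PHONE_STATE"]),
}

if __name__ == "__main__":
    for pkg in audit(SAMPLES):
        print("requests READ_PHONE_STATE + INTERNET:", pkg)
```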
On iOS
- Be careful which apps you install, especially if you download apps from the Cydia store
- Only connect to Wi-Fi networks you can trust or where you are anonymous
Possible solutions:
The solution is quite easy: if the user had the possibility to change the password, WhatsApp would be way more secure than it is at the moment. The disadvantages for the WhatsApp company are obvious:
- The user experience is worse, since the users have to go through a registration process first
- The API would be open for everyone (well, it is already anyway)
Opportunities
Well, we already did some experiments in the last weeks. Since the API is basically open to everyone, you can use it for whatever you want. For example, you could build a Twitter to WhatsApp client or a web client for WhatsApp (there are already some projects going in this direction). Maybe you can follow us on WhatsApp in the near future.

Thanks to this exploitable security hole, we’re able to provide a nice WhatsApp API
Dear Lukas, thanks for this article.
Regarding the ‘scary fact’: The telecommunication company I work for as a J2EE developer does in fact store IMEI and MSISDN unencrypted in the databases. So this ‘scary fact’ could be changed to not ‘probably’, but ‘most’.
I don’t think that it’s totally based on the IMEI number, because WhatsApp also works on PC (in the BlueStacks application), where there is actually no IMEI number in the Android OS!!