WhatsAppSniffer Shames WhatsApp’s Plaintext, Unprotected Chat Transfer Protocol

If you’re a Whatsapp user, you may want to read this. What’s important to note here is not that Whatsapp is alone in transmitting unencrypted data (up until recently, apps like Waze and UStream also used plain text transmission), but simply put, your contacts names and numbers are being transmitted, in human-readable form, over the network as you chat to them. Also note that:

1) If the article is correct, the Whatsapp team knew about this issue for close to a year. In addition, a string of security related issues (http://en.wikipedia.org/wiki/WhatsApp#Security_concerns) indicates that the organisation lacks either the competency or inclination to prioritise user’s security. Convenience > Security?

2) Even if your messages may not hold anything of interest, note that the Whatsapp application itself has access to information such your contact list, your precise location, your storage card, the ability to record audio/photos and call/receive phone calls and SMSs. It’s also the case that this information (in plain text) is viewable at a cellular level by somebody at your phone service provider.

If you’re using an iOS device, you may be oblivious to much of the above due to the patchy permissions model – to add insult to injury, it’s a paid app on iOS. Note that Whatsapp uses the XMPP protocol, otherwise known as Jabber, which other chat clients such as Google Talk uses, except Whatsapp don’t bother to encrypt it (Google Talk and nearly every other mainstream IM service utilises an SSL encryption layer properly for added security – Whatsapp uses port 443, but transmits in plain text, rendering it obselete).

You can also watch here a demonstration of what anybody with a network sniffer (in this case Wireshark – http://www.wireshark.org/, but also http://mitmproxy.org/) can do with an Whatsapp connection: Can you extract message and photo from Whatsapp?

So what can you do?

Option A) Be careful about what you type on Whatsapp, presume that everything can be intercepted and viewed (which it effectively can). Don’t type sensitive information.

Option B) Head to a local wifi hotspot and see what you can find. Chances are, with the number of people using Whatsapp, it wouldn’t take very long.

Option C) Clone a device’s normal hotspot and wait till their device automatically connects to it to launch a MITM attack. A fascinating video of this in action – http://partners.immunityinc.com/movies/Access_point_impersonation.mp4. Note that iOS devices readily broadcast the details of the last three access points they connected to, everywhere they go.

Option D) Use an alternative messaging service, at least until they have the inclination to patch the security holes. Perhaps a combination of push email and generous SMS allowances which everybody seems to have.

Option E) Ignore all of the above. Ignorance is bliss?

WhatsAppSniffer Shames WhatsApp’s Plaintext, Unprotected Chat Transfer Protocol, Shows Off Just How Much Can Be Sniffed


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s