I focus on this app not to pick on its lack of security (mainly integrity and confidentiality) but rather to show the instrumental role that reverse engineering and black box testing play in assessing the security of web-based and, now, smartphone-based applications such as Whatsapp.
Reverse engineering the Whatsapp app and studying the packets that the app exchanges with the server (black box testing) are two ways to understand how the app works and what its security features actually are.
On a Python-enabled Ubuntu box, download the Yowsup library, which includes the command line interface named yowsup-cli. As mentioned in reference , you need to construct a configuration file with a phone number and an IMEI belonging to a mobile phone that, first, you own and, second, you have not used with Whatsapp before (the number will receive the registration code by SMS).
The command lines that reference  proposes are:
- Requesting a code
./yowsup-cli -c [yourconfigfile] --requestcode sms
- Registering with the received code
./yowsup-cli -c [yourconfigfile] --register thecodeyourreceivedinyourphone
- Modifying the config file with the received password as shown in
- And you are ready to send Whatsapp messages
./yowsup-cli -c [yourconfigfile] -s [destination phone number] "message"
Now some security related questions:
- The config file holds an IMEI and a phone number, and after registration the password as well. As long as someone has access to those pieces of information, what prevents them from following these steps and sending messages as you? During registration only the one-time code delivered by SMS to that number stands in the way; once the password is in the config file, nothing does, so that file is the credential and deserves the same protection as one.
- Why does instant messaging attract a myriad of users while secured or hardened systems are not so attractive?
- Would it be worthwhile to research the crossroads between user friendliness and information security? Certainly!
The sites I used as reference to build this post are:
- Whatsapp in Linux with Python, by Alejandro Pernin.
- The Yowsup Python code, by Tarek Galal, hosted on GitHub.
- The yowsup-cli command line interface page, by Tarek Galal, hosted on GitHub.
Happy (in)secure messaging!
[Photo caption: Photos also communicate]