WhatsApp allegedly creates overly simple passwords under iOS too
The iOS version of WhatsApp, the popular app-based alternative to texting, also uses a primitive method to generate log-in passwords, just like the Android version of the application. According to a post on an Italian blog, the iOS client simply doubles the Wi-Fi interface's MAC address and generates an MD5 hash from it:
md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF).
To prove this, the author provides an excerpt from the iPhone app's disassembled code. If the allegations turn out to be true, the author has found a serious security problem: WhatsApp only requires users' phone numbers and these automatically generated passwords for authentication. If the app is used over, for example, a public hotspot, this would easily allow other Wi-Fi network users to read this information – and potentially even to permanently take control of accounts.
The MAC address is publicly available on a network anyway and a test by The H's associates at heise Security has shown that transferred messages include a plain text version of the user's number – despite the recently introduced message encryption. Under Android, WhatsApp uses the smartphone's IMEI number, rather than the Wi-Fi MAC address, to generate the password.
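The derivation the blog post describes, reimplemented here as an added illustration (this is not WhatsApp's code or the post's disassembly), next to the kind of per-install random secret an app would use instead; the function names and the assumption that such a secret can be kept in the device keychain are mine:

```python
import hashlib
import secrets


def weak_password_from_mac(mac: str) -> str:
    """Credential derived as the article describes for the iOS client:
    the Wi-Fi MAC address written twice, then hashed with MD5.

    The input is public on any shared network, so anyone who observes the
    MAC can recompute exactly this value (the scheme is deterministic)."""
    normalized = mac.strip().upper()
    doubled = normalized + normalized          # "AA:BB:...:FFAA:BB:...:FF"
    return hashlib.md5(doubled.encode("ascii")).hexdigest()


def random_install_secret() -> str:
    """Hardened alternative (assumption: stored in the device keychain at
    first launch). The credential is unrelated to any hardware identifier,
    so observing MAC, IMEI or phone number does not reveal it."""
    return secrets.token_hex(32)               # 256 bits from the OS CSPRNG


def demo() -> dict:
    """Constructed sample MAC; shows the weak scheme is reproducible from a
    public value while the random secret is not."""
    sample_mac = "aa:bb:cc:dd:ee:ff"           # constructed, not a real device
    return {
        "weak_is_reproducible": weak_password_from_mac(sample_mac)
        == weak_password_from_mac(sample_mac.upper()),
        "random_is_reproducible": random_install_secret()
        == random_install_secret(),
    }


if __name__ == "__main__":
    print(demo())
```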
(crve)