WhatsApp takes the lazy route to authentication
WhatsApp, a popular app-based alternative to texting, has only recently introduced encryption. UK web developer Sam Granger has now posted information on how the app authenticates with the web interface under Android. The program generates a key by applying an easily reproducible algorithm to the device's unique ID (IMEI).
According to Granger, WhatsApp simply reverses the IMEI and uses this to generate an MD5 hash with no further salt. The device's phone number serves as the user name, so an attacker can easily determine both details using standard Android interfaces. A program to determine the IMEI and phone number can be written and posted under false pretences to Google Play in no time at all.
According to Granger, this access data can then be used to utilise the WhatsApp service. Though no official API exists, software promising access to WhatsApp web services is available online. This could enable attackers to send messages that appear to come from a hacked account.
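To make the weakness concrete, the following added example (not code from WhatsApp or from Granger) places the key derivation described above beside a hardened alternative in which the credential is random and the server stores only a salted verifier. The function names, the hex encoding of the MD5 digest, the PBKDF2 parameters and the sample IMEI are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample value, not a real device identifier.
SAMPLE_IMEI = "123456789012345"


def legacy_key(imei: str) -> str:
    """Scheme as described in the article: unsalted MD5 of the reversed IMEI.

    The hex encoding of the digest is an assumption. The result is a pure
    function of the IMEI, so any software that can read the IMEI can
    recompute the same key at any time.
    """
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


def _verifier(secret: bytes, salt: bytes) -> bytes:
    # Salted, iterated hash so the server never stores the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def enroll() -> tuple:
    """Hardened sketch: a random per-install secret, unrelated to the device.

    Returns (secret kept by the client, record kept by the server).
    """
    secret = secrets.token_bytes(32)   # generated once, at registration
    salt = secrets.token_bytes(16)     # unique per account
    return secret, {"salt": salt, "verifier": _verifier(secret, salt)}


def verify(record: dict, presented: bytes) -> bool:
    """Server-side check with a constant-time comparison."""
    candidate = _verifier(presented, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    # Same IMEI in, same key out: nothing else is needed to reproduce it.
    print(legacy_key(SAMPLE_IMEI) == legacy_key(SAMPLE_IMEI))
    secret, record = enroll()
    print(verify(record, secret))                              # True
    print(verify(record, legacy_key(SAMPLE_IMEI).encode()))    # False
```

With the hardened form, knowing the IMEI and phone number reveals nothing about the credential, and re-registering issues a fresh secret.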
How WhatsApp carries out authentication on other platforms is unclear at present. Unlike Android, Apple's iOS does not provide an official interface for obtaining the IMEI. Despite the recent addition of encryption, the program continues to send phone numbers – the effective user names – in plain text. In common with many other instant messaging programs, WhatsApp uses a version of the XMPP protocol for exchanging messages. The app runs on all major mobile platforms.