WhatsApp

From Wikipedia, the free encyclopedia
WhatsApp Messenger
WhatsApp Messenger 2.8.2 running on iOS
Developer(s): WhatsApp Inc.
Stable release:

Android
2.9.5640 (April 19, 2013; 30 days ago (2013-04-19)) [1][2]

BlackBerry OS
2.9.874 (January 25, 2013; 3 months ago (2013-01-25)) [3][4]

BlackBerry 10
2.9.3733 (March 13, 2013; 2 months ago (2013-03-13)) [3][5]

iOS
2.8.7 (December 7, 2012; 5 months ago (2012-12-07)) [6]

Nokia Symbian (S60)
2.9.7108 (May 15, 2013; 4 days ago (2013-05-15)) [7][8]

Nokia Series 40
2.4.21 (April 23, 2013; 26 days ago (2013-04-23)) [9][10]

Windows Phone
2.9.4 (February 24, 2013; 2 months ago (2013-02-24)) [11]

Development status: Active
Operating system: Android, BlackBerry OS, BlackBerry 10, iOS, Series 40, Symbian and Windows Phone
Type: Instant Messaging
Licence: Proprietary
Website: whatsapp.com

WhatsApp Messenger is a proprietary, cross-platform instant messaging application for smartphones. In addition to text messaging, users can send each other images, video, and audio media messages. The client software is available for Android, BlackBerry OS, BlackBerry 10, iOS, Series 40, Symbian (S60), and Windows Phone. WhatsApp Inc. was founded in 2009 by Brian Acton and Jan Koum, both veterans of Yahoo!, and is based in Santa Clara, California.[12]

Competing with a number of Asian-based messaging services (like LINE, KakaoTalk, and WeChat), WhatsApp was handling ten billion messages per day as of August 2012,[13] growing from two billion in April 2012[14] and one billion the previous October.[15] According to the Financial Times, WhatsApp "has done to SMS on mobile phones what Skype did to international calling on landlines."[16]

Technical

WhatsApp uses a customized version of the open standard Extensible Messaging and Presence Protocol (XMPP).[17] Upon installation, it creates a user account using one's phone number as username (Jabber ID: [phone number]@s.whatsapp.net). The WhatsApp software compares all phone numbers from the device's address book with its central database of WhatsApp users and automatically adds matching contacts to the user's WhatsApp contact list. Previously, the Android and S40 versions used an MD5-hashed, reversed version of the phone's IMEI as password,[18] while the iOS version used the phone's WiFi MAC address instead of the IMEI.[19][20] A recent update now generates a random password on the server side.[21]
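The password scheme described above can be compared with a server-generated secret in a short sketch. This is an added example, not WhatsApp's code: the function names, the sample IMEI and the 160-bit length of the random secret are assumptions made for illustration. It shows that an IMEI-derived password is a deterministic function of a device identifier and carries only as many secret bits as the identifier's free digits.

```python
import hashlib
import math
import secrets

def luhn_check_digit(body14):
    """Luhn check digit for the 14-digit TAC + serial part of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def legacy_password(imei):
    """Scheme as described in the text: MD5 over the reversed IMEI string."""
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()

def unknown_bits(tac_known):
    """Upper bound on the secret bits in an IMEI-derived password.
    An IMEI is an 8-digit TAC (model code) + 6-digit serial + 1 computed digit."""
    free_digits = 6 if tac_known else 14
    return free_digits * math.log2(10)

def derived_from(credential, identifiers):
    """Audit check: return the identifier a credential derives from, else None."""
    for ident in identifiers:
        if secrets.compare_digest(legacy_password(ident), credential):
            return ident
    return None

# Constructed sample value: 14-digit body plus its computed check digit.
SAMPLE_IMEI = "49015420323751" + luhn_check_digit("49015420323751")

if __name__ == "__main__":
    old = legacy_password(SAMPLE_IMEI)
    new = secrets.token_hex(20)  # assumed 160-bit server-generated secret
    print("legacy:", old, "derived from", derived_from(old, [SAMPLE_IMEI]))
    print("random:", new, "derived from", derived_from(new, [SAMPLE_IMEI]))
    print("secret bits, model known:   %.1f" % unknown_bits(True))
    print("secret bits, model unknown: %.1f" % unknown_bits(False))
```

The same audit check applies to any credential built from an identifier that the device exposes to other parties; a server-generated random value never matches it.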

Multimedia messages are sent by uploading the image, audio or video to an HTTP server and then sending a link to the content along with its Base64-encoded thumbnail (if applicable).[22]

Until August 2012, messages were sent in unencrypted plain-text format, making the system vulnerable to session hijacking.[23] As of August 15, 2012, the WhatsApp Support Staff claims messages are encrypted in the "latest version" of the WhatsApp software for iOS and Android (not including BlackBerry, Windows Phone and Symbian), without specifying the implemented cryptographic method.[24]

Security

In May 2011, a security hole was reported in WhatsApp which left user accounts open for hijacking.[25] Since May 2011, it has been reported that communications made by WhatsApp are not encrypted, and data is sent and received in plaintext, meaning messages can easily be read if packet traces are available.[26]

According to some sources, it is believed that the hijacking hack was performed by Liroy van Hoewijk, CEO of CoreISP.net, and later fixed with his help in reproducing it for WhatsApp on Android and Symbian.[27][28] Then, in May 2012, security researchers noted that new updates of WhatsApp no longer sent messages as plaintext;[29][30][31] however, the cryptographic method implemented was subsequently described as "broken".[32]

In September 2011, a new version of the WhatsApp Messenger application for iPhones was released. In this version, the developer closed a number of critical security holes that had allowed forged messages to be sent and messages from any WhatsApp user to be read.[33]

On January 6, 2012, an unknown hacker published a website (WhatsAppStatus.net) which made it possible to change the status of an arbitrary WhatsApp user, as long as the phone number was known. For the change to take effect, only a restart of the app was required. According to the hacker, it was only one of the many security issues in WhatsApp. On January 9, WhatsApp reported that it had solved the issue. In reality, the only measure taken was blocking the website's IP address. In reaction, a Windows tool providing the same functionality was made available for download. The issue has since been resolved by an IP check on the currently logged-in session.[34][35]

On January 13, 2012, WhatsApp was pulled from the iOS App Store. The reason was not disclosed. The app was added back to the App Store four days later.[36]

Using WhatsAPI, German tech site The H demonstrated how to hijack any WhatsApp account on September 14, 2012.[37] Shortly after, a legal threat against WhatsAPI's developers was alleged, characterized by The H as "an apparent reaction" to security reports, and WhatsAPI's source code was taken down.[38] The WhatsAPI team has since returned to active development.[39]

Privacy

Another issue was observed on and before November 28, 2012 (the WhatsApp blog post about it is from January 12). It was not a security concern but a problem with "chain messages": users received spam and unwittingly forwarded hoax messages to people on their contact lists.[40] The WhatsApp team stated clearly on its website that all such messages are fake.[41] This was not the work of hackers, but simply of people randomly forwarding nonsense, a problem on any social media.

A major privacy and security issue has been the subject of a joint Canadian-Dutch government investigation. The primary concern was that WhatsApp required users to upload their mobile phone's entire address book to WhatsApp servers so that WhatsApp could discover which of the user's existing contacts were available via WhatsApp. While this is a fast and convenient way to find and connect the user with contacts who also use WhatsApp, it means that the address book was mirrored on the WhatsApp servers, including contact information for contacts who do not use WhatsApp. However, this information was stored as a hash and without additional identifying information such as a name.[42][43][44][45]

On March 31, 2013, the governing body of telecommunications affairs in Saudi Arabia, the Communications and Information Technology Commission (CITC), issued a statement regarding possible measures against WhatsApp, among other applications, unless the service providers took serious steps in order to comply with monitoring and privacy regulations.[46]

API

Although WhatsApp Inc. does not provide an open application programming interface (API), a reverse-engineered library is made available on GitHub.[18]

References

  1. ^ WhatsApp Inc. (February 1, 2013). "WhatsApp Messenger". Google Play. Google. Retrieved February 1, 2013. 
  2. ^ WhatsApp Inc. (February 13, 2013). "WhatsApp for Android". WhatsApp. Retrieved February 1, 2013. 
  3. ^ a b WhatsApp Inc. (January 25, 2013). "WhatsApp Messenger". BlackBerry App World. Research In Motion. Retrieved January 29, 2013.
  4. ^ WhatsApp Inc. (January 25, 2013). "WhatsApp for BlackBerry". WhatsApp. Retrieved January 29, 2013.
  5. ^ WhatsApp Inc. (March 13, 2013). "WhatsApp for BlackBerry 10". WhatsApp. Retrieved March 13, 2013. 
  6. ^ WhatsApp Inc. (December 7, 2012). "WhatsApp Messenger". Apple App Store. Apple. Retrieved January 29, 2013. 
  7. ^ WhatsApp Inc. "WhatsApp Messenger". Nokia. WhatsApp. Retrieved January 30, 2013. 
  8. ^ WhatsApp Inc. (January 30, 2013). "WhatsApp for Nokia S60". WhatsApp. Retrieved January 30, 2013. 
  9. ^ WhatsApp Inc. (December 7, 2012). "WhatsApp S40 Messenger". Nokia E63. Ovi_Store. Retrieved January 29, 2013. 
  10. ^ WhatsApp Inc. "WhatsApp for Nokia S40". WhatsApp. Retrieved January 29, 2013. 
  11. ^ WhatsApp Inc. (December 15, 2012). "WhatsApp for Windows Phone". Windows Phone. Microsoft. Retrieved January 29, 2013. 
  12. ^ Eric, Jackson (December 3, 2012). "Why Selling WhatsApp To Facebook Would Be The Biggest Mistake Of Jan Koum's And Brian Acton's Lives". Forbes. Retrieved 3 May 2013. 
  13. ^ Olanoff, Drew (August 23, 2012). "WhatsApp hits new record with 10 billion total messages in one day". The Next Web. Retrieved January 29, 2013.
  14. ^ Russell, Jon (April 4, 2012). "WhatsApp founder to operators: We're no SMS-killer, we get people hooked on data". The Next Web. Retrieved January 29, 2013. 
  15. ^ Olanoff, Drew (October 31, 2011). "WhatsApp users now send over one billion messages a day". TheNextWeb. Retrieved January 29, 2013. 
  16. ^ Bradshaw, Tim (November 14, 2011). "WhatsApp users get the message". Financial Times (London). Retrieved January 29, 2013. 
  17. ^ shakal (March 22, 2011). "WhatsApp? Nicht ohne Risiken." [WhatsApp? Not without risks.]. Retrieved January 29, 2013. (original translated from German by Google Translate)
  18. ^ a b Team Venomous (venomous0x). "Interface to WhatsApp Messenger". GitHub (blog). Retrieved January 26, 2013. 
  19. ^ Amodio, Ezio (September 11, 2012). "Whatsapp – iOS password generation". ezioamodio.it. Retrieved January 29, 2013. 
  20. ^ Granger, Sam (September 5, 2012). "WhatsApp is using IMEI numbers as passwords". samgranger.com. Retrieved January 29, 2013. 
  21. ^ "Wassapp login issues". Lowlevel Studios Blog. December 11, 2012. Retrieved January 29, 2013. "Wassapp is a PC application developed to be a non-official client for WhatsApp Messenger." 
  22. ^ Team Venomous (venomous0x) (May 29, 2012). "WhatsAPI / README.md (updated November 28, 2012)". GitHub (blog). Retrieved January 29, 2013. 
  23. ^ djwm (May 13, 2012). "Sniffer tool displays other people's WhatsApp messages". Heinz Heise (h-online). http://www.h-online.com/security/news/item/Sniffer-tool-displays-other-people-s-WhatsApp-messages-1574382.html. Retrieved January 29, 2013.
  24. ^ WhatsApp Support (August 15, 2012). "WhatsApp FAQ: Are my messages secure?". WhatsApp Support. Zendesk. Retrieved January 29, 2013. 
  25. ^ McCarty, Brad (May 23, 2011). "Signup goof leaves WhatsApp users open to account hijacking". The Next Web. Retrieved January 29, 2013. 
  26. ^ Brookehoven, Corey (May 19, 2011). "Whatsapp leaks usernames, telephone numbers and messages". youdailymac.net. Retrieved July 18, 2011. [dead link]
  27. ^ van Hoewijk, Liroy. "LinkedIn profile". LinkedIn. Retrieved January 26, 2013. 
  28. ^ Liroy (December 20, 2012). "WhatsappHack". Tweakers.net. Retrieved January 29, 2013. "CEO of an internet business. Cracker of WhatsApp verification functions. (Linux / Android Cisco) security and operations expert." 
  29. ^ "Whatsapp ya cifra los mensajes". May 11, 2012. Retrieved May 31, 2012. 
  30. ^ "Tweet from @davidbb". May 8, 2012. Retrieved May 31, 2012. 
  31. ^ "Tweet from @sp0rkbomb". May 10, 2012. Retrieved May 31, 2012. 
  32. ^ fileperms.org (September 12, 2012). "WhatsApp is broken, really broken". Retrieved February 8, 2013. 
  33. ^ Kurtz, Andreas (September 8, 2011). "Shooting the Messenger". Retrieved September 11, 2011. 
  34. ^ Schellevis, Joost (January 12, 2012). "Second news item concerning the whatsapp status issue on the Dutch website "Tweakers"". Retrieved January 12, 2012.
  35. ^ rvdm (January 12, 2012). "Article dissecting whatsappstatus.net and subsequent updates". Retrieved April 7, 2013.
  36. ^ Reventós, Laia (July 3, 2012). "Dentro de WhatsApp". El Pais (in Spanish) (Madrid). Retrieved January 26, 2013. 
  37. ^ fab (September 14, 2012). "WhatsApp accounts almost completely unprotected". Heinz Heise (h-online). Retrieved January 26, 2013. 
  38. ^ crve (September 25, 2012). "WhatsApp threatens legal action against API developers". Heinz Heise (h-online). Retrieved January 26, 2013. 
  39. ^ wnstnsmth (September 30, 2012). "WhatsAPI sources back online". Heinz Heise (h-online). Retrieved January 26, 2013. 
  40. ^ "WhatsApp gets bug, spammers make the most of it". FirstPost (Mumbai). November 29, 2012. Retrieved January 26, 2013. 
  41. ^ "It is a hoax. Really, it is.". WhatsApp Blog. January 16, 2012. Retrieved January 26, 2013. 
  42. ^ Wisniewski, Chester (January 29, 2013). "WhatsApp's privacy investigated by joint Canadian-Dutch probe". Sophos. Retrieved January 29, 2013. 
  43. ^ "Investigation into the personal information handling practices of WhatsApp Inc. (PIPEDA Report of Findings #2013-001)". Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA). Privacy Commissioner of Canada. January 15, 2013. Retrieved January 29, 2013. 
  44. ^ Williams, Martyn (January 28, 2013). "WhatsApp could face prosecution on poor privacy". IDG (CXO Media). Retrieved January 29, 2013. "Dutch and Canadian privacy commissioners conducted a yearlong investigation into the popular mobile app" 
  45. ^ "CITC warns Skype, Viber, WhatsApp". Saudi Gazette (Jeddah). March 31, 2013. 
