How to Hack WhatsApp Messenger | Build WhatsApp API Client

Desktop IMs have long been our favorite mode of communication. But with time, their significance has definitely come down.

Smartphones taking large part of our daily life, IM services like Whatsapp, iMessage, BBM,  etc have emerged to be exchanging more messages every second. WhatsApp delivers more than 1 billion messages per day, but yet, its the most insecure way of communication.

As per a recent security analysis, WhatsApp is totally insecure way of communicating with friends.

 

WhatsApp Encryption

You will be surprised to know that until August 2012, messages sent through the WhatsApp service were not encrypted in any way, everything was sent in plaintext. That means if you were using Whatsapp on a public wifi, everything can be captured by anyone else sniffing ont he wireless network. The latest WhatsApp uses encryption but its this new encryption is broken. But still, phone number is sent out in plaintext.

The local storage isn’t any different, you can checkout WhatsApp Database Encryption Project Report

WhatsApp API & Reverse Engineering

If you know XMPP, the same protocol used by facebook, GTalk, and several others, you can try your hands-on WhatsAPI, an API for WhatsApp messenger.

WhatsApp uses customized XMPP server with proprietary extensions, named internally as FunXMPP.

1. WhatsApp Authentication / Login Mechanism
Just like any other XMPP, WhatsApp uses jabber id and password to login. The password is hashed, stored in servers upon account creation and used transparently everytime the client connects the server.

Its an incredibly horrible implementation. As researcher found out, the username is the user’s phone number – an attacker would probably already knows the victim’s number.

On Android, the password is a md5 hash of the reversed IMEI number:

$imei = "112222223333334"; // example IMEI
$androidWhatsAppPassword = md5(strrev($imei)); // reverse IMEI and calculate md5 hash

On iOS, the password is generated from the devices WLAN MAC address:

$wlanMAC = "AA:BB:CC:DD:EE:FF"; // example WLAN MAC address
$iphoneWhatsAppPassword = md5($wlanMAC.$wlanMAC); // calculate md5 hash using the MAC address twice

Both IMEI and MAC address are easily retrievable from devices if you have physical access to it. MAC address is much easier to capture as you can sniff on the wireless network to which iOS device is connected.

The JID is a concatenation between your country’s code and mobile number.

Initial login uses Digest Access Authentication. You can try this for yourself:

https://r.whatsapp.net/v1/exist.php?cc=$countrycode&in=$phonenumber&udid=$password

$countrycode = the country calling code
$phonenumber = the users phone number (without the country calling code)
$password = see above, for iPhone use md5($wlanMAC.$wlanMAC), for Android use md5(strrev($imei))

The response you would receive would be in XML, containing messages designated for your phone.

2. Text Message communication

Messages are basically sent as TCP packets, following WhatsApp’s own format (unlike what’s defined in XMPP RFCs).

Photos, Videos and Audio files shared with WhatsApp contacts are HTTP-uploaded to a server before being sent to the recipient(s) along with Base64 thumbnail of media file (if applicable) along with the generated HTTP link as the message body.

WhatsApp Privacy Leak

WhatsApp shares your contacts with the server, we all know that. But the way it is done is ridiculously insecure. It basically sends contact information as:

https://sro.whatsapp.net/client/iphone/iq.php?cd=1&cc=$countrycode&me=$yournumber&u[]=$friend1&u[]=$friend2&u[]=$friend3&u[]=$friend4
The server response looks like:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>P</key>
<string>1234567890</string>
<key>T</key>
<integer>10817</integer>
<key>S</key>
<string>Some Status Message</string>
<key>JID</key>
<string>23xxxxxxxxx</string>
<key>NP</key>
<true/>
</dict>
</array>
</plist>

Key “P” is the users phone number, Key “T” seems to be the uptime(?), Key “S” is the users status message. Not sure about “JID” and “NP” yet – if you have smart guess let me know. All this information is public.

Verdict

WhatsApp is fastest growing IM service and yet, the most insecure. If you really care about your data privacy, stop using WhatsApp till its fixed. Rely on GTalk, facebook IM, which are proven to be secure by all means.

Related: Read, Extract WhatsApp Messages backup on Android, iPhone, Blackberry

We write latest and greatest in Tech GuidesAppleiPhoneTabletsAndroid,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR Google+ or on Facebook Fanpage

GD Star Rating
loading...
GD Star Rating
loading...
How to Hack WhatsApp Messenger | Build WhatsApp API Client, 6.9 out of 10 based on 46 ratings

28 thoughts on “How to Hack WhatsApp Messenger | Build WhatsApp API Client”

  1. But i am getting
    “This XML file does not appear to have any style information associated with it. The document tree is shown below.”

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  2. U have to insert something for the variables^^ But how can I send messages with this? 😮

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  3. Need help! Can’t get it to work for my iPhone!
    How do I get it to work? How exactly are u supposed to key in the wlanMac and te area country code and mobile number does that includes 0 and do I have to put the $ sign and the •z
    Thanks

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  4. do you think there is gonna be a way to activate whatsapp without sms verification by accessing these files

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  5. Geez, people are asking some seriously stupid questions. My browser says “there is no stylesheet related to the XML, so how do I send a message?”

    Useful article. Thanks, author!

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  6. This XML file does not appear to have any style information associated with it. The document tree is shown below.

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  7. Have you guys checked out Wayne Johnson, Contact wjitservices@gmail.com he’s just a cyber guru involved with cloning phones, hacked into my ex’s gmail and Facebook account, glad to know he ain’t right for me and also gave my nephew some really outstanding school scores which he upgraded himself. You could mail him as well if you got any cyber issue, he’s discreet and professional too. He’s kinda picky though so make mention of the reference. Tracy referred you.

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  8. HEY GUYS, MY NAME IS SEAN, I WANT TO USE THIS OPPORTUNITY TO RECOMMEND YOU TO A DUDE THAT HELP ME WHEN MY WIFE WAS CHEATING.. HIS EMAIL ADDRESS IS cyberappshacker@gmail.com HE DOES OTHER THINGS LIKE SCHOOL GRADES, TRACKING, CALL LOGS, PHONE CONVERSATION, EMAIL AND FACEBOOK HACKING, JUST NAME IT AND HE WILL HELP YOU… HE IS REAL AND GENUINE.. TELL HIM SEAN LINKED YOU….THANKS

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  9. I heard that, whatsapp is not using the phone number/IMEI code as user name and password. what is the new data fields it is using to uniquely identify the device. what is the new process? any inputs on this is much appreciated

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  10. Should you ever require the services of a hacker, i implore you to try your very best to hire only professionals. cyberphonehacker@gmail.com will increase your chances of getting your job completedd. i was able to hire the services of an elite, asides the fact that i was provided a permanent solution to the service he rendered me but he gave a very efficient customer experience. he carried me along with every process and didnt leave me in the dark.
    contact; cyberphonehacker@gmail.com or +1 916 302 2234

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  11. Cyberhackmanager is the real hacker out there, please be careful of imposters. they are somany hackers who claim to be what they are not. i have been ripped off twice by this so called hackers. please be careful. if you need an hacker mail (cyberhackmanager@gmail.com), they work effectively, i can testify to that mail them today and you will get your work done cyberhackmanager@gmail.com make no mistake on the email to aoid being scammed.thanks

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  12. Stop being scammed by fake hackers. Hire a Ethical Hacking group who are professional and real. You might be curious that what hacking group services can provide? .. If you hire a hacker, you always have worried of losing your money. We won’t keep a cent if can’t do our job. 100% refund if job is not completed. Hacking Services that you will find here at: hackethics008@gmail.com are custom to fit your hacking needs… A professional and experienced hacker providing hacking services for a variety of client needs. Specialize in many different Hacking Services some of my most popular hacking services are, Hack INTO ANY BANK WEBSITE Hack into any COMPANY WEBSITE HACK INTO ANY GOVERNMENT AGENCY WEBSITE HACK INTO SECURITY AGENCY WEBSITE AND ERASE CRIMINAL RECORDS Hack into CRAIGSLIST AND REMOVE FLAGGING HACK INTO ANY DATABASE SYSTEM HACK PAYPAL ACCOUNT HACK WORD-PRESS Blogs SERVER CRASHED hack HACK INTO ANY SCHOOL DATABASE AND CHANGE UNIVERSITY GRADES, no matter how secured HACK INTO CREDIT BUREAU DATABASE AND INCREASE YOUR CREDIT SCORE HACK ANY EMAIL OR SOCIAL NETWORK AND KNOW IF YOUR PARTNER IS CHEATING ON YOU HACK INTO YOUR PARTNER’S PHONE PICS, TEXT MESSAGE AND LISTEN TO CALLS TO KNOW IF HE IS CHEATING UNTRACEABLE INTERNET PROTOCOL HAVE YOU OR YOUR CHILD BEEN BULLIED ONLINE BEFORE AND WANT TO GET BACK AT THE PERSON, WE CAN HELP YOU TRACE THE ACTUAL LOCATION OF THE PERSON AND DO WHATEVER YOU REQUEST TO THE PERSONS COMPUTER IS ANYONE BLACKMAILING YOU ONLINE AND YOU WANT US TO GET INTO THEIR COMPUTER AND DESTROY DATA AND EVIDENCES AGAINST YOU? If you need a hacking service that is not listed, feel free to contact me at: hackethics008@gmail.com or text only – +1 (630) 755-8868. Contact me today about any of my hacking services by fake hackers. Hire a Ethical Hacking group who are professional and real. You might be curious that what hacking group services can provide? .. If you hire a hacker, you always have worried of losing your money. We won’t keep a cent if can’t do our job. 100% refund if job is not completed. Hacking Services that you will find here at: hackethics008@gmail.com are custom to fit your hacking needs… A professional and experienced hacker providing hacking services for a variety of client needs. Specialize in many different Hacking Services some of my most popular hacking services are, Hack INTO ANY BANK WEBSITE Hack into any COMPANY WEBSITE HACK INTO ANY GOVERNMENT AGENCY WEBSITE HACK INTO SECURITY AGENCY WEBSITE AND ERASE CRIMINAL RECORDS Hack into CRAIGSLIST AND REMOVE FLAGGING HACK INTO ANY DATABASE SYSTEM HACK PAYPAL ACCOUNT HACK WORD-PRESS Blogs SERVER CRASHED hack HACK INTO ANY SCHOOL DATABASE AND CHANGE UNIVERSITY GRADES, no matter how secured HACK INTO CREDIT BUREAU DATABASE AND INCREASE YOUR CREDIT SCORE HACK ANY EMAIL OR SOCIAL NETWORK AND KNOW IF YOUR PARTNER IS CHEATING ON YOU HACK INTO YOUR PARTNER’S PHONE PICS, TEXT MESSAGE AND LISTEN TO CALLS TO KNOW IF HE IS CHEATING UNTRACEABLE INTERNET PROTOCOL HAVE YOU OR YOUR CHILD BEEN BULLIED ONLINE BEFORE AND WANT TO GET BACK AT THE PERSON, WE CAN HELP YOU TRACE THE ACTUAL LOCATION OF THE PERSON AND DO WHATEVER YOU REQUEST TO THE PERSONS COMPUTER IS ANYONE BLACKMAILING YOU ONLINE AND YOU WANT US TO GET INTO THEIR COMPUTER AND DESTROY DATA AND EVIDENCES AGAINST YOU? If you need a hacking service that is not listed, feel free to contact me at: hackethics008@gmail.com or text only – +1 (630) 755-8868. Contact me today about any of my hacking services

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  13. Do you want to silently intercept SMS messages? Or listen to live calls in progress of your staff or children? Perhaps you suspect them of misusing your mobile phone or texting inappropriate people? Have you been curious about what your boyfriend, girlfriend, husband or wife is chatting about on his or her mobile phone? Now you could hear 100% completely undetected.
    Monitoring mobile phone text messages remotely in real-time without someone knowing is not difficult at Hack Ethics (hackethics008@gmail.com). Nationwide Employment Background Check includes

    • SSN Trace
    • Address History
    • 7-Year National Criminal Database Search
    • Courthouse Verification of Criminal Database Records (up to 3)
    • National Sex Offender Registry Check
    Online Dating Scams
    Have you been scammed because all you were looking for was love? We can help you in 2 ways.
    1. Verify the person’s identity before meeting the person and moving to the next step.
    2. If you have been scammed online and would like to track the person’s location so you can proceed with some type of action. you should contact me at hackethics008@gmail.com or text only – +1 (630) 755-8868

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply
  14. Hack Ethics is an experienced online Private Investigator/Ethical Hacker providing investigative solutions and related services to individuals. You may find my services of use, my areas of expertise include the following: fidelity check, mobile hack and access, social media hack, email, educational institutions, clearing criminal records, accounts recovery, websites, database etc. Have you been scammed because all you were looking for was love? We can help you in 2 ways.
    1. Verify the person’s identity before meeting the person and moving to the next step.
    2. If you have been scammed online and would like to track the person’s location so you can proceed with some type of action. Stop being scammed by fake hackers. Hire a Ethical Hacking game roup who are professional and real. You might be curious that what hacking group services can provide? .. If you want to hire a hacker, you should contact me at hackethics008@gmail.com or text only – +1 (630) 755-8868

    GD Star Rating
    loading...
    GD Star Rating
    loading...
    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.