javispedro's Avatar
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#21
Originally Posted by Mentalist Traceur:
Unless you're in a country where the laws are abysmally bad, that shouldn't be an issue. In the USA, at least, it's a legal right to reverse engineer for compatibility purposes. Making a compatibility program/plugin for an unsupported platform sounds valid enough to me.
I would not be that sure about that. Here you're interacting with someone else's servers and services (whatsapp's), so they could argue you're "misusing their computers".
 

The Following 3 Users Say Thank You to javispedro For This Useful Post:
Posts: 1,523 | Thanked: 1,997 times | Joined on Jul 2011 @ not your mom's FOSS basement
#22
Maybe I cut myself out of having access to the newest shiznit / gossip and that, but I refuse to install Whatsapp, EBuddy and related proprietary sh*te. No Facebook ditto. Either plain XMPP, Email, SMS/MMS or nothing, so something open & standardized that you can connect to with whatever YOU decide. Even ICQ is somehow broken.
 

The Following 5 Users Say Thank You to don_falcone For This Useful Post:
Posts: 262 | Thanked: 206 times | Joined on May 2010
#23
Originally Posted by -Tyler-:
And when you connect to msn with pidgin or any other free software you connect always thru Microsoft servers, other thing is the protocol they use is free, in this case xmpp, so you can get access to their network, and Microsoft doesn't like this much because they frequently modify the protocol a little to **** up with people like us who don't want to use the original msn messenger program.

To see the WhatsApp protocol you can do a MITM attack and then analyze the capture in detail with Wireshark; once you have a conversation captured in Wireshark it will be in theory easy to replicate the protocol.
Problem is, while reading the source code of Whatsapp, every sent message is encrypted with a key. Didn't have the time to look into the key generation class or the en/decryption algo.

But MITM attacks won't work for sure, but it's worth the try.
 
Posts: 8 | Thanked: 78 times | Joined on Jan 2012
#24
Originally Posted by mcdull:
All data has to go thru their servers and they are selling the service, I doubt you can make a free app without being blocked by them sooner or later.
Well, if we have the source, it's trivial to create a client which replicates the exact behaviour of a legitimate client. That way, they can't see the difference and can't block them. However, I believe that when new clients are released, older versions are blocked from connecting, so that is a problem. Since the client identification is, I believe, largely based on the version string the client sends, this should be easily avoidable but it will cause some downtime for all Maemo users until a new version is released.

Originally Posted by -Tyler-:
To see the WhatsApp protocol you can do a MITM attack and then analyze the capture in detail with Wireshark; once you have a conversation captured in Wireshark it will be in theory easy to replicate the protocol.
It is possible, but reading the source code is easier, I think. Whatsapp uses XMPP as the underlying protocol, yes, but it uses some form of binary XML, the mapping from XML to binary should be in the source somewhere. Maybe a combination of both will yield some good results but I'd still go with the source code.

Originally Posted by teamer:
Problem is, while reading the source code of Whatsapp, every sent message is encrypted with a key. Didn't have the time to look into the key generation class or the en/decryption algo.
Are you sure? I sniffed WA traffic from Symbian, Android and Apple devices, all the messages are in the capture in plain text. Maybe you mean that the messages are signed? That could be possible, but encrypted... no. At least not when I checked, which was about two months ago.

But MITM attacks won't work for sure, but it's worth the try.
Why wouldn't they work? Granted, it'll be a lot of work to RE the protocol from there but it's doable.


Anyway, I've been at this for a short while and stopped because I did not have more time to work on it. First off, I sniffed some traffic from a Symbian phone (not mine and with permission), I quickly found out that the traffic was not encrypted despite being sent over port 443. I also noticed the authentication procedure was the same as described in the XMPP RFC, so I started there. The only thing I really still required was the authentication password.

I then started out with the Android client, because that's the only thing I can run on my N900. My first efforts were at doing MITM, because it's usually not possible to just decompile code. I sniffed the entire registration procedure (which does happen over HTTPS, I set up a MITM with custom certificates and got the entire thing) in an attempt at figuring out the authentication credentials required to log in. I could not really find them in there and tried everything I could find in the configuration files. Still nothing.

Then, I decided to try and disassemble the code. I managed to get the bytecode in a human-'readable' format and used JD-gui to make some sense of it. I quickly found out that JD-gui is far from accurate at decompiling code, which was to be expected. Also, I found out that WhatsApp was obfuscated, almost all important classes had their strings encrypted and variable/debug information stripped. With some help of the byte code I managed to decrypt all the strings and after some tedious work I found out where the password came from. (edit: looking at my logs again, it turns out that the 'password' is actually sent to whatsapp but I did not recognize it as such, also due to an error in my version of the authentication algorithm)

Given the amount of work I had to put into this and the fact that I did not have enough time to put into this, I decided to abandon this project, at least for now (then).

Needless to say, I was surprised to find out that the Symbian version is apparently not obfuscated. This will greatly simplify things. In a few weeks, I will have more time to put into this so I guess I could lend a hand here and there.

Last edited by DataGhost; 2012-01-29 at 09:57.
 

The Following 7 Users Say Thank You to DataGhost For This Useful Post:
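
The observation in post #24 that the traffic was cleartext even though it used port 443 is something a network monitor can check from the first client bytes of each flow. The sketch below is an added example, not code from this thread or from any client discussed in it; the `Flow` type, the function names and all sample payloads are constructed for illustration.

```python
# Added example: flag port-443 flows whose first client bytes are not a TLS handshake.
from typing import NamedTuple

TLS_HANDSHAKE = 0x16            # TLS record content type "handshake"
CLIENT_HELLO = 0x01             # handshake message type "ClientHello"
MAX_RECORD_LEN = 2**14 + 2048   # generous upper bound for one TLS record


class Flow(NamedTuple):         # hypothetical record produced by a capture tool
    dst_port: int
    first_payload: bytes        # first bytes the client sent on the connection


def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a plausible TLS record carrying a ClientHello."""
    if len(data) < 6:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    return (data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04
            and 0 < record_len <= MAX_RECORD_LEN and data[5] == CLIENT_HELLO)


def classify(data: bytes) -> str:
    """Label the opening bytes of a flow: tls, cleartext-text, non-tls-binary, empty."""
    if not data:
        return "empty"
    if is_tls_client_hello(data):
        return "tls"
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return "cleartext-text" if printable / len(data) > 0.9 else "non-tls-binary"


def non_tls_on_443(flows):
    """Return (index, label) for every flow to port 443 that does not open with TLS."""
    return [(i, classify(f.first_payload)) for i, f in enumerate(flows)
            if f.dst_port == 443 and classify(f.first_payload) != "tls"]


# Constructed sample payloads (not captured from any real service).
SAMPLE_FLOWS = [
    Flow(443, bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]) + bytes(43)),
    Flow(443, b"<stream:stream to='example.invalid' version='1.0'>"),
    Flow(443, b"\x00\x12\xf8\x05\x01\xa0\x8a\x84\xfc\x04"),
    Flow(5222, b"<stream:stream to='example.invalid' version='1.0'>"),
]

if __name__ == "__main__":
    for index, label in non_tls_on_443(SAMPLE_FLOWS):
        print(f"flow {index}: port 443 but first bytes look like {label}")
```
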
Posts: 262 | Thanked: 206 times | Joined on May 2010
#25
Have you checked the source code I posted in earlier messages?
And yes, the key was for signing the text, not encryption, so MITM would definitely work.

And what was the issue with the password?

And are u building it to work with the telepathy system? Or stand alone?
If ur doing it within telepathy, open a git and add some developers (start with me), we can together set this thing to work and screw those companies who don't care for developing stuff for such a gr8 mobile !!!
 

The Following 3 Users Say Thank You to teamer For This Useful Post:
Posts: 8 | Thanked: 78 times | Joined on Jan 2012
#26
Originally Posted by teamer:
Have you checked the source code I posted in earlier messages?
Yes, that's why I saw that it wasn't obfuscated.

And are u building it to work with the telepathy system? Or stand alone?
If ur doing it within telepathy, open a git and add some developers (start with me), we can together set this thing to work and screw those companies who don't care for developing stuff for such a gr8 mobile !!!
I'm not building anything yet, as I said I stopped working on it due to a lack of time and because the source was obfuscated. In a couple of weeks, when I have some spare time, I'll probably start (if nobody did so) or help.
 
Posts: 262 | Thanked: 206 times | Joined on May 2010
#27
Originally Posted by DataGhost:
Yes, that's why I saw that it wasn't obfuscated.


I'm not building anything yet, as I said I stopped working on it due to a lack of time and because the source was obfuscated. In a couple of weeks, when I have some spare time, I'll probably start (if nobody did so) or help.
Yeah, same here, I have 3 projects going on already!
 

The Following User Says Thank You to teamer For This Useful Post:
Posts: 262 | Thanked: 206 times | Joined on May 2010
#28
Ok, anyone expert in Java?
I got the password generation algo in WA.
 

The Following 3 Users Say Thank You to teamer For This Useful Post:
Posts: 262 | Thanked: 206 times | Joined on May 2010
#29
Ok, got everything figured out, probably will start developing for n900-whatsapp this night, wish me luck.

What do you all think, normal app or telepathy???

The ones who want it telepathy (I do), to make things faster please someone search for a source code for a telepathy client (gtalk would be perfect) or just an empty template code!
 

The Following 21 Users Say Thank You to teamer For This Useful Post:
MohammadAG's Avatar
Posts: 2,473 | Thanked: 12,265 times | Joined on Oct 2009 @ Jerusalem, PS/IL
#30
Originally Posted by teamer:
Ok, got everything figured out, probably will start developing for n900-whatsapp this night, wish me luck.

What do you all think, normal app or telepathy???

The ones who want it telepathy (I do), to make things faster please someone search for a source code for a telepathy client (gtalk would be perfect) or just an empty template code!
Although I'd like it to be telepathy too, WhatsApp has features that the conversations UI won't support, examples are file sending and last offline features, as well as sending location etc.

If you need help with the client, ping me.
 

The Following 27 Users Say Thank You to MohammadAG For This Useful Post: