WhatsApp is broken, really broken | fileperms

Posted on 2012/09/19


WhatsApp is broken, really broken | fileperms.

This article explains in detail many security problems of WhatsApp, the widely used instant messaging application.

To summarize:

  • The mobile number is sent in plain text over the network
  • The username of the account is the mobile number
  • The password can be derived either from the MAC address or from the IMEI, neither of which is particularly secret
  • You can ask WhatsApp for some information about arbitrary phone numbers registered with WhatsApp
  • The database on your smartphone is poorly encrypted and can be deciphered

I believe at least some of these problems derive from a compromise between security and usability that fell on the wrong side of common sense. Others might be attributed to laziness or ineptitude.

In any case, you have been warned.

I hope that if enough uproar is generated from this, it will push the WhatsApp guys to rethink and correctly redesign their application.

