Whatsapp – iOS password generation

A few days ago the Android developer Sam Granger published an article explaining how the log-in process works on WhatsApp for Android. In his article, Granger says that the password corresponds to MD5 hash of reversed IMEI number. Citing its notation

md5(strrev(‘your-imei-goes-here’))

Granger also asserts that the same method is not applicable in the case of iOS devices, and the algorithm is not yet known.
Thus, I decided to examine whatsapp for iPhone and how it generates the password. Well, the principle is the same, but this time the MD5 hash is calculated using the mac address of WiFi interface (en0) taken twice because Apple does not allows third-party applications to access IMEI number.

Using the notation of Granger

md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF)

Below I reported a portion of the ARM code that handles the password generation

Disasm

The method is verifiable by simulating the log-in process from any browser. You have to compose the following request

hxxps://r.whatsapp.net/v1/exist.php?cc=COUNTRY_CODE&in=TELEPHONE_NUMBER&udid=MD5(MACMAC)

If everything is ok you should get something like this

Login

However the GET request just helps to inform the app that we are accessing from a device previously registered.
The authentication process starts after the GET request just viewed, using the X-WAWA protocol.

Paradoxically, because of the restrictions that Apple imposed(about retrieving of IMEI number), the authentication method for iOS devices is less secure than on Android devices. The MAC address can be easily achieved on a wifi network.

77 thoughts on “Whatsapp – iOS password generation

  1. Pingback: Sam Granger | WhatsApp is using IMEI numbers as passwords

  2. Pingback: WhatsApp - Für Firmen unsicher mit inakzeptablen Nutzungsbedingungen › Mobile Device Management (MDM) und viel mehr - Pretioso Blog

  3. Pingback: Whatsapp unsicher – Authentifizierungs-Lücke • Kuketz IT-Security Blog

  4. Pingback: WhatsApp is WhatSucks « Subversive Bytes

  5. Pingback: WhatsApp op iPhone eenvoudig af te luisteren via MAC-adres - iPhoneclub.nl

  6. Pingback: WhatsApp allegedly creates overly simple passwords under iOS too

  7. Pingback: Whatsapp unsicher – Authentifizierungs-Lücke « Scheibenkleister

  8. Pingback: WhatsApp, FaceBook, Twitter, FirstLoad… – nein Danke! « Scheibenkleister

  9. Pingback: Las contraseñas de WhatsApp en Android e iOS al descubierto

  10. Pingback: How to Hack WhatsApp Messenger | Build WhatsApp API Client

  11. Pingback: Mobile chat app used by activists has security flaws, say critics | Partners In Sublime

  12. Pingback: Chat app used by activists has security flaws, say critics « GuruSpot: Gadget

  13. Pingback: Chat app used by activists has security flaws, say critics | Security Digest

  14. Pingback: Chat app used by activists has security flaws say critics | HaLaPicHaLaPic

  15. Pingback: Chat app used by activists has security flaws, say critics | Brian L. Fontenot's Blog and Inspiration Site

  16. Pingback: Chat app used by activists has security flaws, say critics | WestPenn Journal

  17. Pingback: Privacy + Anonymity » WhatsApp Chat Application Insecure and Vulnerable To Simple Eavesdropping

  18. Pingback: Chat app used by activists has security flaws, say critics | Partners In Sublime

  19. Pingback: Chat app used by activists has security flaws, say critics | iPhone Developers

  20. Pingback: Chat app used by activists has security flaws, say critics | Android Developers

  21. My password is incorrect, or atleast that’s what the server gives back – I hope it means at least that they fixed it or it’s not 100% vulnerable after all ?

  22. Pingback: Chat app used by activists has security flaws, say critics | N.C.I.O.

  23. Pingback: Chat app used by activists has security flaws, say critics | Social Media, Gadget and Tech Tips and Guide

  24. Pingback: WhatsApp: Motivos para não utilizar. | Blog do Renê Barbosa

  25. Pingback: Seguridad usando Whatsapp: Lo estás haciendo mal | ResumenTecnologico.com

  26. Pingback: Seguridad usando Whatsapp: Lo estás haciendo mal | Blog Enfundate

  27. Pingback: WhatsApp: Spam, inundación y robo de cuentas | Desgobierno de Chile

  28. Pingback: [AGGIORNATO] WhatsApp Hacked - Impersoniamo un'altra persona | Over Security

  29. Pingback: [Offizielle App] WhatsApp Seite 127 - Windows Phone 7 Apps - Windows Phone Forum

  30. Pingback: TechMind #1: Whatsapp sotto attacco | EasyPodcast

  31. Pingback: WhatsApp - a Complete Security-Desaster « Nifelheim Tech-Blog

  32. Thank you for the sensible critique. Me and my neighbor were just preparing to do a little research about this. We got a grab a book from our local library but I think I learned more clear from this post. I am very glad to see such fantastic information being shared freely out there.

  33. You really make it seem so easy together with your presentation however I find this topic to be actually one thing which I think I’d by no means understand. It sort of feels too complicated and extremely wide for me. I am taking a look ahead on your next post, I will attempt to get the hang of it!

  34. Pingback: MojoWhatsup (a Whatsapp client for webos) - Page 20 - webOS Nation Forums

  35. It seems that the iOS password is still derived from the MAC or another iPhone identifier. If it was randomly generated you’d have to resend the sms code after reinstalling on the iPhone. This is not the case (i tested it). Someone with arm skillz has to decompile the newest iphone binary.

  36. It seems the password is now salted with the 6-digit code they send you. I’ve got 2 iphones which were using the same account. Once updated the first could login without problems while the 2nd did not work anymore. Now the interesting part :

    I’ve requested the another SMS code and entered it on the 2nd phone. After entering the 2nd could login but the 1st was unable to login again. So it appears the 6-digit code is now used in order to generate the password. I also got a decrypted 2.8.10 version but didnt analyze it yet through IDA. Will keep you guys updated.

  37. This isnt true bro… the operation you did with the two phones gived the same results over the past years… anyway thanks for your decrypted versions.. stay in touch

  38. And why did you give 2.6.10 ???? Why not 2.8.4 the most recent before Whatsapp changed the iOS password… Note: The last two versions of WhatsApp are 2.8.6 and 2.8.4. 2.8.6 is the one where the password changed occured… Please help us developpers and don’t forget that our force is unity!

  39. I’ve added the old one just for comparism. The old one also doesnt encrypt the connect so you can still analyze packets without cracking encryption on the old client.

  40. 1) On iOS it doesn’t work anymore.
    2) But what happen for fixed lines (for trusting the number, whatsapp makes a call: if the user answers the number is authorized/considered as verified)?
    Which is the algorithm for authentication?

  41. I DO NOT TRUST THE FACT that the digit code has to do with iOS password… anyway someone has a freeware rather than ida that reads idb files…?

  42. Is there a possibily to get a 3-digit verification code for Whatsapp 2.8.4 ipa for non upgradable IOS 4.2.1 (2G) and get it working? Can not get verfication code, have to install WhatsApp 2.8.7 , IOS 4.2.1 does not accept that. Thanks for your ideas!

  43. Pingback: Using Whatsapp from command line | Chumblog

  44. Pingback: Trienke

  45. Pingback: acekard 2i

Leave a Reply