Whatsapp & Windows Phone

Here we are. To complete the circle I insert how whatsapp geterates password on Windows Phone

windows phone

So, just the unique identifier. I haven’t a Windows Phone and I don’t know if it’s possible to retrieve the UID from some menu.

Whatsapp – iOS password generation

A few days ago the Android developer Sam Granger published an article explaining how the log-in process works on WhatsApp for Android. In his article, Granger says that the password corresponds to MD5 hash of reversed IMEI number. Citing its notation

md5(strrev(‘your-imei-goes-here’))

Granger also asserts that the same method is not applicable in the case of iOS devices, and the algorithm is not yet known.
Thus, I decided to examine whatsapp for iPhone and how it generates the password. Well, the principle is the same, but this time the MD5 hash is calculated using the mac address of WiFi interface (en0) taken twice because Apple does not allows third-party applications to access IMEI number.

Using the notation of Granger

md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF)

Below I reported a portion of the ARM code that handles the password generation

Disasm

The method is verifiable by simulating the log-in process from any browser. You have to compose the following request

hxxps://r.whatsapp.net/v1/exist.php?cc=COUNTRY_CODE&in=TELEPHONE_NUMBER&udid=MD5(MACMAC)

If everything is ok you should get something like this

Login

However the GET request just helps to inform the app that we are accessing from a device previously registered.
The authentication process starts after the GET request just viewed, using the X-WAWA protocol.

Paradoxically, because of the restrictions that Apple imposed(about retrieving of IMEI number), the authentication method for iOS devices is less secure than on Android devices. The MAC address can be easily achieved on a wifi network.