WhatsApp laid bare: Info-sucking app's innards probed

Users of WhatsApp need be aware that the popular messaging service collects phone numbers, call duration and other information, according to new research. A network forensic examination by computer scientists at the University of New Haven found that WhatsApp uses the FunXMPP protocol, a binary-efficient encoded Extensible …

  1. Christopher Reeve's Horse
    Big Brother

    Collects whats?

    Hold on, all this data and metadata it's collecting... Is it related to the app itself (its own call making and messaging abilities etc.) or ALL types of calls (and other activities) made from the mobile?

    1. Valeyard

      Re: Collects whats?

      I was wondering that. From the article it seems like it's only collecting what it needs to function, but given that there's an actual article on it in the first place, that can't be the right interpretation, surely.

    2. phuzz Silver badge

      Re: Collects whats?

      You can read the paper itself here, and from my quick read it does indeed look like the metadata is all related to calls made by the Whatsapp program, which is a very different thing to slurping data about phone calls.

      1. Anonymous Coward

        Re: Collects whats?

        > You can read the paper itself here

        Thanks for the link. I don't understand why it wasn't provided in the article itself.

        1. Destroy All Monsters Silver badge
          Paris Hilton

          Re: Collects whats?

          Elsevier has a journal called "Digital Investigation"? An upmarket Phrack?

          Still, good work at analyzing the innards of the protocol, but it's about as "info-sucking" as SS7. Or not. It depends what is going over the protocol once it has been set up.

          But clearly the goal is to help the gumshoes:

          > From its wide adoption, it is obvious how WhatsApp communication exchanges may be used during an investigation, making the artifacts it produces of compelling forensic relevance. Therefore, we see a strong necessity for both researchers and practitioners to gain a comprehensive understanding of the networking protocol used in WhatsApp, as well as the type of forensically relevant data it contains. Most importantly, due to the newly introduced calling feature, it becomes essential to understand the signaling messages used in the establishment of calls between the WhatsApp clients and servers. The methods and tools used in this research could be relevant to investigations where proving that a call was made at a certain date and time is necessary.

    3. Bucky 2

      Re: Collects whats?

      In which case, what's the exact thrust of the article? That it's NOT, in fact, a spyware application?

    4. Martin-73 Silver badge

      Re: Collects whats?

      Indeed, so 'application for making phone calls, uses relevant phone numbers' would be more accurate, but less clickworthy.

  2. A Non e-mouse Silver badge
    Stop

    Decryption

    How did the researchers work all this out? Did they break WhatsApp encryption, or does WhatsApp not encrypt traffic on the wire?

    1. joeldillon

      Re: Decryption

      Whatsapp has to decrypt what it's sent at some point so it can actually show it to you, the user. So, if you have root on your phone, it's going to be possible to figure out how Whatsapp does it.

    2. Your alien overlord - fear me

      Re: Decryption

      That's what I thought, especially as it needed network traffic data as well.

  3. Frank Bitterlich
    WTF?

    What's the point?

    The article says:

    > This data included WhatsApp phone numbers, WhatsApp phone call establishment metadata and date-time stamps, as well as WhatsApp phone call duration metadata and associated date-time stamps. They also were able to acquire WhatsApp's phone call voice codec (Opus) and WhatsApp's relay server IP addresses used during the calls.

    So, this "collecting" phone numbers, call duration and other stuff is clearly what WhatsApp needs to make the call.

    Don't know exactly what the article is about. Somebody has looked into WhatsApp traffic and fails to find someone with their hand in the cookie jar?

  4. Mage Silver badge
    Big Brother

    Collects stuff

    I thought everyone knew this was pointless spyware.

  5. GeorgeSherban

    From my reading of the paper

    the story isn't that WhatsApp is doing a nefarious data slurp, but that it's possible to decrypt its network traffic and extract forensically relevant metadata from it.

    (http://www.fit.vutbr.cz/research/pubs/index.php?file=%2Fpub%2F10979%2FWhatsApp.pdf&id=10979)

    1. DropBear

      Re: From my reading of the paper

      No, that's a paper. No argument there. Now where's the story?

  6. This post has been deleted by its author

  7. This post has been deleted by its author

  8. Anonymous Coward

    Aside, Whatsapp voice call quality...

    Is unbelievably good over wifi, for those who haven't tried it yet.

    1. This post has been deleted by its author

      1. Fibbles

        Re: Aside, Whatsapp voice call quality...

        Sure, but who are you going to call with it?

        1. Trigonoceps occipitalis

          Re: Aside, Whatsapp voice call quality...

          Ghostbusters!

        2. This post has been deleted by its author

    2. Stevie

      Re: Aside, Whatsapp voice call quality...

      Young people! Don't waste money on expensive smart phones running whatsapp. Simply stand next to those with whom you wish to communicate and experience crystal clear reception.

  9. Anonymous Coward

    I guess that's why smart people use secure messaging services (Threema, Wickr, etc.).

  10. tiln
    Boffin

    Decryption

    WhatsApp does not encrypt images, so it's easy to find them on your phone, if you need to. The text messages are saved as encrypted .db files using the .crypt8 extension. If you would like to read your backup of files you may follow these instructions:

    http://www.digitalinternals.com/security/decrypt-whatsapp-crypt8-database-messages/419/

    1. This post has been deleted by its author

  11. Anonymous Coward

    Bespoke

    I have bespoke created a bespoke tool to bespoke the inter net. Now bespoke to the rest of the bespoke world I would bespoke like to release bespoke it under the bespoke GPL.

    I have bespoken my bespoke piece.

    1. Anonymous Coward

      Re: Bespoke

      Now listen here, dawg...

  12. Kbanwait

    So this is on Android only???

  13. Vadar

    Bottom line: this paper says WhatsApp does what it needs to do. I switched to WhatsApp and Line when a WeChat update (WeChat is used by all my Chinese friends and colleagues) required access to heart data from my wearable. At least it asked permission. I said no.

    1. dave 93

      WhatsApp asks for permission to see *everything* when you install it

      Which is why I declined at that point. Creepy, but quite upfront about it.

      It is a Facebook company after all, so creepiness is part of the business model.

      One day they will threaten to release all your data if you don't pay regular 'subscription' fees - you have been warned...

      1. Looper
        Black Helicopters

        Re: One day they will threaten to release all your data if you don't pay regular 'subscription' fees

        No. They won't. The freely given data is far too valuable to threaten slowing down the data warehousing. After all, they are in competition with Google, the arch data-theft criminal, to utilise and monetise behavioural AI.

    2. Anonymous Coward

      > I switched to WhatsApp and Line when a WeChat update [...] required access to heart data from my wearable.

      Well, it makes sense that you would want to terminate the call if one of the participants ceases to be responsive.

      1. tony2heads
        Terminator

        heart data

        It's to check that you are not a cyborg; hunting people down via WeChat.

    3. Destroy All Monsters Silver badge
      Paris Hilton

      > required access to heart data from my wearable

      I actually had to read it thrice until I got that "heart" is not a verb here.
