Whatsapp what's inside

In continuation of the direction of the publication of our company's research on the internal mechanisms of the world's largest messengers. Today we will look at WhatsApp in its current state. In fact, the insides have not changed much over the past three years, the changes there are more cosmetic.

In this article we will take a closer look at how you can study the protocol of the messenger, answer the question “can WhatsApp read our correspondence?” And attach all the necessary code in PHP.

general information

As a message format, WhatsApp uses a modified version of the XMPP protocol. All messages are compressed by replacing frequently used words with 1 or 2 byte tokens (for example, instead of “message” - we write byte 0x5f), which results in what is called FunXMPP.

Some packages can be further compressed with zlib. The received packet is encrypted with AES GCM 256-bit and transmitted to the server.
')
To obtain encryption keys, the client performs the noise protocol handshake. Here it is well described . For some reason, all developers of open implementations refused to embody the code and hung up the “end of support” plate, we will fix it.

At the first connection, a full handshake is performed. After successful connection to the server, each time a new key is issued for the next session, with the help of which a connection is made without key exchange.

WhatsApp supports end-to-end encryption using libaxolotl (Signal Protocol), the code implements two versions — first they just did encryption, and then they added alignment and called it v2. There is only one problem - because this is a centralized system, then the transfer of keys goes through WhatsApp servers, so technically there are no obstacles for the developers of the messenger to transfer the fake encryption keys and fully read the correspondence. But it does not have retroactive effect - backdating messages will not work.

By the way, when you receive a message from an unauthorized contact, the messenger displays the "Report Spam" button, by clicking on it, we will not only block the contact, but also send it via a secure channel (already open!) To the message text. Without studying the application code entirely, there is no way to guarantee that this functionality is not used in any other cases.

To check the authenticity of encryption keys in the WhatsApp application, you can go to the contact card, select the item “Encryption”, after which the application will offer to scan the QR code on the recipient's device. Thus, by the way, you can make a custom application based on the WhatsApp protocol, which will constantly monitor the status of encryption keys and give out nice dies “The NSA is watching you” or “You are safe”: taking into account the variety of messengers, replace one of them with The app will even be useful.

The work algorithm can be assumed as follows: a device displaying a QR code encodes its public key into it, a device that reads a QR code checks the key against the one available in its database. This is a safe way to verify the key, but only if there are no bookmarks in the application.

When sending multimedia files are uploaded to WhatsApp servers, we didn’t conduct additional research whether they are encrypted there. Most likely not encrypted, because the application developer trusts himself, and the link to the file is transmitted via a secure encrypted channel.

Account registration

Registration takes place in three https-requests for the domain v.whatsapp.net (they can be peeped by any known method, for example burp or mitmproxy, in the application certificate pinning is used, which is bypassed using an ssl kill switch).

v.whatsapp.net/v2/exists?cc=_&in=&id=id_&lg=en&lc=zz
does not do anything useful, before, most likely, served to check whether this number was already registered (most likely until someone started sorting through their base)

v.whatsapp.net/v2/code?method=sms&cc=_&in=&token=&sim_mcc=mcc&sim_mnc=mnc&id=id_&lg=en&lc=zz&__
Actually requests the sms activation code. A similar request can also be used to receive a call. The parameters of the end-to-end encryption are optional, they can be configured upon further connection. Token turns out like this:

  md5 ("0a1mLfGUIBVrMKF1RdvLI5lkRBvof6vn0fD2QRSM". md5 ("21752"). "phone") 

The first line is the encrypted string landscape, whatever that means. You can substitute any version of the application (21752) (the most curious can try to register with an unreleased version), in the application code itself, the hash of the version is sewn up ready, but something similar to the md5 hash is quickly selected.

v.whatsapp.net/v2/register?cc=_&in=&code=__&id=id_&lg=en&lc=zz
This request, respectively, confirms registration with the code received by SMS or call.

The queries use the User-Agent: WhatsApp/2.17.52 iPhone_OS/7.1.2 Device/iPhone_4 . The correct agent is most likely required for correct verification of the token.

Mitm

All this is not known the first day - there are several implementations of the WA16 protocol (Chat-API, Yowsup), the difference from the current WA20 is in essence only the Noise Protocol. With this information, we can develop a local MITM to view the decrypted application traffic. Since Initially, the XMPP application protocol - everything that happens there will be quite clear right away from the decoded traffic, so there is no special need to dive into the wilds of the disassembler.

To launch MITM, we will present ourselves as a real WhatsApp server, run a full handshake, after which our application will listen to the traffic by redirecting it to the original whatsapp server and back. For this we need to change the original application:

All operations are performed in the following configuration: iPhone 4, iOS 7.1.2, IDA 7, WhatsApp 2.17.52.

Patch application

1. We will perform a full handshake with each connection, it will greatly simplify our lives. In the method -[NoiseHandshakeManager initWithLoginPayload:clientStaticKeyPair:serverStaticPublicKey:] in the presence of serverStaticPublicKey is ResumeHandshake , and in the absence of FullHandshake .





In the R0 register, the serverStaticPublicKey is just stored and in its absence, the transition to FullHandshake is performed. And we will make this transition unconditional. To do this, replace two bytes



on



Result



In the decompiler we see that one of the branches of the condition has become unreachable and is not displayed.



2. We will disable server signature verification, since we do not have the private keys of the original server. Without this change, it will be impossible to listen to traffic. To do this, make changes to the method (bool) - [NoiseHandshakeManager validateNoiseCertificate:serverHandshakeStaticPublicKey:] .



We need the function to always return a unit. Now the result of checking the certificate from the register R6 is put in R0.



Let's make it so that the unit is written in R0



The result is



The application is compiled with all debugging information, so it is necessary to additionally perform renames, describe structures and generally perform the reversing process — in fact, it is not required to create a patch. The images are shown immediately after the launch of the decompiler, without additional processing.

iOS 7.1.2 does not verify the authenticity of binary application files, so all changes can be made directly in the application file. In later versions of iOS, you can make the same changes in the memory of a running application.

Writing code ...

Next, with the help of IDA and long and painstaking efforts, we prepare the code that successfully executes NoiseHandshake on WhatsApp servers. Then we implement the fake server - we do all the same encryption operations, but in reverse order (it sounds simple, but if you don’t do it every day - that’s still a headache). The ready code is here .

Download to the computer the MITM application obtained from the link above. Install PHP 5.6 (another version will work, this version was used in my configuration). You will also need two more libraries:
- first
- the second

We intercept connection

It remains only to make the application connect to our server, instead of the present. The application connects to one of the servers e% d.whatsapp.net (where% d is a number from 1 to 16, for example e5.whatsapp.net), each of which resolves to several IP addresses, each time different, in total more than 300 servers. The easiest way is to replace the server's DNS response and send it to our computer with MITM.

To do this, we place the phone and the computer in the same network (literally any wifi router will do), on the phone we set up DNS on our computer on which we install bind9 with the following host:

  $ TTL 86400
 @ IN SOA ns.whatsapp.net.  admin.whatsapp.net.  (
	 2017100500
	 28,800
	 7200
	 1209600
	 86400)
 @ IN NS @
 @ IN A YOUR_IP
 v IN A 184.173.136.86
 v IN A 174.37.243.85
 * IN CNAME @

Look traffic

Next, edit mitm.php - you need to substitute your phone number in the username field and the contents of the cck.dat file (located in the application directory) in the password field.
Run php mitm.php. Run the WhatsApp application and see the following image:



The screenshot shows two packages from the server - a message about successful authorization and some settings. Thus, all the traffic of the application looks absolutely all readable and, in most cases, the application is not required to disassemble the application.

The algorithm for turning FunXMPP into readable text is in all WhatsApp libraries. Inside the simplest state machine, I’ll not additionally paint it here.

findings

The application is made qualitatively, uses modern encryption protocols, but deep inside lies the XMPP left over from the originally used ejabberd. Using protobuf, judging by the current vector of application development, would be more logical, but the historical legacy is too expensive.

Service for a long time suffered greatly from mass mailings, - the code of open projects widely contributed to this. At the moment, no mailings have come in a long time, - the developers have introduced a limit on the number of messages sent to unauthorized contacts. It is this addition (technically fully implemented on the server side), in my opinion, resolutely put an end to the opposition of mailing fans and employees of the anti-mailing department (if they have one).

Technically, there is nothing difficult in this algorithm, for developers of other instant messengers (hello, Viber, - I receive spam at least once a month), - it is worth taking note of this technique.

Thanks for reading, I hope to read about it was just as fun and interesting as it was to do research.