02 May

Who uses WhatsApp Messenger? From the look of the Play Store listing, a damn lot of people. Considering it's so popular, it's probably a pretty secure app, right? Think again.

WhatsApp actually sends all chats in plaintext, so anyone on the same Wi-Fi network can easily pull your entire conversation - including pictures and videos - straight out of the air. And now, that process is even easier than ever thanks to a new app called WhatsAppSniffer. It's basically just a packet sniffer, but it makes the process of pulling WhatsApp chats out of the sky stupid-easy, and that's never a good thing. You might as well just shout your private conversations across the room.

WhatsAppSniffer is for rooted devices only.


While WhatsAppSniffer does work, I had a bit of an issue getting it to work properly on a few of my devices, likely due to the WPA2 security on my network.

To add insult to injury here, the WhatsApp team has known about this issue for nearly a year, but still hasn't fixed it. In fact, word of this first popped up on YourDailyMac back in May of 2011, then again on Packet Storm in December of 2011, at which point it became clear that WhatsApp had been notified of this breach on several occasions and ignored them each time. And that's just the beginning of WhatsApp's security issues.

If you're a WhatsApp user with a rooted device, I urge you to go download WAS and give it a shot. You'll find that your chat session is completely out in the open for anyone with even the slightest inkling of knowledge (read: anyone who can download an app) to see. This doesn't just affect Android, either; it also works on iOS and Symbian (there's no word if it works on Windows Phone yet). Since BlackBerry uses its own servers instead of WhatsApp's, it's actually secure on that end.

Maybe this will finally get WhatsApp to fix the security issues within its app - only time will tell.
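
A defender's check for the plaintext claim above, as an added example that is not part of the original article: it classifies captured TCP payloads as TLS records, readable plaintext, or opaque binary. The sample payloads are constructed for illustration and are not WhatsApp's real wire format; the 0.85 printable-byte threshold is an assumption.

```python
import string
from collections import Counter

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_TLS_RECORD = 2**14 + 2048  # largest record body TLS 1.2 permits
PRINTABLE = set(string.printable.encode())


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a well-formed 5-byte TLS record header."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES and major == 3
            and minor <= 4 and 0 < length <= MAX_TLS_RECORD)


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty payload)."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def classify(payload: bytes) -> str:
    if looks_like_tls_record(payload):
        return "tls"
    if printable_ratio(payload) >= 0.85:  # assumed threshold
        return "plaintext"
    return "opaque"  # binary: compressed, custom-encoded or custom-encrypted


def audit(payloads):
    """Return (verdict counts, indexes of payloads readable on the wire)."""
    verdicts = [classify(p) for p in payloads]
    exposed = [i for i, v in enumerate(verdicts) if v == "plaintext"]
    return Counter(verdicts), exposed


# Constructed sample payloads (not real captures, not WhatsApp's format)
SAMPLES = [
    b"\x16\x03\x01\x00\x2f" + bytes(47),             # TLS handshake record
    b"\x17\x03\x03\x00\x20" + bytes(range(32)),      # TLS application data
    b"<message to='friend'>see you at 8?</message>",  # readable chat text
    bytes(range(128, 160)),                           # unidentified binary
]

if __name__ == "__main__":
    counts, exposed = audit(SAMPLES)
    print(dict(counts), "readable payloads at index:", exposed)
```

A "tls" verdict only shows that the transport is wrapped in TLS; it says nothing about whether the client validates the server's certificate.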

Cameron Summerson
Cameron is a self-made geek, Android enthusiast, horror movie fanatic, and musician. When he's not pounding keys here at AP, you can find him spending time with his wife and kids, plucking away on the 6- or 7-string, or watching The Texas Chainsaw Massacre on repeat.

  • John Doe

    That's not the most annoying thing. The most annoying is to unreg your account. I have written to them several times but they still haven't deleted my account (over a year now). My friends think that I'm a jerk who doesn't reply to their Whatsapp messages. Well at least until they get to know that I don't have Whatsapp installed on my phone anymore. Horrible customer service and I would never pay for their fee.

    • http://www.androidpolice.com/ Cameron Summerson

      Not cool. I had to register for an account so I could test the sniffer. :/

    • Andrew

      WhatsApp updated their application recently to add a "Delete My Account" feature in the settings. Go into settings, then select "More" at the bottom. You'll find the feature there. 

  • fixxmyhead

    i have no idea what the hell whatsapp is. im guessing by the article i read its some sort of messaging app

    • http://twitter.com/r3drox Fred

      Yeah. It's cross platform across different device eco systems and if I'm not wrong the most popular. I'm a heavy user. And this article made me think twice about using it.

  • Yong Wen Chua

    I've been looking to replace Whatsapp  (which I have found increasingly unsatisfactory as of late). Still yet to find a cross-platform texting application that is as widely used.

    • http://www.androidradar.de/ Leif

      KakaoTalk. Better functionality, same workflow, same amount of users (more popular in korea) and it uses SSL encryption. Oh, and they do way more updates than Whatsapp.

    • Christoph Wagner

      Facebook Messenger works quite well for me.

      • http://twitter.com/sketaful Mikael Guggenheim

         It does? It sucks on my end. Sometimes forgetting to deliver messages.

    • Joris

      Take a look at "viber" amazing app! Crossplatform!

      • pmshah

        I have been using viber on my Samsung Galaxy but can't find it for BB. Apparently no voip application exists for BB. If it did it would be heaven for me, covering app 90 % of all the contacts I am interested in chatting with. I have viber, whatsapp and google chat on my android.

    • Christopher Orr

      How about SMS? It's definitely a cross-platform texting application that's even more popular than WhatsApp! ;)

      • Yong Wen Chua

        Not for cross country though and not cheap =/

    • pred2k

      i also look for a replacement, but haven't found one that does:

      * encrypted Message delivery (the best would be an End-to-End Encryption)
      * Groupchats
      * Multi-Platform (Android, iOS and Desktop OSs)

      Open source and with OTR-Encryption are Gibberbot for Android https://play.google.com/store/apps/details?id=info.guardianproject.otr.app.im
      or ChatSecure for iOS http://itunes.apple.com/app/chatsecure/id464200063?mt=8 which are compatible with Pidgin. BUT they dont have Groupchats :(

  • Mourinho

    I think a good replacement for WhatsApp could be SpotBros (http://www.spotbros.com/en).  Message encryption and they promise to remove the data from their servers in 30 days

    • http://www.facebook.com/greg.merrit Greg Merrit

      the good replacement and more feature chat application would be WeChat!

  • http://www.npike.net/ NPike

    Google Talk is a pretty decent and *mostly* cross platform messaging platform.

    • Amitc4d

      agree! 70% time i use Gtalk for colleagues and friends and never felt like using any other chat client, rest 30% is for BBM but that's other story...

  • Esteban

    ChatOn! by Samsung seems to do the trick...

    • http://www.androidpolice.com/ Artem Russakovskii

      Funny you mention them - ChatOn was actually passing messages in plaintext as well when it was released. But while we were researching it, they patched it.

  • Andrew

    I used to use a BlackBerry and I've found WhatsApp a pretty good replacement for BBM since switching to Android. Hopefully the availability of this app gets WhatsApp to finally switch to SSL encryption for their application!

  • Eliasmodeer-asdfg

    It will be fun to test it on the open wifi network in my university. You know, for scientific purposes.
    Protip: since you can't force developers to use https and you also can't easily check what kind of communication is going unencrypted, everyone should be using vpn. Whenever available, https over vpn seems a good idea.

  • Christopher Orr

    Nice that (one of) the security flaws in WhatsApp is being exposed in an easy-to-use, albeit basic fashion.

    Though the UI looks suspiciously similar to Droidsheep.  A probable GPL violation while also asking people to pay for the app isn't so nice.

  • tosheikh

    How did you get it to work on your network (as you mentioned you had issues)?

  • Baylink

    Well... you're not especially familiar with the universe of chat protocols, are you.  Lots of them are unencrypted, including... AIM and Yahoo.

    This is why Pidgin has a plugin to correct that problem, assuming both people in a chat are using it.

    And yup, insecure wifi networks are prone to sniffing; *that* isn't news either.

    • http://www.androidpolice.com/ Artem Russakovskii

      Yeah, but WhatsApp designed their own protocol, and they're relatively new. They really have no excuse, especially after it was reported to them many months ago. They're in full control of their protocol.

  • Guardian56317

    It would seem that any type of communication over electronic means is open to being attacked and I still have a hard time understanding why people continue to ignore their own security !

    People take for granted that someone or something says "Your DATA is secure with us " is really NOT secure at all. 

    • Non-fool.

      Fool - Data isn't 'open' to being attacked if it's not sent in plain text, but is encrypted!

      "People take for granted that someone or something says "Your DATA is secure with us " is really NOT secure at all." < This doesn't even make sense!

  • falconator

    Interesting read....I wonder how many people downloaded it hoping that they'll grab a pic of a naked girl.

  • zoozie

    Dang I use what's app to communicate with a lot of people internationally as its most convenient even if they don't have an Android phone thus no Google Talk.

  • http://www.thednetworks.com Dhawal D

    wow @androidpolice mind telling me the plugin used for converting links to QR code on hover?

    • http://www.androidpolice.com/ Artem Russakovskii

      There is no plugin, I wrote the code (utilizing the cluetip JS library http://plugins.learningjquery.com/cluetip).

      • http://www.thednetworks.com Dhawal D

        Great! Imma try and write it as well :)

  • scarmic

    The problem with whatsapp is that anyone who own a device (android,iphone,bb) has it. It doesn't require a google or fb account, just a phone number.

  • Mbehbehanii

    It does not support Arabic

  • Azri Rashid

    I could not intercept any more messages with the latest Whatsapp update. Can someone else confirm this?

    I hope they encrypt it this time, instead of releasing a workaround to prevent Whatsapp Sniffer from intercepting the messages. Still shocked that they send them in plain text.

  • http://twitter.com/drakonen Drakonen

    This should not work at all when using a WPA/WPA2 encrypted network, and since most networks are, this is way overblown.

    You should never trust unencrypted wireless networks anyway!

    (app also seems to have been removed from market)

    • Azri Rashid

      it worked for me. There is an ARP-spoofing function that you have to enable if you want to use it over WPA/WPA2. Tried it on my university network and my home network. 

      The point of the article is that Whatsapp should have not left the messages unencrypted and send them in plain text, and the fact that it has been reported over a year ago, left a bad image on Whatsapp. A Viber rep told me that Viber has been encrypting their messages since they first started, but VOIP is still not. 

  • Acid_master

    Interesting,  I've tried it between my two android devices and sniffed the network data with Wireshark (sent a text message in WA). Here is a screenshot where you can see that the whole network traffic was in ssl packets (except the ACK's). I haven't tried the WA sniffer yet but the only way I can imagine that it uses man in the middle attack and if the Whatsapp doesn't verify the SSL certificate the sniffer device can scam with it.

  • DC

    I used to use whatsapp, then I uninstalled it. I was reading some comments about deleting the account. How would I do that now?

  • niks

    Does WhatsApp have security while transferring files? Can anyone hack the photos or videos?

  • Andy Glasspole

    Cameron, have you done any similar tests on the Samsung ChatON app? Do you know how safe it is to use?

  • Rose

    Is this app still around? If you have a blackberry, are people still able to see your conversations? I searched for this in the app store, and couldn't find it. Sure hope it's gone.
    Btw, anyone with my number can see and save my profile picture. Is it possible to make that private?
    I'm in the Middle East, Dubai atm. Thnx.
