WhatsApp security weaknesses

The facts about WhatsApp and all the drama.

On an iPhone, when you open the WhatsApp application the following occurs:
- The application resolves sro.whatsapp.net.
- Gets the addresses 173.192.219.141, 173.192.219.149, 173.192.219.140 back from: ns1.softlayer.com
- An encrypted(!) connection is set up on port 443 with (in this case) 173.192.219.141.
Unfortunately I haven’t been able to perform a MITM attack to decrypt the data sent between these two senders, so I don’t know what data is transported between them.
- Through this encrypted(!) connection the IP address of the WhatsApp chat servers is sent, in this case: 50.22.227.220. WhatsApp uses the Extensible Messaging and Presence Protocol (XMPP), but its own version of it.
- From this moment on WhatsApp communicates via port 5222 with the WhatsApp XMPP server 50.22.227.220, and simultaneously keeps the encrypted connection open. What is remarkable is that all the messages sent via the WhatsApp application are sent without encryption over port 5222. In plaintext, as stated. The transported data includes sensitive data: names and the corresponding telephone numbers are transported in plaintext as well.

For sending pictures Whatsapp uses mms.whatsapp.net and this time it does send the data encrypted.

The Android, Nokia and Blackberry way.
Above is the way the WhatsApp iPhone application works. The Android, Nokia and Blackberry applications work differently. In their case WhatsApp does exactly the same; the only difference is that instead of port 5222 it connects to port 443. People say that this way WhatsApp suggests it uses an encrypted connection, since port 443 is mainly associated with encrypted HTTP traffic. Whether this is the case can be questioned: since they didn’t implement this way of connecting in the iPhone application, it suggests that using port 443 on these devices has a well-motivated reason.
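A port number says nothing about whether a connection is encrypted, so an audit has to look at the bytes. The following is an added example, not code from this post or from WhatsApp: it classifies the first client payload of a flow by content and flags phone-number-like digit runs in anything that is not TLS. The sample payloads, the example.invalid addresses and the function names are constructed for illustration and do not reproduce the real wire format.

```python
import re
import struct

PHONE_RE = re.compile(rb"(?<!\d)\d{10,15}(?!\d)")  # digit runs shaped like phone numbers

def starts_with_tls_handshake(payload: bytes) -> bool:
    """Check the 5-byte TLS record header: type 22 (handshake), version 3.x, sane length."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype == 22 and major == 3 and minor <= 4 and 0 < length <= 2**14 + 2048

def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not payload:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)

def classify(port: int, payload: bytes) -> dict:
    """Classify the first client payload of a flow by content, not by port number."""
    if starts_with_tls_handshake(payload):
        verdict = "tls"
    elif printable_ratio(payload) >= 0.8:
        verdict = "plaintext"
    else:
        verdict = "unknown-binary"  # custom framing or custom crypto; needs manual review
    phones = [m.decode() for m in PHONE_RE.findall(payload)] if verdict != "tls" else []
    return {"port": port, "verdict": verdict, "phone_like": phones}

# Constructed sample payloads (not captured traffic)
SAMPLE_FLOWS = [
    (443, bytes.fromhex("1603010200") + b"\x01\x00\x01\xfc\x03\x03"),  # TLS ClientHello start
    (5222, b"<message to='15550100123@example.invalid'><body>hi</body></message>"),
    (443, b"<message to='15550100199@example.invalid'><body>hi</body></message>"),
]

def audit(flows):
    """Return one finding per (port, first_payload) pair."""
    return [classify(port, payload) for port, payload in flows]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The third sample is the case discussed above: a flow on port 443 that is still reported as plaintext with a phone-like identifier in it.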

We should not forget that encrypting your messages will make the application slower, the transport of the messages slower, and will eat your battery.
Despite that, it is not necessary to transfer usernames and telephone numbers. Instead, user IDs and phone IDs can be used.

In addition to these security weaknesses in WhatsApp, the application had another big flaw that allows account hijacking. For details on this subject see my previous blog: http://rickey-g.blogspot.com/2011/05/hijack-someone-elses-whatsapp-with-your.html
Since it is possible to spoof SMS messages, WhatsApp can fix this problem only by disabling all verification methods other than sending a verification SMS themselves.