How does Whatsapp Authentication work?

thnew · Apr 8, 2015 · Viewed 15.6k times

I want to develop a mobile app and use a WhatsApp-like user registration. Now I remember the security problems that were discussed some years ago. WhatsApp used to authenticate users simply by their phone number and IMEI. Now of course this is not really safe, but I don't really know how to do it more securely.

I haven't heard anything about WhatsApp authentication problems for a long time now, so I guess they have a secure method now. Do you know how WhatsApp does it today?

Answer

Faris Sbahi · Aug 17, 2016

I'll take a stab at this question.

To my knowledge, WhatsApp still uses your phone number as the primary unique identifier. The first time you log in to WhatsApp, you verify the phone number to be your own.

However, the second time, WhatsApp provides a secret key at log-in. This helps to avoid some of the attacks services like Telegram have seen, where an SMS can be called and intercepted at any point to access the account (take a look at how their web log-in works).

Indeed, this secret key they provide is your identifier, which is stored securely locally and must be used in all subsequent requests. Of course, users switch phones. In such a case, the account must be re-activated via SMS, where a new secret id will be produced, invalidating the previous one.

Hence, an attacker could attempt the SMS-intercept protocol I spoke of by means of re-activation. The problem with this is that you'd realize someone is intercepting your traffic immediately, because WhatsApp would be disabled on your own device. Therefore, this could only be successful if you didn't check WhatsApp for a while or were in the midst of an internet outage. Overall, this makes their method secure.

@Srinivas What you have observed is nothing more than WhatsApp storing, on their verification server, that a particular phone number cannot be verified for the next two hours, irrespective of the origin of the request.


EDIT: In response to @Srinivas's comment:

> The last part of your answer is absolutely correct. I did a few tests and it works as you said. Thanks. But I am not clear on the 1st time login and 2nd time login.

I apologize for not being thorough. I will attempt to re-explain.

> As I see WhatsApp, the initial screen is registration (SMS code request screen) and the 2nd login is verify code (verify SMS code). Can you provide some more info for my understanding please?

What I meant by first time login is the entire SMS verification process. Hence, I'll divide it up into two segments:

  1. First-time login: The user requests an SMS verification code. They are required to enter the code correctly if from another device, or alternatively have WhatsApp recognize the SIM and complete verification automatically. They are then logged in and have access to their undelivered or backed-up messages if it's a previously existing account.

  2. Second-time login: Immediately following this verification process, WhatsApp delivers a secret access token which is stored locally on the device. Thus, any time they open the app and attempt to connect to the server, they are required to use this access key. As I explained, if they'd like to re-activate their account on another device, they'll have to complete step 1 again from the new device, which will then generate a new secret key, invalidating the previous one and making it only possible to log in with the new device.

> Here's some documentation I found from someone who has created a similar API: github.com/mgp25/Chat-API/wiki/WhatsApp-Registration-Flow. Please provide your valuable input.

I reviewed the documentation and they follow the same pattern precisely. What may have confused you is the initial "code request token". This is simply a key that verifies the validity of the device that is making a request to complete step 1. This ensures the legitimacy of the origin of the user who's attempting to register their device.

Here's how that works:

The user would like to complete step one. Therefore, they send a request token to the server along with their identity (phone number). This is a code that was delivered upon load to the application.

This still isn't sufficient to stop an SMS intercept during step 1. Given that the origin of the request is a legitimate WhatsApp installation, the SMS verification code can give an attacker access to the user's account. However, as I previously noted, this invalidates the previously generated secret key from step 2. Therefore, the user will notice that they've been logged out locally, as long as they're actively using WhatsApp and connected to the Internet.

Let me know if there's any more confusion.
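The flow the answer describes (phone number as identifier, a per-install "code request token" gating step 1, a one-time SMS code, a device-bound access token issued after verification that every later request must carry, and re-activation from a new device invalidating the old token) is easy to model server-side. The block below is an added toy model, not WhatsApp's code nor the Chat-API project's; `VerificationServer`, its method names, the 5-minute code lifetime, the single-attempt rule for a code, and the reading of the two-hour observation as "no new code for that number for two hours after one is issued" are all assumptions made for illustration.

```python
"""Toy model of the registration flow discussed in the answer (added example).

Hypothetical server: phone number identifies the account, a client key baked
into legitimate installs gates code requests, a short-lived one-time SMS code
is exchanged for a device access token, and re-activation replaces that token
so the previous device is silently logged out.
"""
import hmac
import secrets
import time


class VerificationServer:
    SMS_CODE_TTL = 300          # assumed: a one-time code lives five minutes
    RESEND_LOCKOUT = 2 * 3600   # the two-hour block mentioned in the answer

    def __init__(self, clock=time.time):
        self.clock = clock           # injectable clock so the flow is testable
        self.pending = {}            # phone -> (code, expiry)
        self.lockout = {}            # phone -> earliest time a new code may be issued
        self.tokens = {}             # phone -> the one currently valid access token
        self.client_keys = set()     # "code request tokens" of legitimate installs

    def register_client_key(self, key):
        self.client_keys.add(key)

    def request_code(self, phone, client_key):
        """Step 1a: a legitimate install asks for an SMS code for this number."""
        if client_key not in self.client_keys:
            raise PermissionError("unknown client key: not a recognised install")
        now = self.clock()
        if now < self.lockout.get(phone, 0):
            raise RuntimeError("number locked out; retry later")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (code, now + self.SMS_CODE_TTL)
        self.lockout[phone] = now + self.RESEND_LOCKOUT
        return code  # would go out over SMS; returned directly for the demo

    def verify_code(self, phone, code):
        """Step 1b: correct code -> fresh access token; old token is dropped.

        The pending code is consumed on any attempt (one guess per code) and
        compared in constant time.
        """
        entry = self.pending.pop(phone, None)
        if entry is None:
            return None
        expected, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(
            expected.encode(), code.encode()
        ):
            return None
        token = secrets.token_hex(32)
        self.tokens[phone] = token  # overwrites whatever the previous device held
        return token

    def authenticate(self, phone, token):
        """Step 2: every later request must carry the current token."""
        current = self.tokens.get(phone)
        if current is None:
            return False
        return hmac.compare_digest(current.encode(), token.encode())


def demo():
    """Register on one device, re-activate on another, show the old token dies."""
    clock = [1_700_000_000.0]  # constructed fixed clock, advanced by hand
    srv = VerificationServer(clock=lambda: clock[0])
    srv.register_client_key("install-key-A")
    phone = "+15555550100"     # constructed sample number

    code = srv.request_code(phone, "install-key-A")
    tok_old = srv.verify_code(phone, code)
    old_ok = srv.authenticate(phone, tok_old)

    clock[0] += VerificationServer.RESEND_LOCKOUT + 1  # wait out the lockout
    code = srv.request_code(phone, "install-key-A")    # "new phone" re-activates
    tok_new = srv.verify_code(phone, code)

    return {
        "old_token_worked_before_reactivation": old_ok,
        "new_token_works": srv.authenticate(phone, tok_new),
        "old_token_works_after_reactivation": srv.authenticate(phone, tok_old),
    }


if __name__ == "__main__":
    print(demo())
```

The last dictionary entry is the detection property the answer relies on: once the attacker (or the new phone) completes step 1, the original device's token is rejected, so the legitimate user sees themselves logged out. The model also shows why the client key alone does not stop an SMS intercept: any holder of a valid install key plus the intercepted code gets a fresh token.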