Targeting whatsapp with wireshark

Why would I want to snoop WhatsApp traffic?

I’m aiming at the moment is to create a “whatsapp alarm” that will inform me and keep a log of when someone I’m stalking comes on and off of whatsapp. An app that used to do this for me what WhatsDog (http://www.appszoom.com/android-app/whatsdog-whatsapps-watchdog-kgyke-download.html) but for whatever reason this doesn’t work anymore. *update, it seems to be working now, might be worth a gander at the code to see how they’re doing this.

Creating a test-bed

I managed to get Android running on a VirtualBox instance using this great guide: http://www.fixedbyvonnie.com/2014/02/install-android-4-4-kitkat-windows-using-virtualbox/. If you’re using that guide make sure you enable virtualization at the BIOS level on your machine else you’ll get a kernel panic, as I did.

I quickly discovered that Whatsapp is using some combination of xmpp and encryption to transmit, so I’ll need to pull some shenanigans to be able to interpret the messages I catch going across the wire. I began with the ill-advised route of attempting to peek at their code and seeing what I could learn from it. In short, not much, but I learned a lot about other things along the way.

Decompiling and re-compiling apks

Using APKTool (https://code.google.com/p/android-apktool/) I was able to decompile their APK into smali and Java, which is great! Sadly though, the good bits of the decompiled code are heavily obfuscated and I’ve wasted a few hours trying to decipher it with no gains. Just looking at the code isn’t enough. If only I could debug it?

Debugging decompiled smali

It seems that this is possible, and there’s a nice link from the apktool page that talks about setting up smali debugging (https://code.google.com/p/android-apktool/wiki/SmaliDebugging). I followed this lead and looked around a bit to get it working with my VirtualBox machine. Specifically, a page from MatD gave me a solution that hooks my VirtualBox machine to my Windows PC:  http://www.mat-d.com/site/developing-android-apps-with-android-x86-and-virtual-box/. Hint: Use a bridged adapter for debugging! Hint 2: For those of us who aren’t native to linux, netcfg is the linux equivalent to winipcfg.

Based on the fact that I hadn’t found anyone who’d been successful in deciphering this madness, I moved on to attempting to MITM their https traffic. I’m just dicking around at this point.
Sadly, I lost patience trying to get my smali debugging doing something usefull, so moved on to look for other options.
  • A bit of googling taught me that whatsapp communications are encrypted via SSL. What a pain. To find this traffic with wireshark I can make a simple filter: (http contains whatsapp)
  • Other sources: This interesting article from 2012 authored by Wolf (http://werew01f.blogspot.com/2012/05/can-you-extract-message-and-photo-from.html) that describes an exploit that could be used to snatch images in the past.

MITM SSL Traffic

It turns out that this is pretty fucking difficult. I’m going to spend some time researching around the web because *surely* someone has managed to pull this off already. I know my job is doing it. Grabbing the Session ID First I need to find whatsapp traffic through wireshark. After a bit of trial-and-error I did track down some communications between my droid box and some whatsapp and whatsapp-related servers. The whatsapp servers that any one phone communicates with sure can bounce around a lot though. Why does this happen?

DNS Lookups

First of all, the randomness of the servers utilized by the whatsapp application is a result of the DNS lookups constantly shifting to create load balancing. I didn’t even know it was done like this in the real world, not a bad idea. They submit a name table so that when someone queries for one of their named boxes they may or may not get a different box.

More on SSL

Apparently, SSL connections are based on a session that gets cached on the server and can be handed back over to the client when they log back in. This explains why it’s hard to monitor someone’s whatsapp messages remotely. I might look into that later. Other interesting notes If you restore whatsapp via titanium and include the app data from a previously working instance, the whatsapp servers appear to be none the wiser. You may receive some message overlap, but eventually they figure out two devices are getting the same messages and your new device controls the account, knocking off your old one. If you try to use the old device it will work but knock the new one offline. This was interesting to me because it seems to invalidate various rumours that I’ve read around the net that the app somehow fixates on your MAC or device ID to validate your connection. I’ve backed up several different phone numbers into a spare real phone I have, as well as the emulator box and watch them trade control of my account all day.

something to add?