For months, free smartphone instant messaging service WhatsApp has been topping the download charts. It is a favorite application for both iPhone and Android users. To the annoyance of cell phone providers, WhatsApp has become a kind of quasi replacement for the old fee-based SMS. According to WhatsApp developers, their servers handle over 10 billion messages per day.
However the service, which is run by small San Francisco start-up WhatsApp Inc., is neither as secure nor as failure-resistant as one would expect from a market leader. In his blog British web developer Sam Granger writes that any relatively ambitious hacker could get into WhatsApp accounts without a problem, either to intercept messages or send messages from their victim’s account.
This is because WhatsApp is set up to make the service friendly to new users who don’t have to provide their own combination of user name and password – they just use the existing info relating to their phone as login data. Telephone numbers are simply and clearly the basis for user names, and WhatsApp passwords — at least on Android phones — are clearly based on a phone’s IMEI serial number.
Granger discovered that to generate a password out of the IMEI number the app just changes the order of the digits – “your password is likely to be an inverse of your phones IMEI number with an MD5 cryptographic hash thrown on top of it.” What that means is that anybody who knows a phone’s IMEI number can figure out the password.
Many apps use IMEI numbers to identify phones, and any installed program can access that information and pass it on to an external database. In the event that what happened to iPhone this week (a hacker group released one million Apple UDIDs) happens to WhatsApp, and a database generated from the phone serial numbers were to be made public, WhatsApp user accounts would be compromised and become targets for spammers. Not that hackers have lost any time — on gray market sites, databases of Android phone serial numbers and corresponding cell phone numbers are sold under the keyword WhatsApp.
WhatsApp has been criticized many times for its security loopholes. Until recently the app carried unencrypted messages through the net, and a simple program made it possible for them to be accessed from a Wi-Fi network. The app also stores message history unencrypted on the SD memory card of Android phones.
Another issue is that WhatsApp can be completely cut off from the mobile phone network. As this article goes to print, T-Mobile users cannot access WhatsApp after a T-Mobile update blocked the relevant network port. T-Mobile says this was accidental and service would be resumed as fast as possible.