WhatsApp Messenger is a proprietary, cross-platform instant messaging application for smartphones. In addition to text messaging, users can send each other images, video, and audio media messages. The client software is available for Android, BlackBerry OS, BlackBerry 10, iOS, Series 40, Symbian (S60), and Windows Phone. WhatsApp Inc. was founded in 2009 by Brian Acton and Jan Koum (also the current CEO), both veterans of Yahoo!, and is based in Santa Clara, California.[5]
Competing with a number of Asian-based messaging services (like LINE, KakaoTalk, and WeChat), WhatsApp was handling ten billion messages per day as of August 2012,[6] growing from two billion in April 2012[7] and one billion the previous October.[8] According to the Financial Times, WhatsApp "has done to SMS on mobile phones what Skype did to international calling on landlines."[9] The service is free for the first year, then costs $0.99 per year.
As of August 6, 2013, WhatsApp has over 300 million active users, and 325 million photos shared each day.
Technical
WhatsApp uses a customized version of the open standard Extensible Messaging and Presence Protocol (XMPP).[11] Upon installation, it creates a user account using one's phone number as username (Jabber ID: [phone number]@s.whatsapp.net).
The WhatsApp software automatically compares all the phone numbers from the
device's address book with its central database of WhatsApp users and
adds matching contacts to the user's WhatsApp contact list.
Previously, the Android and S40 versions used an MD5-hashed, reversed version of the phone's IMEI as the password,[12] while the iOS version used the phone's Wi-Fi MAC address instead of the IMEI.[13][14] A recent update now generates a random password on the server side.[15]
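The two password schemes described above, side by side, as an added example that is not WhatsApp's code. The legacy derivation follows this page's wording (MD5 over the reversed IMEI string); the ASCII encoding, the constructed sample IMEI and the 20-byte length of the random password are assumptions.

```python
import hashlib
import math
import secrets

RANDOM_PASSWORD_BYTES = 20  # assumption: the page gives no length for the server-side password


def luhn_check_digit(body14):
    """Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions, counting from the digit next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def legacy_password(imei):
    """Legacy scheme as the page words it: MD5 over the reversed IMEI (ASCII encoding assumed)."""
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


def legacy_entropy_bits(model_known):
    """Upper bound on the unknown bits behind legacy_password().

    An IMEI is an 8-digit type allocation code (shared by every unit of a model),
    a 6-digit serial and one Luhn digit that is computed from the other 14.
    """
    unknown_digits = 6 if model_known else 14
    return unknown_digits * math.log2(10)


def server_side_password():
    """Replacement scheme: a random secret issued by the server, unrelated to the device."""
    return secrets.token_urlsafe(RANDOM_PASSWORD_BYTES)


if __name__ == "__main__":
    body = "35000000" + "123456"          # constructed TAC + serial, not a real device
    imei = body + luhn_check_digit(body)
    print("IMEI (constructed):      ", imei)
    print("legacy password:         ", legacy_password(imei))
    print("same input, same output: ", legacy_password(imei) == legacy_password(imei))
    print("entropy, model known:     %.1f bits" % legacy_entropy_bits(True))
    print("entropy, model unknown:   %.1f bits" % legacy_entropy_bits(False))
    print("entropy, random password: %d bits" % (RANDOM_PASSWORD_BYTES * 8))
    print("server password:         ", server_side_password())
```

The legacy value is a pure function of a device identifier that is not kept secret, so it protects the account no better than the identifier itself; the server-issued value has no such dependency.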
Multimedia messages are sent by uploading the image, audio or video to an HTTP server and then sending a link to the content along with its Base64-encoded thumbnail (if applicable).[16]
Until August 2012, messages were sent in unencrypted plain-text format, making the system vulnerable to session hijacking.[17]
As of August 15, 2012, the WhatsApp support staff claim messages are
encrypted in the "latest version" of the WhatsApp software for iOS and
Android (not including BlackBerry, Windows Phone and Symbian), without specifying the implemented cryptographic method.[18]
Security
In May 2011, a security hole reportedly left WhatsApp user accounts open for hijacking.[19]
Since May 2011, WhatsApp communications have reportedly not been encrypted,
and data is sent and received in plaintext, meaning messages can easily
be read if packet traces are available.[20]
According to some sources, Liroy van Hoewijk, CEO of CoreISP.net, performed
the hijacking hack and later got it fixed by helping WhatsApp reproduce it
on Android and Symbian.[21][22] Then, in May 2012, security researchers noticed that new updates of WhatsApp no longer sent messages as plaintext;[23][24][25] however, the cryptographic method implemented was subsequently described as "broken".[26]
In September 2011, WhatsApp released a new version of the Messenger
application for iPhones, closing critical security holes that allowed
forged messages to be sent and messages from any WhatsApp user to be
read.[27]
On January 6, 2012, an unknown hacker published a website
(WhatsAppStatus.net) that made it possible to change the status of an
arbitrary WhatsApp user, as long as the phone number was known. To make
it work, it only required a restart of the app. According to the hacker,
it is only one of the many security issues in WhatsApp. On January 9,
WhatsApp reported that it had resolved the issue, although the only
measure actually taken was to block the website's IP address. As a
reaction, a Windows tool was made available for download providing the
same functionality. This issue has since been resolved in the form of an
IP check on the currently logged-in session.[28][29]
On January 13, 2012, WhatsApp was pulled from the iOS App Store, and
the reason was not disclosed. The app was added back to the App Store
four days later.[30]
German tech site The H demonstrated how to use WhatsAPI to hijack any WhatsApp account on September 14, 2012.[31] Shortly after, a legal threat to WhatsAPI's developers was alleged, characterized by The H as "an apparent reaction" to security reports, and WhatsAPI's source code was taken down.[32] The WhatsAPI team has since returned to active development.[33]
Privacy
Another issue was observed on November 28, 2012, and earlier (the WhatsApp
blog post about it is dated January 12). It is not a security concern
at all but rather a problem with "chain messages": users received spam and ignorantly forwarded hoax messages to people on their contact lists.[34] The WhatsApp team clearly stated on its website that all such messages are fake.[35]
This was not the work of hackers, but simply the work of people
randomly forwarding nonsense, a problem on any social media.
A major privacy and security issue has been the subject of a joint
Canadian-Dutch government investigation. The primary concern was that
WhatsApp required users to upload their entire mobile phone's address
book to WhatsApp servers so that WhatsApp could discover who, among the
users' existing contacts, is available via WhatsApp. While this is a
fast and convenient way to quickly find and connect the user with
contacts who are also using WhatsApp, it means that their address book
was then mirrored on the WhatsApp servers, including contact information
for contacts who are not using WhatsApp. However, this information was
stored as a hash and without additional identifying information such as a
name.[36][37][38][39]
On March 31, 2013, the governing body of telecommunications affairs in Saudi Arabia, the Communications and Information Technology Commission
(CITC), issued a statement regarding possible measures against
WhatsApp, among other applications, unless the service providers took
serious steps in order to comply with monitoring and privacy
regulations.