09 June 2011

What WhatsApp doesn't tell you...


It is the 'top' app in the mobile world: almost immediately after the 'give me your mobile number' request comes the follow-up question, 'Do you have WhatsApp?'. Clearly this application is changing the concept of free SMS messaging.

Alberto already warned about the insecurity of WhatsApp transmitting its data in plain text and what that means in shared environments.

Today we talk about the inside: the way WhatsApp stores and manages its data. Looking at the application's file structure we find two files called msgstore.db and wa.db (their locations differ, of course, between Android and iPhone). Both are SQLite databases.

Once we open these files with a tool that browses their content (e.g. SQLite Manager), the first surprise arrives: none of the information they contain is encrypted. Contacts are stored in wa.db and EVERY message is in msgstore.db.



Wait a sec, did I say EVERY? Absolutely: every sent and received message is there. And why is "EVERY" in uppercase? Simply because, although WhatsApp theoretically lets us delete conversations through its graphical interface, in reality they remain in the database ad infinitum.

And the issue gets even more fun if we sent or received messages while GPS was enabled, because WhatsApp also stores the coordinates in msgstore.db.
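A quick check for the two observations above (the files are plain SQLite and nothing in them is encrypted), written as an added example and not the post's own code: it tests for the SQLite 3 file header, which an encrypted container lacks, and then inventories every table without assuming WhatsApp's schema. The sample database, its table and column names, and the opaque stand-in for a .crypt file are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Every unencrypted SQLite 3 file starts with these 16 bytes (trailing NUL included).
SQLITE_MAGIC = b"SQLite format 3\x00"

def is_plain_sqlite(path):
    """True if the file carries the SQLite 3 header, i.e. it opens without any key.
    An encrypted container such as a .db.crypt file fails this check, which is why
    a SQLite browser rejects it or shows unreadable characters."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC

def table_row_counts(path):
    """Schema-agnostic inventory: {table: row_count} for every user table."""
    conn = sqlite3.connect(path)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        # Names come from sqlite_master, but quote them anyway before interpolating.
        return {n: conn.execute('SELECT COUNT(*) FROM "%s"' % n.replace('"', '""'))
                .fetchone()[0] for n in names}
    finally:
        conn.close()

def make_sample_db(path):
    """Constructed sample store; table and column names are invented, not WhatsApp's."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE messages (id INTEGER PRIMARY KEY, jid TEXT, data TEXT, ts INTEGER);
        INSERT INTO messages VALUES (1, '34611111111@s.whatsapp.net', 'hi', 1307000000);
        INSERT INTO messages VALUES (2, '34622222222@s.whatsapp.net', 'bye', 1307000100);
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, number TEXT);
        INSERT INTO contacts VALUES (1, '34611111111');""")
    conn.close()

def demo():
    """Build the sample db beside an opaque stand-in for a .crypt file; inspect both."""
    tmp = tempfile.mkdtemp()
    db, blob = os.path.join(tmp, "msgstore.db"), os.path.join(tmp, "msgstore.db.crypt")
    make_sample_db(db)
    with open(blob, "wb") as fh:
        fh.write(b"not sqlite" + b"\xff" * 54)  # constructed opaque bytes
    return {"db_is_sqlite": is_plain_sqlite(db),
            "blob_is_sqlite": is_plain_sqlite(blob),
            "tables": table_row_counts(db)}
```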


In the case of Android there are even more interesting things stored that might be of interest to a forensic investigator - or maybe a jealous boyfriend/girlfriend. Apparently WhatsApp is configured by default with a very 'verbose' logging level and stores, inside the directory /files/Logs, files that look like this:

# pwd
/data/data/com.whatsapp/files/Logs
# ls
whatsapp-2011-06-06.1.log.gz  whatsapp-2011-06-09.1.log.gz
whatsapp-2011-06-07.1.log.gz  whatsapp.log
whatsapp-2011-06-08.1.log.gz
#

These files record every XMPP transaction the application makes, at a very verbose (debug) level, including the timestamp at which each message is received or sent (among other things).

011-06-09 00:47:21.799 xmpp/reader/read/message 346XXXXXXX@s.whatsapp.net 1307XXXXXX-30 0 false false

These files are easily parseable to extract the list of mobile numbers that have held some kind of conversation with us. I wrote a small script that parses the file and pulls out that list of numbers:

import re
import sys

# Usage: python whatsnumbers.py <whatsapp log file>
logfile = sys.argv[1]
with open(logfile, "r") as logdata:
    dump = logdata.readlines()

numerosin = []   # numbers we received messages from
numerosout = []  # numbers we sent messages to

for line in dump:

    # Incoming message: the number precedes the @s.whatsapp.net JID
    m = re.search(r'(?<=xmpp/reader/read/message )\d+', line)

    if m:
        if not numerosin.count(m.group(0)):
            numerosin.append(m.group(0))

    # Outgoing message: the receipt written for it
    m = re.search(r'(?<=xmpp/writer/write/message/receipt )\d+', line)

    if m:
        if not numerosout.count(m.group(0)):
            numerosout.append(m.group(0))

print("Messages received from\n")
print("\n".join(numerosin))
print("\nMessages sent to\n")
print("\n".join(numerosout))

Running the script outputs the information as follows:

$ python whatsnumbers.py whatsapp-2011-06-08.1.log
Messages received from

34611111111
34622222222

Messages sent to

34611111111
34622222222
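A gzip-aware variant of the same idea, added here and not part of the original post: it reads the rotated .log.gz files listed above directly and, beyond the bare list of numbers, keeps the message count and the first and last timestamp seen per number. The receipt line shape is an assumption modelled on the script's regex, and the sample log is constructed after the debug line quoted above.

```python
import gzip
import os
import re
import tempfile
from collections import defaultdict

# Incoming messages vs outgoing receipts, as the original script tells them apart.
# Receipt line shape is assumed from that regex; captures are (timestamp, number).
PATTERNS = {
    "received_from": re.compile(r"^(\S+ \S+) xmpp/reader/read/message (\d+)@"),
    "sent_to": re.compile(r"^(\S+ \S+) xmpp/writer/write/message/receipt (\d+)"),
}

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2011-06-08 09:10:11.123 xmpp/reader/read/message 34611111111@s.whatsapp.net 1307000001-1 0 false false
2011-06-08 09:12:00.456 xmpp/writer/write/message/receipt 34611111111@s.whatsapp.net 1307000002-1
2011-06-08 21:30:05.789 xmpp/reader/read/message 34622222222@s.whatsapp.net 1307000003-2 0 false false
2011-06-08 21:31:00.000 xmpp/reader/read/message 34611111111@s.whatsapp.net 1307000004-3 0 false false
2011-06-08 21:32:00.000 unrelated/debug/line that the parser must ignore
"""

def open_log(path):
    """Open whatsapp.log or a rotated whatsapp-YYYY-MM-DD.N.log.gz transparently."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rt", encoding="utf-8", errors="replace")

def summarise(lines):
    """Per direction and number: message count plus first and last timestamp seen."""
    stats = defaultdict(dict)
    for line in lines:
        for direction, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            ts, number = m.groups()
            entry = stats[direction].setdefault(number, {"count": 0, "first": ts, "last": ts})
            entry["count"] += 1
            entry["last"] = ts  # log lines are chronological, so the latest wins
    return dict(stats)

def summarise_file(path):
    with open_log(path) as fh:
        return summarise(fh)

def demo():
    """Write the sample as a rotated .gz log, like those in files/Logs, and summarise it."""
    path = os.path.join(tempfile.mkdtemp(), "whatsapp-2011-06-08.1.log.gz")
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    return summarise_file(path)
```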

15 comments:

Juan Aguilera said...

Phew, what a bodge WhatsApp is when it comes to privacy. One thing that isn't clear to me is what happens with the supposedly deleted messages. Is there a flag in the DB marking them as deleted?

PS: Have you noticed your "lock english" key got stuck? ;)

Wasesores said...

Well, good thing I don't have it... just yesterday they told me it was wonderful, and today with this...

Greetings from Wasesores.com

Juan Aguilera said...

Oops! How clumsy of me. I hadn't noticed it was also in Spanish. Well, I'll take the chance to tell you that two sentences in Spanish slipped through at the very end. ;)

Security By Default said...

True, Juan, now corrected. Thanks!

CC said...

For Nokia, where does one find the files for the logs? I've looked for them under those same names but I can't find them.

Hcdragons said...

This might be obvious but I don't know this. Where can I find the files wa.db and msgstore.db on an iPhone 3GS / Windows 7?

q8phantom said...

So can someone create an unofficial WhatsApp?

http://forum.meego.com/showthread.php?t=3758&page=7

Fik_de_borg said...

Well, I've just downloaded SQLite Manager and looked for the databases on my phone, and it's called msgstore.db.crypt, and I didn't find wa.db. As I feared because of the ".crypt", SQLite Manager asks me for the password...
Android gingerbread 2.6.35.7
Whatsapp 2.6.8990

Ridaa_shahid said...

Hey, I've been trying to extract my messages from the WhatsApp .db file and SQLite tells me the message seems to be encrypted and asks me for a key =S

Lshdennis2001 said...

Me, too.

I found the file but it is named "xxxxx.db.crypt".
It seems it can't be opened with software like SQLite, etc.
Could you tell me how to open it and read it! (I tried to open it but it shows unreadable characters...)

THANKS!

Unknown said...

What is the password to decrypt the messages??

Emi said...

Very interesting, but what is the password to get in when opening the database file?
If I don't enter it, this becomes useless.

Sarah mae said...

So where do I start? I download SQLite on my laptop... Then what? I need to view messages on my boyfriend's phone, so do I type in his number? Bit confused!

Alejandro said...

Hi, a question: could it be that they've now modified WhatsApp so it doesn't keep deleted messages? I tried with the db from my phone and the messages I deleted were not kept in msgstore.db.
Many thanks

mario alberto said...

I don't understand much of all the terms you use, but those messages and photos that get saved, can they be deleted with some application, or what can be done to delete them from where they're stored?