I want to develop a mobile app and use a WhatsApp-like user registration. Now I remember the security problems that were discussed some years ago. WhatsApp used to authenticate users simply by their phone number and IMEI. Now of course this is not really safe, but I don't really know how to do it more securely.
I haven't heard anything about WhatsApp authentication problems for a long time now, so I guess they have a secure method today. Do you know how WhatsApp does it today?
The update, which is currently only available on WhatsApp beta for Android, is completely automatic. WhatsApp will use flash calls to automatically log into the accounts of users. Usually WhatsApp sends out a six-digit OTP on the user's phone via SMS or call.
The new layer of security, called Code Verify, is a browser extension that verifies the authenticity of the WhatsApp Web code being served to the browser. It checks that the WhatsApp Web code you received has not been tampered with or altered.
Two-step verification is an optional feature that adds more security to your WhatsApp account. When enabling this feature, you create and confirm a unique PIN that's required to access your account. The two-step verification PIN is different from the 6-digit registration code you receive via SMS or phone call.
After you enter your phone number, please wait for an SMS to be delivered to your phone. The SMS will contain a 6-digit verification code, which you can enter on the verification screen in WhatsApp. The verification code is unique and changes each time you verify a new phone number or device.
I'll take a stab at this question.
To my knowledge, WhatsApp still uses your phone number as the primary unique identifier. The first time you log in to WhatsApp you verify the phone number to be your own.
However, the second time WhatsApp provides a secret key at login. This helps to avoid some of the attacks services like Telegram have seen, where an SMS can be called and intercepted at any point to access the account (take a look at how their web login works).
Indeed, this secret key they provide is your identifier; it is stored securely locally and must be used in all subsequent requests. Of course, users switch phones. In such a case, the account must be re-activated via SMS, where a new secret id will be produced, invalidating the previous one.
Hence, an attacker could attempt the SMS-intercept protocol I spoke of by means of re-activation. The problem with this is you'd realize someone is intercepting your traffic immediately because Whatsapp would be disabled on your own device. Therefore, this could only be successful if you didn't check Whatsapp for a while or were in the midst of an internet outage. Overall, this makes their method secure.
@Srinivas What you have observed is nothing more than WhatsApp storing on their verification server that a particular phone number cannot be verified for the next two hours, irrespective of the origin of the request.
EDIT: In response to @Srinivas's comment:
The last part of your answer is absolutely correct. I did a few tests and it works as you said. Thanks. But I am not clear on the 1st time login and 2nd time login.
I apologize for not being thorough. I will attempt to re-explain.
As I see WhatsApp, the initial screen is registration (SMS code request screen) and the 2nd login is verify code (verify SMS code). Can you provide some more info for my understanding please?
What I meant by first time login is the entire SMS verification process. Hence, I'll divide it up in two segments:
First-time login: The user requests an SMS verification code. They are required to enter the code correctly if from another device, or alternatively have WhatsApp recognize the SIM and complete verification automatically. They are then logged in and have access to their undelivered or backed-up messages if it's a previously existing account.
Second-time login: Immediately following this verification process WhatsApp delivers a secret access token which is stored locally on the device. Thus, any time they open the app and attempt to connect to the server they are required to use this access key. As I explained, if they'd like to re-activate their account on another device, they'll have to complete step 1 again from the new device, which will then generate a new secret key, invalidating the previous one and making it possible to log in only from the new device.
Here's some documentation I found from someone who has created a similar API: github.com/mgp25/Chat-API/wiki/WhatsApp-Registration-Flow. Please provide your valuable input.
I reviewed the documentation and they follow the same pattern precisely. What may have confused you is the initial "code request token". This is simply a key that verifies the validity of the device that is making a request to complete step 1. This ensures the legitimacy of the origin of the user who's attempting to register their device.
Here's how that works:
The user would like to complete step one. Therefore, they send a request token to the server along with their identity (phone number). This is a code that was delivered upon load to the application.
This still isn't sufficient to stop an SMS intercept during step 1. Given that the origin of the request is a legitimate WhatsApp installation, the SMS verification code can give an attacker access to the user's account. However, as I previously noted, this invalidates the previously generated secret key from step 2. Therefore, the user will notice that they've been logged out locally as long as they're actively using WhatsApp and connected to the Internet.
Let me know if there's any more confusion.
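The two-segment flow described in the answer above (step 1: SMS code request and verification; step 2: a locally stored access token that every later request must carry, replaced whenever the number is re-registered from another device) can be modelled server-side in a few dozen lines. The following is an added example written for this page; it is not WhatsApp's code nor the Chat-API project's code. The class name `RegistrationServer`, the in-memory dictionaries, the five-minute code lifetime, the three-attempt limit and the two-hour lockout are all assumptions chosen to illustrate the behaviour the answer describes (the lockout models the two-hour block mentioned in the reply to @Srinivas). The sample phone numbers are constructed.

```python
"""Toy model of an SMS-OTP registration flow with a per-device session token.

Step 1: request_code() issues a 6-digit one-time code for a phone number and
        verify_code() checks it (constant-time compare, limited attempts).
Step 2: a successful verification issues a random access token; only the hash
        is stored, and storing it replaces the previous device's session, so an
        older token stops authenticating as soon as the number is re-registered.
All values below are assumptions for the example, not WhatsApp's real limits.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300        # assumption: a code is valid for five minutes
MAX_OTP_ATTEMPTS = 3         # assumption: the code is burned after three bad guesses
LOCKOUT_SECONDS = 2 * 3600   # models the two-hour block mentioned in the answer


class RegistrationServer:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested offline
        self.pending = {}         # phone -> {"code_hash", "expires", "attempts"}
        self.locked_until = {}    # phone -> timestamp until which no code is issued
        self.sessions = {}        # phone -> {"token_hash", "device"}

    @staticmethod
    def _h(value: str) -> str:
        # Hash secrets before storing them so a database dump does not leak codes/tokens.
        return hashlib.sha256(value.encode()).hexdigest()

    def request_code(self, phone: str) -> str:
        """Step 1a: issue a one-time code. Returned here so the demo can 'deliver'
        it; a real server would hand it to an SMS gateway and never return it."""
        if self.locked_until.get(phone, 0) > self.now():
            raise PermissionError("number locked; try again later")
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = {
            "code_hash": self._h(code),
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify_code(self, phone: str, code: str, device: str) -> str:
        """Step 1b: check the code; on success mint the step-2 access token."""
        entry = self.pending.get(phone)
        if entry is None or entry["expires"] < self.now():
            self.pending.pop(phone, None)
            raise PermissionError("no valid code outstanding")
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code_hash"], self._h(code)):
            if entry["attempts"] >= MAX_OTP_ATTEMPTS:
                # Burn the code and block new requests for this number for a while.
                del self.pending[phone]
                self.locked_until[phone] = self.now() + LOCKOUT_SECONDS
            raise PermissionError("wrong code")
        del self.pending[phone]                      # a code is single-use
        token = secrets.token_urlsafe(32)
        # Replacing the session is what logs the previous device out.
        self.sessions[phone] = {"token_hash": self._h(token), "device": device}
        return token

    def authenticate(self, phone: str, token: str) -> bool:
        """Step 2: every later request must present the current device's token."""
        session = self.sessions.get(phone)
        return session is not None and hmac.compare_digest(
            session["token_hash"], self._h(token)
        )

    def active_device(self, phone: str):
        session = self.sessions.get(phone)
        return session["device"] if session else None


def demo():
    """Register on device A, then re-register the same number on device B."""
    server = RegistrationServer()
    phone = "+15550100"                      # constructed sample number
    token_a = server.verify_code(phone, server.request_code(phone), "device-A")
    token_b = server.verify_code(phone, server.request_code(phone), "device-B")
    # Device A's token is now rejected; device B holds the only valid session.
    return (server.authenticate(phone, token_a),
            server.authenticate(phone, token_b),
            server.active_device(phone))


if __name__ == "__main__":
    print(demo())
```

The part that matters for the question is the last line of `verify_code`: the token is only ever tied to the most recent successful verification, so an attacker who intercepts the SMS for a re-registration does get in, but the legitimate device's token is revoked at the same moment, which is exactly the "you'd notice because WhatsApp would be disabled on your own device" property the answer relies on. The lockout and attempt counter are there because a six-digit code is trivially brute-forced without them.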