WhatsApp

- Reading time: 8 minutes / whole rubric: 34 minutes -

General information

WhatsApp is a closed system, only uses telephone numbers for registration and is based in the United States of America (USA).

Advantages/disadvantages in brief:

  • positive: extremely widespread - especially in Europe and the USA
  • positive: Terms of use (external) and Privacy policy (external) in German
  • negative: central service - no interoperability
  • negative: data protection concerns and, as a result, prohibition of use in many areas (in companies, educational institutions, administration, …)
  • negative: server software is based on a public standard that has been modified and adapted internally for the company’s own purposes
  • negative: encryption based only on program code with a public license (unclear legal situation (external))
    The license of WhatsApp (company property) is not compatible with the GPLv3 license of the program library ‘libsignal-protocol-java’, so what is actually encrypted, and how, is secret and cannot be verified.
  • negative: minimum age 13 years (may differ per country)
  • negative: maximum number of participants in groups: 256
  • negative: file size restricted to max. 100 MB for Android and iOS, 64 MB when using the web client on the desktop
  • negative: only phone number as identifier (no matter if with/without hash)
  • negative: in group chats, your own phone number is displayed to the others
  • negative: no stand-alone desktop client (no login/use without smartphone)
  • negative: no multi-device capability (use of one chat account on several independent devices)
  • negative: can only be used on desktop via web client - no independent desktop client

Although WhatsApp is very popular in the private sphere, it is still rightly controversial because it falls short on issues such as privacy, data protection, freedom and independence:

Case law

Decision of the Hersfeld District Court from 15.05.2017:

“Anyone who uses the messenger service “WhatsApp” continuously transmits data in clear data form from all contact persons entered in their own smartphone address book to the company behind the service in accordance with the technical specifications of the service.
Anyone who allows this continuous transfer of data through their use of WhatsApp without first obtaining permission from their contacts in their own phone address book is committing a criminal offense against these people and runs the risk of being warned by the people concerned for a fee.”

Translated from source: https://www.lareda.hessenrecht.hessen.de/bshe/document/LARE190000030 (external)

Recommendation

In a letter from the Federal Data Protection Commissioner Dr. Kelber dated 29.10.2019, he makes a clear recommendation:

“… I regularly advise authorities and companies under my supervision not to use WhatsApp for internal communication. In my view, the federal authorities should develop their own data protection-friendly messenger or participate in the further development of a free messenger, which could then gradually be opened up for communication with citizens. Of course, development on an open source basis is particularly suitable for this…”

Ban on WhatsApp in schools

The use of WhatsApp in schools is clearly regulated: WhatsApp is prohibited.

For good reason, there are therefore corresponding guidelines and instructions from the state school authorities responsible for education, such as

However, the state data protection officers also have a clear position on this:

Prohibition of WhatsApp in companies or the administration

As a rule, its use is also officially prohibited here. In many areas, however, it is used intensively and without permission due to the lack of known alternatives. In some cases, this is even tolerated by superiors, which is a clear lack of leadership. This problem must therefore be addressed openly and, if necessary, escalated via the data protection officer.

Open WhatsApp

The Federal Minister of Justice is right to call for the opening of WhatsApp (German).

Action #DeleteWhatsApp

Brian Acton (WhatsApp co-founder), who left the Facebook group (now “Meta”), is calling on users to delete WhatsApp.

But: Data collection continues even without an account:
“To gain access to your data, WhatsApp does not need hidden backdoors, but simply accesses the digital phone books of your contacts. For example, if your best friend has saved your birthday, your place of residence, your email address, your phone number(s), the names and details of your family, your website, your Twitter name and various other data under your name and Whatsapp grants access to the phone book, the messenger will also read all this data.
So if you really want to make sure that Whatsapp and Facebook know as little as possible about you, you need to tell all your contacts to delete your data that goes beyond the bare minimum from their phones.”
Translated from source: https://www.businessinsider.de/tech/whatsapp-sammelt-eure-daten-selbst-wenn-ihr-den-messenger-nicht-benutzt (external)

Surveillance with WhatsApp

The question “Can and may WhatsApp be used for surveillance purposes?” is an exciting one.
Answers can be found >> here <<.

Tips

Blocking

In some cases, it may be necessary to block the app’s access to the internet. There are several very interesting sources on this:

  • Anatomy of WhatsApp Messenger (external; Somanathan Gohulan; status 11.03.2018)
    Quotation:
    “If we needs to block WhatsApp fully, try to block e.whatsapp.net — e5.whatsapp.net, because this is for the initial handshake which never allows to use WhatsApp.”
  • HOWTO-blocking-WhatsApp (external; afwall; status 04.03.2019) addresses, ports and the encryption of WhatsApp.
    Quote also here:
    “It’s normally more then enough to block e.whatsapp.net - e5.whatsapp.net, because this is for the initial handshake which means if that fails you can’t receive/send any message. You should try this first.”

Registration without a mobile number

To register, it is not necessary to enter the mobile number you actually use. You can use an extra SIM card with a different mobile number - or an unused landline number (also works with the telephone number of a public telephone box!). In this case, you will receive the confirmation text message with the verification code over the phone.

Sources:

WhatsDeleted

The WhatsDeleted app can be used to save messages before the sender deletes them. The messages and media are copied to a local backup so that they can still be accessed even if the sender has deleted the original message.

Project page: https://f-droid.org/packages/com.gmail.anubhavdas54.whatsdeleted (external)

Decrypting the database

The private key for the WhatsApp (and also Signal) database is stored in plain text on the device (/data/data/com.whatsapp/files/key). It can be read out via ADB, and the data can then be decrypted with TriCrypt/OmniCrypt. Everything you need is available as an app at XDA or online at whatcrypt.com (external).

Project page: https://github.com/EliteAndroidApps/WhatsApp-Key-DB-Extractor (external)

Backup-Popup

If you select “never” when asked about the backups to be created, you are bothered every few weeks with a pop-up asking when the backup should be made (including to the cloud). This cannot be switched off and comes up again and again - until you click on “daily”, “weekly” or “monthly” by accident or out of annoyance … very annoying, so be careful!

Special knowledge

WhatsApp, what’s inside?

WhatsApp uses a modified version of the XMPP protocol as the message format. All messages are compressed by replacing frequently used words with 1- or 2-byte tokens (e.g. a byte 0x5f is written instead of “message”), resulting in the so-called “Functional XMPP” / FunXMPP (official name: chatd). You can get a very interesting and in-depth look at the internals at umumble.com (external; English).

Here is another nice (shorter) piece of information: https://git.triangulation.nl/koenk/whatspoke/blob/master/doc/funxmpp.md (external)

Network settings such as protocols, ports, IP addresses, host names: https://developers.facebook.com/docs/whatsapp/guides/network-requirements (external)

Which ports does WhatsApp use? (external)
WhatsApp currently uses various ports. These include not only TCP 443 (HTTPS) and TCP 80 (HTTP) but also port numbers 4244, 5222, 5223, 5228 and 5242 (all TCP). The latter ports are mostly used for voice or video calls from the instant messenger on Android or iOS (iPhone). In normal use, however, WhatsApp mostly uses ports 443, 80 and 5222.
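An added example (not from the original page or the quoted HOWTOs): a Python check that runs a constructed firewall log against the handshake hosts quoted under “Blocking” and the ports listed above, to see whether a block is actually in effect. The log format, the function names and reading the host range as e, e1 to e5 are assumptions.

```python
import re

# Handshake hosts quoted in the "Blocking" section. Expanding the range
# "e.whatsapp.net - e5.whatsapp.net" to e, e1 ... e5 is an assumption.
HANDSHAKE_RE = re.compile(r"^e[1-5]?\.whatsapp\.net$")
# Non-web TCP ports listed on this page. 80 and 443 are left out on purpose:
# they are shared with almost all other traffic and say nothing on their own.
LISTED_PORTS = {4244, 5222, 5223, 5228, 5242}

# Constructed egress log: timestamp, source, destination host, port, proto, action.
SAMPLE_LOG = """\
2024-01-10T08:00:01 10.0.0.5 e3.whatsapp.net 443 tcp ALLOW
2024-01-10T08:00:02 10.0.0.5 e.whatsapp.net 5222 tcp DENY
2024-01-10T08:00:03 10.0.0.7 example.org 443 tcp ALLOW
2024-01-10T08:00:04 10.0.0.7 chat.example.org 5222 tcp ALLOW
2024-01-10T08:00:05 10.0.0.9 E6.WhatsApp.net. 443 tcp ALLOW
2024-01-10T08:00:06 10.0.0.9 e1.whatsapp.net.example.org 443 tcp ALLOW
"""


def classify(host, port, proto="tcp"):
    """Return 'handshake', 'whatsapp-domain', 'port-only' or 'other'."""
    host = host.strip().lower().rstrip(".")  # normalise case and trailing dot
    if HANDSHAKE_RE.match(host):
        return "handshake"
    if host == "whatsapp.net" or host.endswith(".whatsapp.net"):
        return "whatsapp-domain"
    if proto.lower() == "tcp" and port in LISTED_PORTS:
        # Weak signal: 5222 is the standard XMPP client port for any server.
        return "port-only"
    return "other"


def allowed_findings(log_text):
    """List (source, host, verdict) for every ALLOWed line that is not 'other'."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[3].isdigit():
            continue  # skip malformed lines instead of guessing
        _, src, host, port, proto, action = fields
        verdict = classify(host, int(port), proto)
        if action == "ALLOW" and verdict != "other":
            findings.append((src, host, verdict))
    return findings


if __name__ == "__main__":
    for finding in allowed_findings(SAMPLE_LOG):
        print(finding)
```

A “port-only” finding needs a hostname or further evidence before it is attributed to WhatsApp, which is why the hostname block from the quoted HOWTOs is the more targeted control.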

Information on Wikipedia: https://de.wikipedia.org/wiki/WhatsApp#Protokollkanäle (external)

Useless knowledge

The XMPP (Jabber) legacy can still be found in WhatsApp today: the term “jid” has been retained in msgstore.db as “jid_row_id”, and the Jabber identification number (JID) of a WhatsApp group is “[phone-number]-[creation-timestamp]@g.us”.

Answer to the question whether WhatsApp also stores the contact names locally: Yes - in the wa.db, wa_contacts table, field display_name and given_name
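An added example, not part of the original page: the group JID layout and the wa_contacts fields described above, applied to constructed data to show what a single group identifier reveals once the local contacts table is at hand. The sample numbers, the in-memory table and its jid column are assumptions.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Group JID layout as given on this page: [phone-number]-[creation-timestamp]@g.us
GROUP_JID_RE = re.compile(r"^(\d{6,15})-(\d{9,10})@g\.us$")


def parse_group_jid(jid):
    """Return (creator_number, created_utc) or None if the JID has another shape."""
    m = GROUP_JID_RE.match(jid)
    if not m:
        return None
    created = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1), created


def build_sample_contacts():
    """Constructed stand-in for wa.db; the 'jid' column is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wa_contacts (jid TEXT, display_name TEXT, given_name TEXT)")
    db.execute("INSERT INTO wa_contacts VALUES (?, ?, ?)",
               ("4915100000000@s.whatsapp.net", "Alex Example", "Alex"))
    return db


def describe_group(db, group_jid):
    """Resolve what one group JID reveals when the contacts table is available."""
    parsed = parse_group_jid(group_jid)
    if parsed is None:
        return None
    number, created = parsed
    # The number is digits only (enforced by the regex), so it is safe in LIKE.
    row = db.execute(
        "SELECT display_name FROM wa_contacts WHERE jid LIKE ? || '@%'", (number,)
    ).fetchone()
    return {"creator_number": number,
            "creator_name": row[0] if row else None,
            "created_utc": created.isoformat()}


if __name__ == "__main__":
    contacts = build_sample_contacts()
    print(describe_group(contacts, "4915100000000-1500000000@g.us"))
```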

Miscellaneous

Not everyone can/wants to delete WhatsApp (or another stand-alone solution) - and sometimes has a question about this. That’s why there’s even a public chat room for this:

“WhatsApp & other proprietary messengers”
The main topics in this public chat room (=group/conference) are proprietary messengers (isolated solutions). In particular WhatsApp, but also Signal, Threema, Telegram, …
Address: xmpp:whatsapp@conference.trashserver.net

Why use provider-independent chat? Because it simply works with free messengers ;-)


If you love WhatsApp, you’d better not read the following blog article - or perhaps precisely for that reason, because as we all know, love is often blind …
https://blog.pohlers-web.de/wie-du-bist-nicht-bei-whatsapp/ (external)