
Reverse Engineering WhatsApp Web - wjh_
https://github.com/sigalor/whatsapp-web-reveng/blob/master/README.md
======
gustavmarwin
I'm very hopeful this reverse engineering effort will enable the creation of a
tool to export my conversations (WhatsApp can do email export, which let's be
real, doesn't cut it for most cases).

A point to those that support migrating to alternatives such as Signal. Signal
is good, but far from great for a single reason: you need a phone number. This
is very bad in necsec and reliability terms, my case:

Reliability: like more and more people, I travel all the time between
countries and live out of Airbnbs. Hence my pre-paid phone numbers changes
very regularly. If I lose my phone, I lose the phone number, I also lose my
Whatsapp/Signal key associated with my phone number.

Netsec: A phone number is associated with your physical identity, you might
not care, but more and more people do care about this stuff. Yes there are
ways around that, but nothing straightforward and actually practical.

I'm patiently, but eagerly, looking forward to status.im .

~~~
dingo_bat
Just use telegram. Open source, native clients for every platform. No phone
number necessary.

~~~
tomcooks
Open source client, as far as i know the server is still closed source.

I suggest using Riot, preferrably self-hosted.

~~~
mgliwka
Not even that. They only dump the source code over the fence once in a while.
Try to find the source code for the latest release of any one of the Telegram
mobile clients. Good luck!

------
firefoxd
I see a lot of "just use X instead."

Unfortunately, unlike the old chat protocols, switching to any other platform
means convincing your contacts to use a new platform. They like you and all,
but that means they also have to use a special app just to talk with you now.

~~~
spronkey
It _astounds_ me that something as simple as talking to people is in some ways
objectively more difficult now than it was in 1990.

What the hell are we doing?

------
salqadri
Wow that's impressive. But I would imagine WhatsApp/Facebook can just change
their protocol at any time since it is easy to redeploy a new version of the
WhatsApp Web client, thus breaking any 3p clients built on the original
protocol. That would require yet another reverse engineering effort that can
take a while. And by the time its reverse engineered again, they can yet again
change the protocol. So the only reliable way to create 3p clients would be if
WhatsApp itself publicly publishes its protocol.

~~~
hazelnut
they still have to support older clients. so it is not that easy to just
change the protocol.

~~~
saurik
No, because it is a website.

~~~
paxy
They also have native apps on most mobile platforms (including Windows Phone,
Blackberry and even Nokia Series 40). It isn't as easy to update all of them
as one would think.

~~~
detuur
But those are the apps themselves. This is about the WhatsApp _Web_ protocol
which allows you to use WhatsApp from a browser window by pairing it with a
live session on your phone. Since the API endpoint are their own servers and
the client is literally just a website, they can update whenever they want
however much they want.

------
0x0
Curious to know why they chose to require python in addition to node, wouldn't
node with npmjs/yarn be sufficient and require less setup? Does python/pip
provide any benefits here?

~~~
sigalor
Hi, I'm sigalor, the original creator of the project. Actually, now I also
regret using Python in addition to NodeJS. When I started all of this back in
November, I originally chose Python, because it's, well, "quick and dirty".
Especially trimming arrays and working with byte strings requires a lot more
code in JS than it does in Python. I even wrote a reimplementation of the
decryption routines in JavaScript, but it's not working entirely (the HMAC
authentication of received messages fails, though login works).

------
ktosobcy
Wouldn't it be better to simply start convincing your friends to use something
more open, where you have choice of the client? It feels like solving the
problem from the wrong angle…

~~~
StavrosK
Better? Yes. Easier? No.

Besides, what's more open, as usable and secure?

~~~
aylons
Signal. It is at least as secure as Whats App by design, has pratically the
same interface and also a Chrome-based desktop app that works untethered from
the phone app.

~~~
lxglv
Out of curiosity: I’ve noticed a long-term sceptical attitude to telegram in
HN audience and have seen multiple arguments against it. Something like that
their crypto can’t be trusted, that it’s not time-proven. Don’t you know any
good source with some sort of domain expert explanation, why shouldn’t it be
used or trusted? No intention to start any flame against Signal, only
curiosity regarding telegram flaws. Personal point of view is also
appreciated.

~~~
Analemma_
> Don’t you know any good source with some sort of domain expert explanation,
> why shouldn’t it be used or trusted?

People like tptacek have talked here at length about why Telegram is not
trustworthy, you can see a history of his comments with a simple search:
[https://hn.algolia.com/?query=tptacek%20telegram&sort=byPopu...](https://hn.algolia.com/?query=tptacek%20telegram&sort=byPopularity&prefix&page=0&dateRange=all&type=comment).
Moxie Marlinspike has also pointed out a bunch of problems with Telegram, and
even if you don't consider him a trustworthy source because he runs a
competing service, the technical reasoning behind his opinions is sound.

If you want a personal POV, here are three reasons why Telegram is a bad idea:

1) The large number of unsound technical decisions. See Thomas and Moxie's
many comments for details, or the "Security" section on its Wikipedia page.

2) Within _days_ of launching, they had a critical security vulnerability:
[https://news.ycombinator.com/item?id=6948742](https://news.ycombinator.com/item?id=6948742).
Frankly, this alone should have discredited them forever, especially
considering how much boasting they were doing beforehand, but people are
stupid.

3) They have a consistent pattern of responding to criticism not with
technical defenses, but with ad hominem attacks and conspiracy theories
("You're paid by the US Government!")

~~~
gsich
Some years ago all you needed for Whatsapp was the phone number and MAC
address to login and view all messages. Nobody gives a shit about this today.
Should have discredited WA forever too.

------
anonu
Impressive work.

Obviously, WhatsApp/Facebook would want to avoid a bunch of third party apps
connecting to their service. How long until they make changes to make this
more difficult/impossible?

~~~
Thaxll
If you have a web API it's impossible to secure it, especially when you have
many platforms that access it ( web / mobile ect ... )

~~~
detaro
You can change it often enough to be really annoying though. And Whatsapp bans
users of third-party clients it can detect. At least the users I know stopped
trying these things after a while.

------
alpb
FWIW Repos like these that reverse engineer a proprietary API that post stuff
on GitHub are usually taken down with a DMCA enforcement. The same thing
happened multiple times when folks reverse engineered and documented the
Snapchat API.
[https://news.ycombinator.com/item?id=6083812](https://news.ycombinator.com/item?id=6083812)

~~~
gsich
yowsup has been online for years.

------
Jaruzel
From the GitHub readme:

> _An UI that is not that technical, but rather starts to emulate the actual
> WhatsApp Web UI._

No, no, no. This trend of 'Phone UI' chat interfaces on desktop/laptop screens
needs to stop. If you are going to all this effort to reverse engineer the
protocol, at least make your front end customisable or at the very least
IRCish in style.

------
andjd
I'm missing why this needs both a python and a node backend.

~~~
sigalor
Hi, please refer to my answer to a similar comment:
[https://news.ycombinator.com/item?id=16796791](https://news.ycombinator.com/item?id=16796791)

------
mratzloff
Many of the vendors we partner with (tourism industry) live in countries where
the main communication channel is WhatsApp. There's a lot of communication we
want to automate in the near future—eagerly looking forward to seeing this
progress!

------
mikkelam
Were you inspired by this repository
[https://github.com/mukulhase/WebWhatsAPI](https://github.com/mukulhase/WebWhatsAPI)?

Do you need a phone running to use this project?

------
letslightafire
I'm wondering how they actually reverse engineered WhatsApp in the first
place. Is there a specific type of software that does this or was it just
built from scratch using already available information?

~~~
sigalor
Hi, I'm sigalor, the original creator of the project. The reverse engineering
was almost entirely done using the Chrome debugging tools. That is, pretty-
printing the JS source files, setting breakpoints and stepping through the
code for hours. When I started, all of this was incredibly difficult, but the
longer you do it, the more you get used to it. Additionally, the debugging
tools also provide you with looking at what is sent through websockets, which
makes it rather easy to see which JSON data is sent (e.g. for login).

~~~
letslightafire
That must've taken forever. Do you have any plans to reverse engineer other
apps? I know people like you are in short supply and high demand.

~~~
sigalor
It certainly did, but after all it was just a fun spare time project. I guess
there would be a lot of interesting software to reverse engineer; I am always
open to suggestions that are able to extend my knowledge. And well, if you
mean it in context of a job... I don't have any experience regarding the job
market yet, but that also sounds quite striking :)

~~~
letslightafire
I don't know much about the job market, I was talking about the internet in
general. Too many applications are locked black boxes and reverse engineering
them basically keeps them alive after their demise. However, not a lot of
people actually put in the effort to reverse engineer this stuff, so keep up
the good work for this stuff!

------
ape4
A pidgin plugin would be nice. Oh there seems to be one already -
[https://github.com/davidgfnet/whatsapp-
purple/](https://github.com/davidgfnet/whatsapp-purple/)

~~~
severine
There's also a Python library:
[https://github.com/tgalal/yowsup](https://github.com/tgalal/yowsup)

~~~
mikkelam
Don't even bother with yowsup, you will be banned after wasting a lot of time
setting it up

------
quantized1
Let's bring some more misery to Zuckerberg

------
pankajdoharey
Why did they not write the backend server for Whatsapp web in Erlang, which
the original Whatsapp was mostly written in?

~~~
sigalor
Well, I don't know Erlang (yet) and AFAIK, Erlang is rather focused on fail
tolerance, high availability etc., which wasn't really a concern when I
started the project. Python and NodeJS are quite good for quickly trying out
ideas though.

------
Turm
Noob question: Is traffic going through the websocket-servers properly end-to-
end encrypted? That's what always held me back about using Whatsapp Web

~~~
sigalor
Hi, that's definitely not a noob question. I'm already having plans on
investigating this, but this topic is even more difficult than WhatsApp Web
itself (see [https://github.com/sigalor/whatsapp-web-
reveng/issues/10#iss...](https://github.com/sigalor/whatsapp-web-
reveng/issues/10#issuecomment-377193932) ). Thus, at this time, I am not able
to give you a definite answer, though, to put it informally, "it looks good"
(at least on the surface).

