
WhatsApp is broken, really broken - espinchi
http://fileperms.org/whatsapp-is-broken-really-broken/
======
zachalexander
OT, but I'm intrigued by their business model.

I don't know the history, but currently, the Android app is free, and it says
the use of the service is free for the first year, then will be $0.99 per year
after that.

Meanwhile, the iOS app is $0.99 straight up.

Thoughts:

(a) "Free for a year, $1/year after that" seems like an awfully long time to
wait for a payday, but _if_ it works, and you get lots of free users, I bet
you get more conversions in the long run than with a normal free/pro app
business model.

(b) "Free in one store, paid in the other" is an interesting idea. If you can
build up a large userbase of free Android users, and it's an inherently social
app, your free Android users will tell their friends on iOS devices to get the
app so they can communicate. They probably don't even know it's not free. It's
like unintentional affiliate marketing.

(c) I realize (b) might not be an intentional choice by the developers, but a
necessity due to the App Store perhaps not supporting pricing schemes like the
one in (a).

~~~
jrajav
Even more OT, but Angry Birds is $0.99 on iOS and free (with ads) on Android
to this day:
[https://www.google.com/search?&q=angry+birds+android+OR+...](https://www.google.com/search?&q=angry+birds+android+OR+itunes)

Just the nature of the different app ecosystems, really.

~~~
norswap
Could the fact that Apple pretty much forces you to enter your credit card
number in their system play a role?

You used to be able to create an account without it, but now it seems
impossible (or if it is, you have to do some devious thing 99% of the
population could not figure out, even after solid googling).

~~~
shinratdr
> or if it is, you have to do some devious thing 99% of the population could
> not figure out, even after solid googling

That "devious thing" is "attempt to download a free app without an account".
Then it will present you with the credit card-free option.

------
lnanek2
This app has ridiculous penetration, however. I've met people who use this
and no other app not out of the box before. In foreign countries it is easier
to get someone to WhatsApp me than it is to get them to text my strange US
number.

Sure, they solved a pain that's very common, replacing expensive text
messaging, but part of their success is how easy it is for users without
annoying username/password hoops to step through. They should fix the
security, although I don't do anything important over it anyway, but I can't
say they went wrong by avoiding a classic username/password setup that might
have been more secure from the start.

------
fruscando
We should all start using our regular XMPP accounts now! Most of us already
have one. If you have a Gmail, Fastmail, Lavabit, GMX, Ovi.com, Yandex email
address, you are ready to go. All that's left to do: Install Xabber or IM+ on
your smartphone! Btw, both support OTR end2end encryption!

If you also want to instant message on your laptop: The latest Thunderbird
comes with XMPP support! Or give Jitsi, which supports end2end encryption, or
one of the many alternatives a try! Enjoy!

------
gsibble
I've been seriously considering creating a highly secure text messaging
replacement. I'm aware of TextSecure but find it lacking (and only available
on Android). I'd love to hear if you guys think it would be a worthwhile
project.

~~~
UnoriginalGuy
You could make one but the audience would have almost no cross-over with
WhatsApp.

Your app would have a nice geeky audience of tech nerds who would drool over
how secure it is and how smart they are.

WhatsApp on the other hand "just works." It requires zero setup, zero
technical understanding, and is available on almost every platform (at least
the "biggies" anyway).

I would say its audience is teenagers, and the less tech-savvy consumer in
general. I cannot see them wanting to switch to something else unless you
come up with a USP which appeals to them (i.e. security is not a USP that
they're interested in).

~~~
gsibble
Those are basically the same thoughts that I had. Security is not enough of a
concern for most of the market. I wouldn't build it as a commercial product,
but basically as art for those of us who value privacy.

That said, I think the number of people concerned with message privacy is on
the rise around the world. Over a few years, the market may grow significantly
as privacy receives more attention.

------
GauntletWizard
How do apps like WhatsApp get popular? They offer inferior service in every
way to builtins, and require that both parties have installed something. SMS
is in every way better unless you don't have a texting plan, in that case,
GTalk and iMessage are in every way better (And GTalk is even cross platform
with several fairly simple XMPP clients on iOS). Who uses this shit?

I encountered the same thing recently with Raidcall. It's a shitty voice
service that's in every way inferior to Skype, but trying to position itself
as a competitor to Teamspeak (Which itself has been eclipsed on features and
price by Mumble). Yet, somehow people will argue with you about it and
evangelize it, without any sort of benefit comparison.

~~~
yen223
WhatsApp was there first. Network effects cemented their position.

iMessage doesn't work for non-iOS phones. Annoyingly, GTalk doesn't have an
official client on iOS. SMSes can get expensive.

~~~
hboon
No, there was an app Ping, which was around earlier than WhatsApp. It was ugly
and didn't work well. WhatsApp is easy to set up, easy to use, and has
relatively good functionality.

------
koski
I'm an "open source guy". Very picky to pay for anything.

I use the mentioned app with my Lady every day because it works so well on her
iPhone too. The ease of sending photos is just pure awesome. Never failed
(during one year). It works so well I don't hesitate a second to pay a dollar
for it when it asks for it.

Ps. Drunk in a bar and a regular guy next to me agrees who did not agree on a
bunch of other stuff.

~~~
koski
Pps. Yes. Of course the dude next to me did not know about the possible
problems the author mentions. Which of course is an issue.

How do you explain to a "regular dude" that anyone can listen to your phone
call if they want to?

In my world everyone "normal I know" loves the mentioned app. How do I explain
to them that everyone can read their messages if they want to? They answer me,
everyone can steal my "normal" mail too if "they want to".

Ppps. I fixed the typo I think I created after 8 pints.

------
ZoFreX
Yes, it's insecure by the standards we would normally apply to software. But
let's be honest - this is competing against SMS, not XMPP, Skype, et al. How
hard do you think it is for someone to sniff an SMS?

~~~
revelation
Compared to this? Ridiculously hard. A5/1, while severely compromised, still
requires heavy IOPS and computing power to break quickly with rainbow tables
(see Kraken).

Even worse: this allows for trivial spoofing. You're far, far away from doing
that with SMS.

~~~
ZoFreX
Actually, SMS spoofing is arguably easier than WhatsApp spoofing.

------
ollysb
I'd have thought a large majority of WhatsApp users use it for chatting. I
can't imagine they're particularly fussed about people sniffing their plans
for meeting up that night. There are varying requirements for security...

~~~
mikeash
I suggest you go find some nearby open wifi in use, spy on some people, then
tell them what you've found and see how they react to it. Report back when
you're done... If you can....

~~~
ollysb
If the table next door was having an obviously private discussion they'd
probably be a bit put out if you started offering your opinion. People know
their conversations often aren't secure, but then there are certain social
expectations. Sometimes it's just expected that other people will politely
ignore their conversation. If you told people that you had been spying on them
I guarantee you that they would not blame their tech. They would place the
blame squarely at your door for having listened in on something you shouldn't
have.

------
aw3c2
Sadly, normal free Jabber/XMPP does not seem to be a viable alternative. On
Android, sure (though the clients are not too great at reconnecting/noticing-
connection-loss/reporting-message-reception) but on iOS apparently you cannot
run such things in the background. At least the situation was dire when I
tried to convince some iOS friends to use XMPP instead of SMS last winter.
<http://monal.im/> looked most promising but turned out to crash or only work
when active, I don't fully remember. Maybe it got better.

~~~
morsch
You could run the real XMPP client on a server and use the native push
messaging system to wake up the mobile client. This would also enable
receiving "offline" messages while the mobile device is not on a network or
turned off.

Of course, this would let the person operating the "real" XMPP client read
your messages; but the person operating the XMPP server can do that already,
so there isn't any real change -- either way you should be using OTR messaging
at all times.

In the peer to peer spirit of XMPP, such a project should make it really easy
to run this virtual client yourself locally or on a cheap cloud server. Maybe
something like that exists already? Anybody wanna build it?

~~~
guruz
We've been trying to build something supporting that, but so far with far less
than full steam. Too busy with client projects right now :)

<http://woboq.im/>

------
morsch
No mention of this on their blog (in fact, no new posts since July). And no
quick patch that pops up a box asking the user to assign a password. Since
it's tied to a phone number/SIM card anyway, you could easily offer a password
retrieval option via SMS.

I wonder what happens if a phone number (the login) is tied to a different
IMEI (the password). This can happen when you transfer a phone number from one
provider to another.

~~~
truncate
> I wonder what happens if a phone number (the login) is tied to a different
> IMEI

I think they send verification code to the phone via SMS or ask your
permission to make a call and speak the verification code.

~~~
hwatson
Yep. You'll normally see this happen if you restore an iPhone backup onto
another iPhone then try to launch WhatsApp. Login will fail and you'll be
asked to type in the SMS received.

------
alpeb
Like Oscar Wilde once said, everything popular is wrong. Quality is well down
in the list of things that matter to have a successful product.

------
bvdbijl
I was working on a better WhatsApp API than the mess that is whatsapi, do not
have enough time though. It's based on wazapp which has an actual
implementation of the binary packed XMPP transfer mechanism they use. Might
upload it if someone's interested, it seems broken right now though.

~~~
HarshaThota
Do it. It may be possible for someone to create a third-party client for
WhatsApp instead of relying on the official version.

~~~
bvdbijl
Look up wazapp, it's a third party client for the Nokia N9.

------
grk
So, what's the best alternative?

~~~
denzil_correa
Viber [1] may be a good alternative. It's free on all ecosystems - iOS,
Android, WP, Blackberry, Nokia and Bada.

[1] <http://www.viber.com/>

~~~
tijs
Like WhatsApp, Viber is free to use and has no advertising model. If they are
not making money off me directly I have to wonder how safe my data actually is
with this service.

~~~
denzil_correa
WhatsApp is not free to use. iOS users are charged a flat 99c fee while
Android users are charged $1 a year from the second year onwards.

I do not know how secure Viber is but they have been steadily acquiring a good
user base. If I were Viber, I would cash in on this opportunity to write a blog
post or advertise their security model.

~~~
mverwijs
I've been using WhatsApp well over a year on Android. I got a free renewal in
June. Never paid a cent.

~~~
denzil_correa
Sure, you may have but are you the exception or the rule?

------
antirez
It's worse than that, in iOS devices the MAC address is easy to predict. For
instance my phone and my wife's phone have the first _four_ bytes the same.

Example:

F0:AB:C7:11:xx:yy

So you can easily crack this by brute force without sniffing the device
address at all.

~~~
mmcnickle
This is by design[1]. The first 3 bytes are the same for the same
manufacturer. The last 3 bytes can be assigned as they wish. Apple probably
assign the 4th byte as a product identifier, so would be consistent across
iPhones. I wonder what the 4th byte is for other iOS devices, or if it's the
same?

[1][http://en.wikipedia.org/wiki/Organizationally_Unique_Identif...](http://en.wikipedia.org/wiki/Organizationally_Unique_Identifier)

~~~
ot
That's very unlikely: an address space of just 65K numbers would be left,
which is orders of magnitude less than the number of iPhones produced.

Considering that each phone has at least two MACs (WiFi and Bluetooth), even
the 16 million that would be given by using the full 3 bytes look scarce.

I think that Apple has several OUIs. In fact, my iPhone's MAC doesn't have a
single byte in common with the parent's.
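The arithmetic in the exchange above (how much of a 48-bit MAC is actually unpredictable once the manufacturer prefix is known, and therefore how small the search space for a credential derived from it becomes), as an added worked example that is not code from the thread or from any of the projects mentioned. The sample addresses are constructed: they reuse the OUI prefixes posted in the thread with made-up device bytes, and the function and variable names are my own.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample WLAN MAC addresses: the OUI prefixes are the ones posted in
# the thread, the last three bytes are made up for illustration.
SAMPLE_MACS = [
    "F0:CB:A1:3E:91:07",
    "f0-cb-a1-3e-0c-5a",    # same OUI, different separator style
    "F0CBA13E7712",         # same OUI, no separators at all
    "0C:77:1A:42:B0:9D",
    "F0:AB:C7:11:5F:20",
    "F0:AB:C7:11:A3:C4",    # shares the first *four* bytes with the one above
]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC as upper-case colon-separated bytes, or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """The Organizationally Unique Identifier: the first three bytes."""
    return normalize_mac(mac)[:8]


def group_by_oui(macs):
    """Group addresses by manufacturer prefix."""
    groups = defaultdict(list)
    for mac in macs:
        groups[oui(mac)].append(normalize_mac(mac))
    return dict(groups)


def shared_prefix_bytes(macs) -> int:
    """How many leading bytes every address in the list has in common."""
    rows = [normalize_mac(m).split(":") for m in macs]
    count = 0
    for column in zip(*rows):
        if len(set(column)) != 1:
            break
        count += 1
    return count


def mac_secret_search_space(known_prefix_bytes: int) -> int:
    """Candidate values left for a secret derived from a 6-byte MAC when the
    leading bytes are already public knowledge (3 for the OUI, 4 if a product
    byte is fixed as well). Only the unknown bytes contribute."""
    if not 0 <= known_prefix_bytes <= 6:
        raise ValueError("a MAC has six bytes")
    return 2 ** (8 * (6 - known_prefix_bytes))


def random_secret_search_space(nbytes: int = 16) -> int:
    """For comparison: a secret from secrets.token_bytes(nbytes) has no
    guessable structure, so every bit of it counts."""
    return 2 ** (8 * nbytes)


def fresh_device_secret(nbytes: int = 16) -> str:
    """What a device-bound credential should look like instead: random bytes
    generated at enrolment (hex-encoded here), not a function of a public
    identifier such as the MAC or IMEI."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for prefix, members in group_by_oui(SAMPLE_MACS).items():
        print(f"OUI {prefix}: {len(members)} device(s) -> {members}")
    same_product = [m for m in SAMPLE_MACS if oui(m) == "F0:AB:C7"]
    print("bytes shared by the two F0:AB:C7 phones:", shared_prefix_bytes(same_product))
    print("search space with OUI known:    ", mac_secret_search_space(3))  # 16,777,216
    print("search space with 4 bytes known:", mac_secret_search_space(4))  # 65,536
    print("search space, random 16 bytes:  ", random_secret_search_space(16))
    print("example random credential:", fresh_device_secret())
```

The two search-space numbers are the ones ot quotes: 2^24 once the OUI is known, 2^16 if a fourth byte is fixed per product line. Either is a trivial space compared with a randomly generated 128-bit secret, which is why a credential should be minted at enrolment and stored, never derived from an identifier the device broadcasts.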

~~~
mmcnickle
You're right, I didn't do the maths. This list[1] from 2010 shows that Apple
has dozens of OUIs and I imagine the list is much, much longer now.

[1]<http://www.scribd.com/doc/42074577/Apple-OUI-List>

~~~
antirez
But maybe given products use a small subset of their available addresses...

Ok, there is a simple way, let's collectively compile a list of the HN users
reading this thread having an iPhone. I'll start with:

    4s - F0:CB:A1:xx:yy:zz (me)
    4s - F0:CB:A1:xx:yy:zz (wife)
    4s - F0:CB:A1:xx:yy:zz (friend)

Please reply with your first three bytes.

~~~
antirez
Another friend of mine:

4s - 0C:77:1A:xx:yy:zz

------
FuzzyDunlop
> "On iOS devices the password is generated from the devices WLAN MAC address"

On what planet is using this data a valid form of security? Anyone can get
hold of a MAC address.

------
denzil_correa
Just received an update on the iOS app stating "Full encryption for messages
over mobile and WiFI".

------
norrs
Anyone know if deleting message history is enough to kill the history on their
servers?

~~~
willrax
On their website it says that they don't store messages on the server. Once
they are delivered, they get removed.

------
pheraph
Does anybody know if the latest update changed anything on the security side?

------
rjzzleep
Seriously though, why does it have to send the whole contact list EVERY time?

You close WhatsApp, remove the contact list permission, open it again,
surprise, it won't work. -_-

~~~
UnoriginalGuy
I presume because the list of potential people who you could connect to might
change.

I guess they could re-scan it on a schedule but that wouldn't solve your issue
and might annoy their user base who are using it because it "just works."

Plus removing a permission isn't something any app supports that I am aware
of. It isn't even something you're meant to be able to do on Android.

~~~
rjzzleep
Point being, it's a stupid idea. Every half-decent programmer would just
upload the diff.

~~~
UnoriginalGuy
Nope, I wouldn't even consider that. Firstly because K.I.S.S. and secondly
because you've exchanged a relatively small data "cost" with a much larger
storage and processing "cost."

You'd have to have a database of everyone's contacts and then be comparing X
with Y every few connections...

------
irfan
A new version of WhatsApp for iOS is out.

------
andrewljohnson
Did the author email the WhatsApp team to give them any chance to fix this
before they splashed it across the internet for anyone to abuse? The article
makes no mention of it, so I assume not.

In my opinion, the obscurity peeled off by this exposé did more to endanger
WhatsApp users than the bad programming. So, I can only conclude this post's
main goal is page views. OP could easily have warned them, and at least waited
to see whether they did anything before publishing.

~~~
jneal
My opinion - something so trivial as private data sent in plaintext isn't a
bug or a security hole, it's bad by design. You shouldn't have to notify
someone they've designed their app poorly. If he was taking advantage of a
security hole, or something of that nature that wouldn't already be known to
the developers, then I could see notifying them before publishing.

~~~
danso
This is an excellent point. Fixing a design flaw this inherent is going to
take more than a weekend of frantic dev time. It could conceivably take weeks
to implement an overhaul to their framework, all the while the users are
vulnerable.

~~~
andrewljohnson
They could theoretically take the app down, or issue a warning to users.

On the other hand, this article does little to alert users, while blithely
informing techies, some of whom are likely to be hackers of some order.

