A new research conducted by forensic researchers at the University of New Haven (F. Karpisek of Brno University of Technology in the Czech Republic, and Ibrahim Baggili and Frank Breitinger, co-directors of the Cyber Forensics Research & Education Group) is worrying the large community of WhatsApp users. The experts demonstrated that the popular messaging service WhatsApp collects data on phone calls, including in numbers, call duration and other information.
“Our research demonstrates the type of data that can be gathered through the forensic study of WhatsApp and provides a path for others to conduct additional studies into the network forensics of messaging apps,” said Baggili.
The experts discovered that WhatsApp implements the FunXMPP protocol, a binary-efficient encoded Extensible Messaging and Presence Protocol (XMPP) for the near-real-time exchange of structured data.
The group of researchers decrypted the connection between the WhatsApp client and servers, then they were able to view exchanged messages using a custom-made command-line tool they have created for the analysis.
According to the boffins, this is the first time a research group has probed how WhatsApp uses signalling messages to establish voice calls.
The team has focused its analysis on the signalling messages exchanged during a WhatsApp call established with an Android device, the experts have studied the authentication process implemented by the WhatsApp clients and uncovered the codec used by WhatsApp for voice media streams, the Opus at 8 or 16 kHz sampling rates.
The analysis of the traffic allowed to discover which data the client sends to the servers while establishing a call. Data includes WhatsApp phone numbers, WhatsApp phone call establishment metadata, date-time stamps, and WhatsApp phone call duration metadata.
The researcher discovered much more, they examined how relay servers are announced and the relay election mechanism, and how WhatsApp clients announce their endpoint addresses to use for the media streaming, along with the relay server IP addresses used during the calls.
The experts published a paper entitled WhatsApp Network Forensics: Decrypting and Understanding WhatsApp Call Signaling Messages that includes details of their study.
(Security Affairs – WhatsApp, mobile)