Examining Information Sharing During WhatsApp Web Setup

Gabriel Martim

Saturday, July 20, 2024 at 11:43:41 AM

Understanding WhatsApp Web Initialization
In the digital age, understanding device communication is critical, particularly for applications like WhatsApp Web. When you scan the QR code to start WhatsApp Web, the Android device and the browser exchange a number of parameters. This technique uses encrypted traffic, which can be difficult to evaluate.
Despite using tools such as tpacketcapture and Burp Suite with the certificate installed on the device, the traffic remained encrypted, raising issues about WhatsApp's protocols. This paper dives into the mechanisms underlying this process and proposes potential approaches for assessing the parameters transmitted during WhatsApp Web sessions.

Command Description

mitmproxy.http.HTTPFlow In mitmproxy, this represents a single HTTP flow, which includes both the request and the response.

ctx.log.info() Logs data to the mitmproxy console for debugging reasons.

tshark -i wlan0 -w Starts a network traffic capture on interface wlan0 and saves it to a file.

tshark -r -Y -T json Reads a capture file, applies a display filter, and returns the results in JSON format.

jq '.[] | select(.layers.http2)' Filters JSON output for elements that contain HTTP/2 traffic.

cat whatsapp_filtered.json Displays the contents of the filtered JSON file comprising WhatsApp web traffic.

Command	Description
mitmproxy.http.HTTPFlow	In mitmproxy, this represents a single HTTP flow, which includes both the request and the response.
ctx.log.info()	Logs data to the mitmproxy console for debugging reasons.
tshark -i wlan0 -w	Starts a network traffic capture on interface wlan0 and saves it to a file.
tshark -r -Y -T json	Reads a capture file, applies a display filter, and returns the results in JSON format.
jq '.[] \| select(.layers.http2)'	Filters JSON output for elements that contain HTTP/2 traffic.
cat whatsapp_filtered.json	Displays the contents of the filtered JSON file comprising WhatsApp web traffic.

Detailed explanation of the traffic analysis scripts.

The first script uses , a sophisticated tool for intercepting HTTP and HTTPS traffic. The method is called for each HTTP request that goes through the proxy. If a request is made to , we increment a counter and log the request URL with ctx.log.info. This enables us to monitor and log all communication between the Android device and WhatsApp Web, providing information about the data transferred throughout the QR code scanning process. The list registers our own addon with mitmproxy, allowing the script to operate smoothly whenever mitmproxy is launched.

The second script uses , the command-line version of Wireshark, to capture and analyze network data. The command starts a capture on the wireless interface and saves the results to a file. The file is then read and filtered to display only the traffic connected to the Android device's IP address, using . The JSON output is further processed with jq, a command-line JSON processor, and filtered for HTTP/2 traffic using . The filtered traffic is kept and shown using to provide a detailed perspective of the WhatsApp Web communication. These scripts, when combined, provide a powerful way for analyzing encrypted communication, assisting in determining the parameters transmitted during WhatsApp Web startup.

Intercepting and analyzing WhatsApp Web Traffic

Using Python and mitmproxy to analyze traffic

import mitmproxy.http
from mitmproxy import ctx

class WhatsAppWebAnalyzer:
    def __init__(self):
        self.num_requests = 0

    def request(self, flow: mitmproxy.http.HTTPFlow) -> None:
        if "web.whatsapp.com" in flow.request.pretty_host:
            self.num_requests += 1
            ctx.log.info(f"Request {self.num_requests}: {flow.request.pretty_url}")

addons = [WhatsAppWebAnalyzer()]

Decrypting WhatsApp Web Traffic for Analysis.

Using Wireshark and Tshark to decrypt network traffic

#!/bin/bash

# Start tshark to capture traffic from the Android device
tshark -i wlan0 -w whatsapp_traffic.pcapng

# Decrypt the captured traffic
tshark -r whatsapp_traffic.pcapng -Y 'ip.addr == <ANDROID_DEVICE_IP>' -T json > whatsapp_traffic.json

# Filter for WhatsApp Web traffic
cat whatsapp_traffic.json | jq '.[] | select(.layers.http2)' > whatsapp_filtered.json

# Print the filtered traffic
cat whatsapp_filtered.json

Exploring Advanced Techniques for WhatsApp Web Traffic Analysis.

Understanding the encryption techniques utilized is crucial when examining WhatsApp Web traffic. WhatsApp uses end-to-end encryption, which means that messages are encrypted on the sender's smartphone and then decoded on the recipient's device. This makes intercepting and decrypting traffic a difficult operation. Understanding the key exchange mechanism, as well as the roles of public and private keys, will help you identify potential vulnerabilities and techniques for legitimate interception. Furthermore, studying the first handshake between the device and the server might provide useful information about the encryption process and any metadata that may be transferred.

Another technique is to utilize specialist gear or software capable of deep packet inspection (DPI). DPI technologies may examine the contents of data packets as they travel over a network, which is valuable for identifying certain apps or protocols even when the communication is encrypted. For example, utilizing Wireshark in conjunction with WhatsApp traffic plugins can help examine communication patterns and determine the types of messages being sent. Understanding the underlying WebSocket protocol utilized by WhatsApp Web can also provide valuable information, as this protocol is critical for real-time communication between the browser and the WhatsApp servers.

What are the best tools for capturing WhatsApp web traffic?
Tools like and are frequently used for capturing and analyzing network traffic.
How does WhatsApp secure its web traffic?
WhatsApp employs end-to-end encryption, which means that messages are encrypted on the sender's device and only decoded on the recipient's.
Can traffic be decrypted once it has been encrypted?
Decryption is highly difficult due to the usage of end-to-end encryption, however understanding key exchange processes can help.
What is deep packet inspection?
Deep packet inspection (DPI) is a type of data processing that thoroughly examines data being transmitted over a network in order to detect protocols or applications.
How do WebSockets contribute to WhatsApp's web communication?
WebSockets provide real-time communication between browsers and WhatsApp servers, which is critical for message delivery.
Are there any legal considerations while eavesdropping WhatsApp traffic?
Yes, intercepting traffic can have legal consequences and must be done in accordance with local laws and regulations.
Can public and private keys be exploited?
Exploiting public and private keys is extremely difficult and often unfeasible without large computational resources or vulnerabilities.
What are the limits to utilizing mitmproxy for this purpose?
Mitmproxy can capture communication but may be unable to decrypt it due to WhatsApp's strong encryption mechanisms.
How can metadata be used in traffic analysis?
Metadata, such as message timestamps and user interactions, can provide insights into communication patterns while keeping message content private.

Because of the tight encryption used during WhatsApp Web startup, understanding the parameter exchange requires advanced tools and approaches. While typical approaches such as tpacketcapture and Burp Suite may fall short, using deep packet inspection and specialist tools can provide more information. Although difficult, these methods can help interpret encrypted communication, offering a more complete view of the data transferred between the Android smartphone and the browser during the QR code scanning process.