Adversarial interoperability for WhatsApp

by Martin Monperrus

WhatsApp is a widely popular application with zero interoperability. WhatsApp does not provide APIs or documentation to build alternative clients.

We have to go for adversarial interoperability. In this post, I describe a working solution to use WhatsApp on a laptop, without running it on a mobile phone. It is based on Anbox.

Background

WhatsApp uses powerful crypto, taken from Signal. In short, only your phone can decrypt the messages you receive, and the keys are only located in the phone.

WhatsApp provides two APIs:

Physically, you have “WhatsAppWeb <-> WhatsAppWeb server <-> your phone <-> WhatsApp server <-> your recipient”

Cryptographically, you have “WhatsAppWeb <-> your phone <-> your recipient”

In this post I explain how to replace your phone with a standard Linux server.

Prerequisites

Actions

  1. Install WhatsApp on your rooted Android phone and register your phone number. This creates the phone's WhatsApp cryptographic keys.
  2. Connect your browser to your phone by visiting https://web.whatsapp.com/ and scanning the QR code. This creates the browser's WhatsApp cryptographic keys, used to talk to your phone. The keys are stored both in the browser and in the phone.
  3. Close WhatsApp on your phone.
  4. Save the full WhatsApp configuration folder /data/data/com.whatsapp in whatsapp.zip.
  5. Transfer whatsapp.zip to your server, for Anbox. Unzip it on the server in /var/lib/anbox/rootfs/data/data. This transfers both the keys to talk to the WhatsApp server and the keys to talk to your browser.
  6. Start WhatsApp on Anbox.
  7. Use https://web.whatsapp.com/ without any phone in the loop.
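
A check to run before the unzip in step 5, as an added example that is not code from the original post: it refuses an archive that other users can read (whatsapp.zip holds the account keys) and any entry that would land outside com.whatsapp/. The names check_profile and unpack_profile are hypothetical, and treating keystore.xml (the file named under "Open questions") as the sign that the keys were captured is an assumption.

```python
import os
import zipfile

APP_DIR = "com.whatsapp"   # folder name from step 4
KEY_FILE = "keystore.xml"  # assumption: its presence means the keys were captured


def check_profile(zip_path):
    """Validate whatsapp.zip; return its entry names or raise ValueError."""
    # The archive is key material: refuse it if group/other can access it.
    if os.stat(zip_path).st_mode & 0o077:
        raise ValueError("archive is accessible to other users; chmod 600 it")
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
    for name in names:
        parts = name.replace("\\", "/").split("/")
        # Unpacking writes into Anbox's data directory: reject absolute
        # paths, ".." components and folders belonging to other apps.
        if name.startswith("/") or ".." in parts or parts[0] != APP_DIR:
            raise ValueError(f"entry outside {APP_DIR}/: {name!r}")
    if not any(n.split("/")[-1] == KEY_FILE for n in names):
        raise ValueError(f"no {KEY_FILE} in archive")
    return names


def unpack_profile(zip_path, dest):
    """Step 5: extract a validated archive under dest; return file paths."""
    names = check_profile(zip_path)
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(dest, members=names)
    return [os.path.join(dest, n) for n in names if not n.endswith("/")]


if __name__ == "__main__":
    import sys
    # usage: python3 unpack.py whatsapp.zip /var/lib/anbox/rootfs/data/data
    for path in unpack_profile(sys.argv[1], sys.argv[2]):
        print(path)
```

The script does not change file ownership, so the extracted files keep the owner of the user who ran it.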

See also

Open questions

Yowsup: It is possible to receive messages with Yowsup, by transferring the info from keystore.xml. How to register a WhatsAppWeb client with Yowsup?

Troubleshooting

If your server does not have a monitor, you need to run Anbox in a fake X server, for instance Xvnc from TigerVNC. In this case, note that Anbox only uses touch events and not mouse events, which means that the Xvnc client does not work with Anbox: you have to use the adb shell input commands, e.g. input tap 280 280.
