    Spying on WhatsApp: what you need to know

    More and more users are looking to spy on WhatsApp: often for fear of betrayal by the partner, other times for simple curiosity. The Internet has allowed us to do things that were unimaginable 10 years ago, but at the same time it has opened the door to more advanced types of attacks and techniques aimed at stealing data, information and damaging target devices.

    Working across the whole technology sector, we realize that the fear of being constantly spied on by someone, fuelled in part by a poor understanding of some news spread online, is much more widespread than is believed: every day many people ask us whether it is possible that their cell phone activity is being observed by malicious users, and the most common question is whether it is possible to spy on WhatsApp.

    Short answer: yes, but no. In theory, you just need to be connected to the Internet to potentially give prying eyes access to your WhatsApp conversations; however, the matter is much more complex than one might think, and in almost all cases it is essential that those who want to spy on you have your phone in their hands.

    So, back to us: don't expect your threatening friend who calls himself an "advanced hacker" to snap his fingers, spy on WhatsApp from your phone and share everything he found on Facebook to put you at the center of countless embarrassing situations, because - even if you've seen it in the best science fiction movies - in the real world it's really complicated.

    In the next few lines we will try to explain why in the simplest way possible.

    Spying on WhatsApp: let's be clear

    As bad luck (for me) would have it, while collecting material to debunk this kind of computer hoax I came across a series of articles, in many languages - I know who you are thinking of and no, he is not the only one to have done so, far from it - all reciting the same refrain: WhatsApp can be spied on using “advanced but feasible” techniques.

    Before believing it, whether you are afraid of being a victim or are thinking of becoming the perpetrator (which we do NOT hope), it is good to shed some light on how these methods, so acclaimed online, actually work.

    Apps to spy on WhatsApp

    Online you may come across websites, programs or apps for smartphones and tablets with more or less “original” names, for example WhatsApp Spy or Spy WhatsApp or even Spy on WhatsApp Software and similar. If you are looking for something like this to harm someone, besides being aware that your intentions are absolutely to be condemned, know that such software, sites or apps cannot materially do what they promise. Indeed, in all likelihood they will end up harming you.

    If, on the other hand, you are afraid of becoming a victim of such programs, then rest assured: the only victims here will be the suckers who use them to try to harm you.

    Connection sniffing

    Let's start with a fairly simple assumption: this method would only work if you use WhatsApp over a Wi-Fi connection and it would make absolutely no sense if, on the other hand, we are talking about a connection via a 2G / 3G / LTE network; therefore in the following lines we will assume that we are talking about the first case.

    Sniffing a Wi-Fi connection basically means, armed with a computer, a receiver, a large dose of computer skills and a victim who does not know what a network key is, standing "on guard" and intercepting the packets that pass over the poor victim's network, in an attempt to read their content in clear text.

    Already after this sentence and without further ado, we can loudly affirm that it is not possible to spy on WhatsApp by sniffing network packets. Reason? Starting from the end of last year WhatsApp encrypts its messages end-to-end with TextSecure technology. This means, in very simple terms (conceptually correct but technically questionable) that:

    1. you write a message;
    2. immediately before leaving your phone, it is "masked" with TextSecure by WhatsApp and made unreadable to external eyes;
    3. the message travels "masked" (and therefore illegible even for those who try to sniff) through the network, is stored on the server (still "masked") and then leaves again for the recipient;
    4. immediately after arriving at the recipient's phone, WhatsApp takes care of "unmasking it" and thus making it legible in the eyes of the recipient.
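
    The four steps above as a runnable sketch, added here and not WhatsApp's or TextSecure's code: a toy Diffie-Hellman exchange and an HMAC-SHA256 keystream stand in for the real protocol, and every name and parameter (`mask`, `unmask`, `relay`, the 521-bit modulus) is an assumption for illustration. The public keys are exchanged unauthenticated in this sketch.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption for this sketch): a Mersenne prime
# modulus. Real messengers use elliptic-curve key agreement, not this.
P = 2**521 - 1
G = 3


def keypair():
    """Private/public pair; the private half never leaves the phone."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_keys(my_priv, their_pub):
    """Both phones derive the same encryption and MAC keys; the server cannot."""
    shared = pow(their_pub, my_priv, P).to_bytes(66, "big")
    return (hashlib.sha256(b"enc" + shared).digest(),
            hashlib.sha256(b"mac" + shared).digest())


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def mask(keys, plaintext):
    """Step 2: runs on the sender's phone, before anything touches the network."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def relay(packet):
    """Step 3: the Wi-Fi sniffer and the server both see only these bytes."""
    return bytes(packet)


def unmask(keys, packet):
    """Step 4: runs on the recipient's phone; rejects packets altered in transit."""
    enc_key, mac_key = keys
    nonce, body, tag = packet[:16], packet[16:-32], packet[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("packet was modified or the key is wrong")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
```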

    The only way this security could fail is if a vulnerability were found in the encryption applied by TextSecure, but that is a very, very, very remote hypothesis.

    However, it must be emphasized that, since WhatsApp is a closed source program, the use of TextSecure technology is known with certainty only on Android, while all other platforms are in doubt; in any case, the messages are still encrypted with the RC4 algorithm using a unique key based on the user's personal parameters - so, although RC4 is considered weak, decrypting even one such message is extremely complex.

    Spy on WhatsApp by cloning the MAC address

    Perhaps this is the "method" whose reading made me smile the most. First of all, let's explain what a MAC address is: it is simply the “tax code” of the component or components that allow devices to connect to the Internet, and it is unique for each device. Thanks to the MAC address, WhatsApp is able to make sure that one and only one mobile device at a time (WhatsApp Web is a separate matter, but we will talk about it in due course) can use the app.

    According to this reasoning, two devices with an identical MAC address can connect to WhatsApp at the same time and, although this is not theoretically possible, there is software that lets you "change" the MAC address of your device to another of your choice. Put simply: if someone knows your MAC address, by following a method they are potentially able to "pretend" to be you in the eyes of WhatsApp and, armed with a bag of chips, enjoy the show.

    Is it really like this?

    I have read the "suggested" procedure to spy on WhatsApp by cloning the MAC address, and there are one, or rather two, small points that make this trick almost completely impractical. Here's how it would work in principle:

    1. some fool, Pippo, takes your phone without you noticing and reads the associated MAC address;
    2. Pippo changes the MAC address of his device to yours;
    3. Pippo installs WhatsApp and begins the configuration procedure, using your registration number, however;
    4. Pippo concludes the configuration procedure by manually entering the verification code that arrived via SMS on your phone;
    5. Pippo completes the setup and can enjoy the show.

    I forgot: Pippo must be equipped with fairly advanced computer skills, must be very fast and must have all the tools at hand (rooted / jailbroken smartphone, active emulator, Internet connection) to carry out the diabolical plan.

    In addition to it not being so easy to put something like this into practice, look at point 1, point 2 and point 4: Pippo must necessarily have physical access to your phone to do damage. If you are careful enough not to leave your phone unattended and to use authentication methods for the lockscreen, this method, too, has zero applicability.

    Specific applications

    This "suggested" method can also raise a smile: if it is true that there are applications capable of "diverting" a large part of the data in transit to and from a smartphone to a destination unknown to the victims, it is also true that these applications are not that easy to find and they must be consciously installed by the victim himself for them to work.

    So, if you are not gullible enough to install everything people suggest and you are smart enough not to leave your smartphone unattended and to periodically check the apps installed on it, you can sleep peacefully.


    The same as above applies here, with the difference that malware can easily be picked up in disguise on the web too, and is not just "suggested" by those who want to spy on WhatsApp.

    Keep in mind that falling victim to malware does not mean that your worst enemy can spy on you on WhatsApp but that potentially - even if the ultimate goal of malware is to have access to financial information such as credit card numbers, PINs and so on - someone who does not know you is able to do it.

    This method, too, has an effect close to 0 if you are careful about what you install on your device and if you rely exclusively on the stores offered by your operating system (or at least on reliable publishers).

    WhatsApp Web

    WhatsApp is a service based on a closed source app, which is why we cannot know precisely what are the exact mechanics "hidden" behind WhatsApp web; according to a valid reasoning of RM Nugrahra on Quora, it is plausible that everything centers on a unique token (i.e. a small non-duplicable cookie) obtained upon association through the classic procedure via QR Code.

    It is highly unlikely that anyone has physical access to that cookie and can use it to spy on WhatsApp via the web interface, because

    • the attacker should have physical access to the computer to copy the token and know exactly what it is, which is extremely complicated;
    • the token could not work on other machines.

    In all cases, if you really don't want to take any risks, you can always remove the check mark from "Stay connected" during the association phase - so that token will not be saved at all and the association will be "forgotten" when you close the browser….

    ... or, if you are afraid of having left WhatsApp Web active in one place too many and fear that your conversations are at risk, all you have to do is go, from the app on your phone, to Settings > WhatsApp Web and select "Disconnect from all computers".

    Also, WhatsApp has recently started sending a notification to the phone when WhatsApp Web is active: so you will be notified if you have left your PC on with WhatsApp Web or if someone is trying to sneak into your account.

    Voice mail

    In recent times, unfortunately, a weakness has been discovered in the handling of carriers' voicemail that could lead to unauthorized access to WhatsApp. A sort of "half spying on WhatsApp", since the messages prior to access cannot be viewed. However, it is sufficient to deactivate voicemail to prevent this from happening.

    On the net it is said that you can spy on WhatsApp because it stores information on servers!!!

    Ok, this is a separate discussion and it can be said that it is practically the only one to have a grain of truth but the meaning of such a statement goes far beyond the problem we are facing.

    Recently, the term "spying" has increasingly been used to mean access by government agencies, police and authorities to the data stored on the servers of the services we rely on daily, without obtaining the user's consent.

    The "WhatsApp spying" that the big sites in the sector talk about alludes to exactly this: in some States, unfortunately or fortunately, in order to thwart acts of terrorism, crimes and so on, very often government agencies can access user data stored on servers without the users themselves being aware of it and, in particular in the USA, without the need for a warrant.

    For example, recently the news has spread that since the WhatsApp server stores (obviously) the duration of the calls and the number of the recipient, someone - read “government agencies” - could spy on it. However, this does not necessarily mean that government agencies can read messages in transit since, as we told you before, these travel encrypted between sender, server and recipient.

    This is neither the place nor the context to talk about whether or not such a practice is right; however, the fact is that the service needs a server to function and data in transit inevitably leaves traces of itself; and if legislation allows access to such data by Intelligence or others without the user's prior consent, no one can do anything about it.

    It is however necessary to be aware that, unless you are criminals, terrorists, pedophiles, rapists and other figures with a legal profile that is anything but crystalline, the data belonging to you will in all likelihood remain confined to internal controls, and that your neighbor, your enemy, your partner, your lover and so on will never get hold of it this way.

    If you are afraid that your partner has put a private investigator on your tail because he is terrified that you will betray him, know that he will never have access to the data stored on the WhatsApp servers - we talked about Intelligence and government agencies, not some small-time outfit.

    However, this is not only true for WhatsApp but for any service - even the Internet service provider itself - having to do with your network.

