Recent years have seen a pervasive usage of mobile-based instant messaging apps, which are popularly known as chat apps. On users' mobile devices, chat logs are usually stored encrypted. This paper is concerned with discovering the decryption key of chat-log database files as they are used by popular chat apps like WhatsApp and WeChat. We propose a systematic and generalized information-flow based approach to recovering the decryption key by taking advantage of both static and dynamic analyses. We show that, despite the employed code obfuscation techniques, we can perform the key discovery process on relevant code portions. Furthermore, to the best of our knowledge, we are the first to detail the employed string de-obfuscation, encrypted database file structure, and decryption-key formulation of the latest WhatsApp with crypt12 database. We also demonstrate how our key-extraction techniques can decrypt encrypted WhatsApp and WeChat database files that originate from a target device. Additionally, we show how we can construct a version of WhatsApp or WeChat that simulates the key generation processes of a remote target device, and recover the keys. Lastly, we analyze why our technique can work on widely-popular chat apps, and mention measures that can be adopted by chat-app developers to better protect the privacy of billions of their users.
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
Tel.: +1 703 830 6300
Fax: +1 703 830 2300 firstname.lastname@example.org
(Corporate matters and books only) IOS Press c/o Accucoms US, Inc.
For North America Sales and Customer Service
West Point Commons
Lansdale PA 19446
Tel.: +1 866 855 8967
Fax: +1 215 660 5042 email@example.com