With the popularity of smartphones, various mobile social tools have appeared on the market. Among them, social tools that used to focus on sharing pictures and videos have also added mobile chat functions to increase user stickiness and usage time. Among these tools, WhatsApp stands out for being simple and easy to use, and it also provides encryption of chat messages between users.
Two years ago, WhatsApp started to develop comprehensive end-to-end encryption technology and used software provided by the non-profit security organization Open Whisper Systems. The chat application enabled this technology by default in 2014 for plain-text communication between two users, but group chat messages and rich media messages were not fully encrypted. Now WhatsApp has improved its default encryption settings, allowing only senders and recipients to view messages. All current WhatsApp messages will receive end-to-end encryption support. In other words, even if law enforcement agencies forcefully intervene, the company cannot read user information.
Although there have been several information security incidents, WhatsApp is still one of the most popular instant messaging tools. WhatsApp has more than 1.5 billion users and approximately 500 million daily active users, sending more than 100 billion messages every day. The security of WhatsApp benefits from end-to-end encryption, making intercepted messages impossible to decrypt. While this is good news for consumers, it is also bad news for law enforcement agencies. Unless the company agrees to provide a backdoor that allows them to access the suspect's WhatsApp communication records, law enforcement officials will face encryption issues.
So besides using the backdoor and password, are there other options to access the WhatsApp conversation? Currently, we know at least two. The first option is to capture the message database directly from any party's device, and the other option is to use cloud services. WhatsApp does not have its own local cloud service like Telegram. It has only one messaging relay service, and its storage time will not exceed the time required to deliver the message. In other words, any message sent through the WhatsApp server will be deleted immediately (due to end-to-end encryption). It should be noted that WhatsApp accounts cannot be used on multiple devices.
Let's review the WhatsApp recovery and decryption options for Android and iOS and see what new features Elcomsoft eXplorer for WhatsApp (EXWA) has.
Run WhatsApp in Android environment
On Android smartphones, WhatsApp saves the chat database in a sandbox. The database is not included in the ADB backup, and it can be accessed only when the device has root privileges. To access the WhatsApp database on a non-rooted device, the only way is to operate WhatsApp in sideload mode (a flashing mode of Android) and force it to return the original unencrypted database to the host. EXWA can do this, but note that it works only on older Android versions, 4.0 to 6.0.1. If you use this method on Android 7.0 and later versions, it will not work. The reason is that the process is more complicated, but we are still working hard and looking forward to implementing a similar method for the latest Android version. In other words, if you have bought the newest Android phone, you are unlikely to be able to use this method.
WhatsApp can also create independent backups on Android shared storage or SD cards, but these backups are usually encrypted. The name of the encrypted WhatsApp backup file ends with .cryptNN, where NN represents a set of numbers. To decrypt the database, you need the encryption key stored in the WhatsApp sandbox, which brings us back to the root versus non-root situation, because you can only access the sandbox if you have superuser rights. If you are going down that route anyway, I suggest taking the original WhatsApp database out of the application sandbox instead, unless you need the data in that particular backup. The set of numbers in .cryptNN represents the revision of the encryption algorithm used to protect the backup. These are minor changes in the encryption algorithm and do not actually affect security. Although open source code can decrypt these files (reference 1 and reference 2), you still need the encryption key.
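Added example, not part of the original article or of any Elcomsoft tool: a small triage helper that sorts an acquired file listing by the .cryptNN revision described above, so an examiner can see which backups will need the key from the sandbox. The paths and file names in the sample listing are constructed.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Suffix described in the article: ".crypt" followed by digits (the revision).
CRYPT_SUFFIX = re.compile(r"\.crypt(\d+)$", re.IGNORECASE)

def crypt_revision(path):
    """Return NN from a name ending in .cryptNN as an int, or None."""
    match = CRYPT_SUFFIX.search(PurePosixPath(path).name)
    return int(match.group(1)) if match else None

def triage(paths):
    """Split paths into ({revision: [paths]}, [paths without a .cryptNN suffix])."""
    by_revision = defaultdict(list)
    other = []
    for path in paths:
        revision = crypt_revision(path)
        if revision is None:
            other.append(path)
        else:
            by_revision[revision].append(path)
    return dict(by_revision), other

def report(paths):
    """Build one text line per file, encrypted backups first, by revision."""
    by_revision, other = triage(paths)
    lines = []
    for revision in sorted(by_revision):
        for path in sorted(by_revision[revision]):
            lines.append(f"crypt{revision:<3} key required          {path}")
    for path in other:
        lines.append(f"--       not a .cryptNN backup  {path}")
    return lines

# Constructed sample listing of a shared-storage tree (not real evidence).
SAMPLE_LISTING = [
    "/sdcard/WhatsApp/Databases/msgstore.db.crypt12",
    "/sdcard/WhatsApp/Databases/msgstore-2019-03-01.1.db.crypt12",
    "/sdcard/WhatsApp/Databases/old/msgstore.db.crypt8",
    "/sdcard/WhatsApp/Media/WhatsApp Images/IMG-20190301-WA0001.jpg",
    "/sdcard/WhatsApp/Databases/notes.crypt",              # no revision number
    "/sdcard/WhatsApp/Databases/msgstore.db.crypt12.tmp",  # suffix not at the end
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```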
Is it possible to just calculate or generate the encryption key without extracting it? Before we try, first we have to look at the WhatsApp backup on Google Drive. When creating a WhatsApp backup in the app, there are options. You can choose daily, weekly or monthly backup, so when you press the "Backup" button, the program will back up according to your option settings. However, you can also completely disable the backup. It should be noted that the backup will always contain relevant chat information and pictures (video is optional), but not contact information. For the Android version of WhatsApp (and backups on Google Drive), chat history is always encrypted, while media files are not.
New method to decrypt WhatsApp backup
For a long time, EXWA has been able to download WhatsApp backups from Google Drive, but only if you have the user's Google login credentials.
Extract and decrypt Android
When doing WhatsApp backup, we need to use the same method as WhatsApp message generation. For example, the user needs to obtain a security code via SMS (you need to access the phone number to receive it). The only problem is that once the code is generated on the server, WhatsApp will be deactivated on the user's device. Of course, the user can activate it again, but the encryption key we generated can only be used for previously saved backups, not for any future backups.
WhatsApp in iOS
For iOS devices, the easiest way to access WhatsApp sessions is to analyze backups with local iTunes attributes. Although the WhatsApp data in the iOS device backup does not have additional encryption, if a backup password is set, you must enter the password, restore the password or reset the password on the iPhone.
So can iCloud backups be cracked? They are essentially the same because WhatsApp chats and media files are also stored there without any additional encryption. Forensics personnel need to have the user's iCloud credentials (password plus the second verification factor, or authentication token) to download the device backup. Once the WhatsApp backup is downloaded, decrypting it is a matter of course.
Just like the Android environment, WhatsApp in the iOS environment can also be backed up independently, and they are all stored in the iCloud drive. Standalone WhatsApp backups in iCloud Drive are also encrypted, and this protection is similar to backups in Google Drive.
Decrypt WhatsApp backup using Elcomsoft eXplorer tool
Above we learned how to get the encryption key directly from the iPhone, and now we can decrypt the standalone WhatsApp iCloud drive backup without the need for a security code. At this point, the user's WhatsApp installation will be running.
Technically speaking, the encryption key is stored in the keychain. Elcomsoft Phone Breaker can easily access most of the keychain items. Since the WhatsApp encryption key has a higher security level, it can only be obtained through iOS Forensic Toolkit 4.0 with physical keychain extraction. Once you obtain the encryption key and open the WhatsApp backup downloaded from the iCloud drive, you will be prompted to decrypt it. But now you don't need to use the WhatsApp server for authentication (getting the security code); instead you can specify the path to the keychain file extracted using the iOS Forensic Toolkit (keychaindump.xml by default).
The above is the old method; here I will introduce a new method: you only need to jailbreak the iPhone to get the keychain file. This method is crude but has many advantages. First, you will no longer need to obtain a security code via SMS or mobile phone, and WhatsApp will keep running on the user's iPhone. If you cannot access the user's SIM card, this may be the only extraction method available. In addition, the decryption key will work for all past and future backups.
If the device is available, the backup may contain chat history that has been deleted on the device, and you do not need to use an iCloud drive to back up at this time. Although it is sometimes possible to recover deleted records from the SQLite database, this will only be done under special circumstances. Elcomsoft eXplorer is the most powerful WhatsApp recovery and decryption tool on the market. It supports both iOS and Android versions of WhatsApp and decrypts all types of backups.
How to unblock WhatsApp after being blocked?
- The IP address is unstable during operation. The reason for this may be that the IP addresses used for registration and login are different.
- The mobile phone number and email account used for registration have low stability, so register with information that has a high safety factor and stability factor as much as possible.
- Right after registering an account, adding a lot of friends and sending messages to many people.
- Sending information containing advertisements, or sending a large number of links and advertising content.
If your account is blocked, recall whether any of the above points have been violated. Perhaps in the process of using it you accidentally triggered one of the prohibited behaviors. If so, don't worry; there are several solutions below.
Uninstall and reinstall WhatsApp, then appeal
The advantage of using this method is that there is no charge, but there are also drawbacks. Even if you receive a reply from the other party, you cannot reply to it immediately. Another is that the software side will check your behavior. If you really were banned for violating the regulations, it is impossible to lift the ban, so you must be truthful during the appeal process. Many people are willing to use this method, but you should not rush the process. There are several steps to pay attention to:
- Uninstall WhatsApp completely and clean up related cached data.
- Re-download and install the latest version of the software in the application store.
- Re-register with the previously bound number. You may receive a series of prompts during this process; just click "Agree".
- Enter the appeal page and fill in the problems you have encountered in detail. For example: the number is disabled and you can't register for WhatsApp. There have been no malicious or illegal operations before. You can add a screenshot here. Don't forget to write your mobile number and add the country code before the number, otherwise the other party won't know which country you are in.
- Jump to the problem feedback interface, where you can describe your problem in more detail and ensure that you will strictly follow the rules in the future.
- Send the email to the designated mailbox, and then you can wait for the result of the appeal. Generally, you will receive a reply within 24 hours.
Register with a virtual number on the same mobile phone to unblock
- Because all accounts need a mobile phone number to register, if the account is blocked, you can register with a different mobile phone number. However, getting a new phone number means applying for one again, which is a waste of both time and money. Now that there are many virtual numbers on the Internet, you can buy a virtual number and register again. If you want to keep the previous address book information, you can click to allow WhatsApp to access the address book when you register.
- It should be noted that the previous WhatsApp must be completely uninstalled to prevent the new account from being affected.
- The advantage of using this method is that it is safe and convenient, but the disadvantage is that it is not completely free, and it costs money to purchase a virtual account.
Use GB WhatsApp
- With this cracked software, even if your account is blocked, you can still use it as usual. Its advantage is that the cracked version has a variety of interesting emoticons, but the disadvantage is that it works only on Android phones. Apple users cannot use this method, and this method will also leak personal information, so it is not the best solution.