Hacker News
Show HN: Web client for WhatsApp (filshmedia.net)
50 points by sgehlich on Sept 22, 2012 | 31 comments



I wish Whatsapp would make their system more secure, remove that one-device-at-a-time nonsense and then provide a nice official API and voice chat for it.


And.. just as a reminder. You know that they say that your messages are encrypted on the wire? Well, http://pastebin.com/g9UPuviz ; Or that they are encrypted when stored on the phone? http://forum.xda-developers.com/showthread.php?p=24569917


A great idea indeed! My only concern is privacy. I shudder at the thought of sharing my phone number/IMEI number online.


Actually this is not a real tool that you should use every day. I just created that to clarify and demonstrate the insecure authentication and message transmission methods of WhatsApp.


Still you'd be able to save the number-imei then post on our behalf to Whatsapp.


Rightfully scary ... Why would you eschew the well defined protections of XMPP in the first place? You could still place your "proprietary control characters" inside the Jabber messages.

I'll stay well clear of WhatsApp until they get this fixed!


To reduce round trips and ease of use for the ultimate consumer. A typical whatsapp consumer is decidedly not the geek/hipster hanging out on HN. Out of the 100+ million installs they have, I doubt any more than about 0.1% care about encrypted messages et al. Most of them do care about a large existing user-base (network effect), ease of startup (no registration/login required), ease of connecting to other users (scan phone contact list) etc. All of those things rile up the crowd that gathers here but provide real, tangible value to the ultimate users. That's the reason they have the userbase that they do despite repeated breast-beating by the crowd here about their lax security etc.


Sure, absolutely. But those things are no reason to be lax on security. All those people are going to care if rampant spoofing, account hijacking, etc. starts.

The security holes seem to fit that nasty sweet spot where they are easy enough for someone to do, if they target you, but hard to do on a massive scale (matching IMEI/MAC to ph. no.), so it seems unlikely to me that users will actually experience problems. Unless it gets a reputation with users as hackable, this won't actually affect their success.

aka: how dumb things become wildly successful.

That said, what will affect success, and what is "right" are not always the same thing.


The basic decision to not require account creation (and hence no login/password) is a key design decision that makes the app onboarding experience so pleasant. Now given that as a product requirement, what exactly would you use as encryption key other than information you can glean from the phone itself (IMEI, UDID etc.). These are numbers tied to the hardware and possible but not trivial to spoof (as you pointed out). It seems like a reasonable enough compromise for a great consumer chat app.

Also, for what it's worth, their biggest competitors in the field (viber, kakao etc.) picked up on that successful tactic and also don't require account creation at startup. Wonder if they've found some better ways to provide secure chat.


Why scary? I can login with Gmail on a website too; it's not like your IMEI is public data. And yes, you can also forge gmail's website when you can wiretap a network (ok it's probably hard with https, but on most sites you can), so don't claim you can wiretap the MAC address or IMEI to hack your Whatsapp.


No, it IS scary. First, even if an attacker can wiretap my network, and I assume that at least my ISP and government always can, I want my main means of communication to be secure: I PRETEND HTTPS on mail, Twitter, Facebook and so also on WhatsApp before using it. (Also, with https it's not hard, it must not be possible; if it is, it is a bug.) Second, if you try airodump-ng in a public place you will realize that you don't wiretap a Wi-Fi MAC address, it is screamed in every direction by every device that has Wi-Fi turned on, and note, not associated to an AP, simply turned on. Because this is how the network works, your device keeps yelling "I am /MAC address/ and know these APs, is there anyone near?" So, if a service authenticates me based on a broadcasted value or on an easily retrievable value (I usually don't think that the guy that asked me to make a phone call might obtain some password of mine) I would not call that password-based authentication.


The IMEI can be obtained dialing *#06# on most phones, so anyone that has physical access to your phone once can use it to access your whatsapp account anytime.


which would make WhatsApp about as easy to spoof as SMS. Oh no!


It's public to every app on your phone. Imagine if every app on your phone could listen and log as you entered passwords in your web browser?


Here's a python API that I made but didn't upload till now https://github.com/boukevanderbijl/python-whatsapi


How does WhatsApp deal when you change your SIM card into a new phone? I mean, how does it know it's you on your new phone?


I have tried some of the cases:

1. Re-install whatsapp on the same phone and same SIM: you have to go through the entire setup process again. You're asked for your phone number, whatsapp sends an SMS to that number to confirm. If you had a previous backup of chats, it restores that.

2. Insert SIM into a new phone, without whatsapp previously installed: Same as 1.

3. Change SIM in the same phone and whatsapp previously installed: Nothing changes. Whatsapp runs using your previous number and that is displayed to all the contacts. On re-installing, 1. is repeated.


When you install you make a new password by sending an SMS to your phone to verify that you actually own the number.

If you change a SIM card in a phone it will keep using the same Whatsapp number


I like the use of the word "password". If they would at least implement a password, the whole thing would be a lot more secure.


They should have made the password random, it's saved anyways.
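
The suggestion in the comments above (a random, stored secret instead of a device-derived one), sketched as an added example that is not part of the thread and not WhatsApp's code. The `Registrar` class, the phone number and the IMEI value are hypothetical, constructed for illustration; the SMS step is simulated by returning the code.

```python
import hashlib
import hmac
import secrets


class Registrar:
    """Hypothetical server-side store: phone number -> hashed login secret."""

    def __init__(self):
        self._pending = {}  # phone -> SMS code awaiting confirmation
        self._hashes = {}   # phone -> SHA-256 of the secret issued at confirm()

    def request_code(self, phone):
        # Six-digit code proving ownership of the number (sent by SMS in practice).
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = code
        return code

    def confirm(self, phone, code):
        # A code is consumed on first use, whether or not it matches.
        expected = self._pending.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
            return None
        # The login secret is random: it has no relation to IMEI, MAC or number,
        # so knowing those identifiers gives no way to reproduce it.
        secret = secrets.token_urlsafe(32)
        # Unsalted SHA-256 is adequate only because the secret is high-entropy.
        self._hashes[phone] = hashlib.sha256(secret.encode()).digest()
        return secret  # stored on the device, never typed by the user

    def login(self, phone, presented):
        stored = self._hashes.get(phone)
        digest = hashlib.sha256(presented.encode()).digest()
        return stored is not None and hmac.compare_digest(stored, digest)


PHONE = "+15550100"       # constructed sample number
IMEI = "000000000000000"  # constructed sample identifier

if __name__ == "__main__":
    reg = Registrar()
    secret = reg.confirm(PHONE, reg.request_code(PHONE))
    print(reg.login(PHONE, secret), reg.login(PHONE, IMEI))
```

Re-running the SMS step replaces the stored hash, so a reinstall or a new phone invalidates the secret held by the old device.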


I don't have a smart phone. How can I request an activation code?


Bluestacks, the project bringing Android to desktop and currently on Windows and Mac has Whatsapp. Could try that.

Sort of related, is there any way to get an activation code without a proper mobile number? I know I should try Twilio and other options first, but I did just try Google Voice and it didn't seem to work. I could be wrong though. So might as well try asking.


Thanks! I've activated my number. However I cannot get the IMEI. It has very poor UI. There is no UI for dialing.

Edit: there are apps to download which show your IMEI.


BlueStacks developer here: Glad it worked for you :)


Would love to see Emoji support in there ;)


are you willing to open source that api port?


Look at this if you want an unofficial implementation of the Whatsapp API: https://github.com/tgalal/wazapp


..and here is a JavaScript WhatsApp web client https://github.com/waalt/webclient


The index.htm page crashes in Chrome (Version 21.0.1180.89) with the "Aw, Snap!" error. The issue seems to be the direct manipulation of the ".class" attribute of some object in JS.


Not until the PHP API on Github is back on. They had to remove it due to legal issues.


Well, technically it's still there, just checkout 476bb7a.



