How does Whatsapp Authentication work?

I want to develop a mobile app and use a Whatsapp-like user registration. Now I remember the security problems that were discussed some years ago. Whatsapp used to authenticate users simply by their phone number and IMEI. Now of course this is not really safe, but I don't really know how to do it more securely.

Now I haven't heard anything about Whatsapp authentication problems for a long time, so I guess they have a secure method now. Do you know how Whatsapp does it today?

I'll take a stab at this question.

To my knowledge, Whatsapp still uses your phone number as the primary unique identifier. The first time you log in to Whatsapp you verify the phone number to be your own.

However, the second time Whatsapp provides a secret key at log-in. This helps to avoid some of the attacks services like Telegram have seen, where an SMS can be called and intercepted at any point to access the account (take a look at how their web log-in works).

Indeed, this secret key they provide is your identifier, which is stored securely locally, and it must be used in all subsequent requests. Of course, users switch phones. In such a case, the account must be re-activated via SMS, where a new secret id will be produced, invalidating the previous one.

Hence, an attacker could attempt the SMS-intercept protocol I spoke of by means of re-activation. The problem with this is you'd realize someone is intercepting your traffic immediately, because Whatsapp would be disabled on your own device. Therefore, this could only be successful if you didn't check Whatsapp for a while or were in the midst of an internet outage. Overall, this makes their method secure.

@Srinivas What you have observed is nothing more than Whatsapp storing, on their verification server, that a particular phone number cannot be verified for the next two hours, irrespective of the origin of the request.

EDIT: In response to @Srinivas's comment:

The last part of your answer is absolutely correct. I did a few tests and it works as you said. Thanks. But I am not clear on the 1st time login and 2nd time login.

I apologize for not being thorough. I will attempt to re-explain.

As I see Whatsapp, the initial screen is registration (SMS code request screen) and the 2nd login is verify code (verify SMS code). Can you provide some more info for my understanding please?

What I meant by first-time login is the entire SMS verification process. Hence, I'll divide it up into two segments:

  1. First-time login: The user requests an SMS verification code. They are required to enter the code correctly if from another device, or alternatively have Whatsapp recognize the SIM and complete verification automatically. They are then logged in and have access to their undelivered or backed up messages if it's a previously existing account.

  2. Second-time login: Immediately following this verification process, Whatsapp delivers a secret access token which is stored locally on the device. Thus, any time they open the app and attempt to connect to the server they are required to use this access key. As I explained, if they'd like to re-activate their account on another device, they'll have to complete step 1 again from the new device, which will then generate a new secret key, invalidating the previous one and making it only possible to log in with the new device.

Here's some documentation I found from someone who has created a similar API: github.com/mgp25/Chat-API/wiki/WhatsApp-Registration-Flow. Please provide your valuable input.

I reviewed the documentation and they follow the same pattern precisely. What may have confused you is the initial "code request token". This is simply a key that verifies the validity of the device that is making a request to complete step 1. This ensures the legitimacy of the origin of the user who's attempting to register their device.

Here's how that works:

The user would like to complete step one. Therefore, they send a request token to the server along with their identity (phone number). This is a code that was delivered to the application upon load.

This still isn't sufficient to stop an SMS intercept during step 1. Given that the origin of the request is a legitimate Whatsapp installation, the SMS verification code can give an attacker access to the user's account. However, as I previously noted, this invalidates the previously generated secret key from step 2. Therefore, the user will notice that they've been logged out locally as long as they're actively using Whatsapp and connected to the Internet.

Let me know if there's any more confusion.
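To make the two steps above concrete, here is an added toy server model (example code written for this page, not Whatsapp's or Chat-API's implementation): an SMS code is accepted once, a fresh per-device token is issued and only its hash is stored, so a re-activation from a second device invalidates the first device's token, and a freshly verified number is refused for two hours as noted earlier in the thread. The code lifetime, the hashing and the token format are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 10 * 60            # SMS code lifetime in seconds (assumed value)
VERIFY_LOCKOUT = 2 * 60 * 60  # a number cannot be re-verified for two hours, as the thread notes


class RegistrationServer:
    """Toy model of the two-step flow: an SMS code proves the number once (step 1),
    then a per-device secret token is required on every later connection (step 2)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so a test can advance time
        self.pending = {}           # phone -> (code, expiry) while step 1 is in progress
        self.tokens = {}            # phone -> sha256(token) of the latest device only
        self.locked_until = {}      # phone -> time before which re-verification is refused

    def request_code(self, phone):
        """Step 1a: mint a 6-digit code. Returned here in place of sending an SMS."""
        if self.clock() < self.locked_until.get(phone, 0):
            return None             # number verified recently: refuse, whatever the origin
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (code, self.clock() + CODE_TTL)
        return code

    def verify_code(self, phone, code):
        """Step 1b/2: check the code once, then issue a fresh token for this device.
        Keeping only the newest hash is what logs the previous device out."""
        entry = self.pending.pop(phone, None)   # one attempt per code, right or wrong
        if entry is None or self.clock() > entry[1]:
            return None
        if not hmac.compare_digest(entry[0].encode(), code.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[phone] = hashlib.sha256(token.encode()).hexdigest()
        self.locked_until[phone] = self.clock() + VERIFY_LOCKOUT
        return token

    def authenticate(self, phone, token):
        """Every later connection: only the most recently issued token is accepted."""
        stored = self.tokens.get(phone)
        if stored is None:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(stored, digest)
```

Driving the model with two devices shows the property the answer relies on: after the second device completes step 1, the first device's token is rejected, which is the "logged out" signal the user would notice.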

Nowadays Whatsapp authorizes you to use the app simply by sending your phone a text message. If your phone's SIM card has the same number as you entered, Whatsapp automatically takes the code from the text message and authorizes your phone. If not, you still have to get to the phone that uses that phone number and enter the verification code.
