FYI: Whatsapp support and rooted phones

Hi everybody,

I’m having an issue with Rich Previews on Whatsapp and since Github staff pointed me to Whatsapp Support, I thought, “hey, they make money with my data, I might as well make the most of my ‘subscription’ and politely ask for help.”

Although their legal info doesn’t contain any section that would forbid me from rooting my phone, they refused to give me support in an automated e-mail (see below in German). They are basically saying, “we understand that you like to have a rooted phone, but we won’t help you with your issue. Go, unroot your phone, and come back.”

I thought I’d share this with you in case anyone with a rooted phone was playing with the unreasonable thought to contact Whatsapp support. :wink:

Have a nice weekend!
Stefan

@Stefan pro tip: Use Signal instead :wink:

EDIT: Or Kontalk, or Riot, or Kik*, or KakaoTalk*, or WeChat*, or Zom, or XMPP, or or or…
*not secure

Also interesting that chats are marked with “your conversation is end-to-end encrypted”. So support and app are not in sync.
But true, just use a reasonable app, like Signal or Wire.

To be fair, when you set up WhatsApp on a rooted phone, they show you a message with exactly that warning (“we don’t support custom ROMs”). They should have a notice in their legal info, sure. Poorly done, WhatsApp!

AFAIK, he used Kontalk, at least some time ago, right? I guess social needs forced him to use WhatsApp again… (I’m still trying to escape them! >.< )

Guess you are talking about this fragment (translated):

The WhatsApp security model does not work as intended on rooted devices and your messages are not backed up with end-to-end encryption.

I think it is a support slip-up. I guess they try to say that your messages won’t be protected on your end (i.e. your phone) because any app with root access could read the plain-text WhatsApp database(s) directly. A rooted Android basically ruins the Android security model, so you must be careful (i.e. use open source software and know what you do when giving root access). Their E2EE only works in transit, and it doesn’t matter whether you have a pristine or rooted phone. But anyway, WhatsApp backs up your message history unencrypted to Google and the anti-feature is enabled by default so, even if you don’t have a Gobble account or use microG, your contacts probably will, and it effectively defeats the purpose of end-to-end encryption, :man_facepalming:.

@stefan If I can help with something web-developer-related, you already know you can just ping me, :slight_smile:

Edit: Ooooh, I revived a 3 months old post! Sorry. Discourse plays with my mind in very weird ways… not the first time, :roll_eyes: Well, I’ll just leave it here because I think unencrypted backups on WhatsApp are relevant.

1 Like

Thank you for your support! I’ve contacted them via e-mail (see Github forum) now.

The problem is that Rich Previews work for other apps (e.g. Telegram), but not for WhatsApp. They were working for some time, but when I switched to https for our custom domain they stopped working again. It’s surely an issue on WhatsApp’s side and I’m not very hopeful that it will be solved.

1 Like

I’ve been trying some URLs of mine, monitoring the log of my own server, and it appears that the WhatsApp client still makes the connections required for link previews itself.

In my FP2, your github.io link gets the correct image and description, with and without HTTPS, as well as the new domain, also with and without HTTPS. If you are testing on your FP1, I can only guess two things that could be causing that:

  1. Your Android version is no longer security-supported —I know you are aware— which implies the OpenSSL library on your phone is obsolete too. It has some security holes in it and servers may refuse secure connections to it (SSL Handshake Failure), depending on ciphers and stuff. If the HTTP connection is upgraded, and an SSL handshake fails, then probably the WhatsApp client fails silently. I can confirm Telegram does not make the connections on-device (it connects to an intermediary service of theirs, with user agent TelegramBot (like TwitterBot)). I don’t know about other apps.
  2. Your WhatsApp cached a wrong or null image and description for that link and it doesn’t reload them for some reason. This is not likely, though. I don’t observe any caching method in my monitoring, but in my experience, caching is the source of a lot of problems and it sometimes doesn’t have an unambiguous behaviour, so :man_shrugging:.
1 Like

Yeah, I was suspecting something like (1), but you, of course, go into much more detail. :slight_smile: On the other hand, my friend, who has a pretty new Samsung, also doesn’t get the Rich Preview… :confused:

At least it works on your FP2, so the website works correctly. :slight_smile:

1 Like

Then it’s clearly not the fault of an obsolete OpenSSL, :worried:

Yeah, those are the good news. I’ve looked at the code and you did quite a great job there. Microdata is a complex matter (each platform has its own non-standard method, pfff), but if you need to do this again I’d recommend using Silo Buster or the jekyll-seo-tag for Jekyll sites (it’s whitelisted in GitHub Pages).

1 Like

Thanks. :slight_smile:

Yep, it wasn’t enough customization for my likes… :grin:

Edit: @Roboe

This post at the Github forum kinda supports your theory:

1 Like

If you take a look at https://www.ssllabs.com/ssltest/analyze.html?d=github.io&s=185.199.109.153&latest, you will see that the server correctly does an SSL handshake with Android 4.4 and later but has a protocol mismatch with Jelly Bean (click the button to expand).
The server does not offer TLS 1.0 anymore - it appears some web sites have recently started to move away from that version, even though it is not yet considered insecure as far as I know.

2 Likes
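The protocol mismatch described in the post above comes down to TLS version negotiation: a client whose ClientHello announces TLS 1.0 as its highest version gets a `protocol_version` alert from a server whose minimum is TLS 1.2, and the link-preview fetch dies with it. The following is an added model of that exchange, not code from WhatsApp, GitHub Pages or the forum; it builds and parses a minimal ClientHello record (legacy_version plus the `supported_versions` extension, type 43, when TLS 1.3 is offered) and applies the server's version policy. The server range and the cipher suite are constructed for the example, and the Jelly Bean client is modelled as offering TLS 1.0 only.

```python
"""Model of TLS version negotiation (added example, not WhatsApp code):
why a server that dropped TLS 1.0 refuses an old Android client."""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}
ALERT_PROTOCOL_VERSION = 70      # TLS alert description "protocol_version"
EXT_SUPPORTED_VERSIONS = 43      # extension type from RFC 8446


def build_client_hello(offered):
    """Build a minimal ClientHello record offering the given versions.
    legacy_version carries the highest pre-1.3 version; TLS 1.3 is only
    announced through the supported_versions extension (RFC 8446 4.2.1)."""
    offered = sorted(set(offered), reverse=True)
    legacy = min(max(offered), TLS12)
    body = struct.pack("!H", legacy)
    body += bytes(32)                                  # random (zeros: constructed)
    body += b"\x00"                                    # session id: empty
    body += struct.pack("!H", 2) + b"\x00\x2f"         # one cipher suite (constructed)
    body += b"\x01\x00"                                # compression methods: null only
    ext = b""
    if any(v >= TLS13 for v in offered):
        versions = b"".join(struct.pack("!H", v) for v in offered)
        ext_body = bytes([len(versions)]) + versions
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    # record layer: content type handshake (0x16), record version TLS 1.0 for compatibility
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (legacy_version, list of versions the client will accept)."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    assert ctype == 0x16 and rec_len == len(record) - 5, "not a handshake record"
    hs = record[5:]
    assert hs[0] == 0x01, "not a ClientHello"
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                       # skip legacy_version and random
    pos += 1 + body[pos]                               # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                  # skip cipher suites
    pos += 1 + body[pos]                               # skip compression methods
    offered = None
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS:
                n = body[pos]
                offered = [struct.unpack("!H", body[pos + 1 + i:pos + 3 + i])[0]
                           for i in range(0, n, 2)]
            pos += elen
    if offered is None:
        # pre-1.3 semantics: legacy_version is the highest the client accepts,
        # and the server may pick any lower version it still supports
        offered = [v for v in NAMES if v <= legacy]
    return legacy, offered


def server_negotiate(record, server_min, server_max):
    """Server side: pick the highest mutually supported version, or return
    the alert the server sends when there is none."""
    _, offered = parse_client_hello(record)
    common = [v for v in offered if server_min <= v <= server_max]
    if not common:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("server_hello", max(common))


if __name__ == "__main__":
    # constructed server policy: TLS 1.0 switched off, as the post observes for github.io
    policy = (TLS12, TLS13)
    for label, versions in [("Jelly Bean (TLS 1.0 only)", [TLS10]),
                            ("KitKat (up to TLS 1.2)", [TLS10, TLS11, TLS12]),
                            ("modern client", [TLS12, TLS13])]:
        kind, value = server_negotiate(build_client_hello(versions), *policy)
        shown = NAMES[value] if kind == "server_hello" else f"alert {value}"
        print(f"{label:28} -> {kind} {shown}")
```

A ServerHello never arrives in the first case, which is exactly the silent failure the earlier post guessed at: an HTTP client that treats a handshake alert as "no preview" shows nothing rather than an error. Checking a server's accepted versions with a current client (SSL Labs, or `openssl s_client` with an explicit version) is the defender's side of the same test.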

It could well be that the alpha kitkat on my phone does not include the latest SSL protocol patches of Android 4.4.

Clever finding, but it doesn’t explain why an up-to-date Samsung fails too. A protocol downgrade for what reason? :confused:

Well, there’s an official recommendation to do so:

Source: Transport Layer Security - Wikipedia

2 Likes
