[est31]

> reverse engineer network requests and write a more raw client

People already have done that. The most famous example is the yowsup [1] python library. The problem with these client implementations is that WhatsApp is banning any numbers that use them [2]. So most recent attempts to use WhatsApp outside of the official clients revolve around using WhatsApp Web somehow. That appears to work better, but even here if you are using it on a long term basis, WhatsApp might ban you.

Ultimately, WhatsApp is a bad host when it comes to using their service outside of the official app. This is really sad for people like me who don't want to install WhatsApp on their phones because it sends too much of my data to Facebook... probably that's precisely why they are so strict, to get all the data because that's all they get (the service is gratis after all). That and spam.

[1]: https://github.com/tgalal/yowsup [2]: http://google.com/search?q=yowsup+name+ban

[octorian]

3rd party implementations, such as that python library, have two fundamental issues (beyond what's mentioned here).

1) They're using outdated versions of the protocols, which they won't be motiviated to fix until those old versions are cut off server-side and their implementation suddenly stops working. 2) They never quite figured out how to correctly handle all the nuances and corner cases of the E2E encryption, so that part of their design is extremely fragile (just look at the issue trackers for all the evidence of this that you need).

On top of all that, the maintainers have basically given up and abandoned the projects... So they're not even being actively maintained.

[est31]

> they won't be motiviated to fix until those old versions are cut off server-side and their implementation suddenly stops working.

I've never used one of these products, so I might be wrong, but as far as I understood it, the way WhatsApp bans your phone number if you use a third party client is done in a way that is permanent? So instead of saying "sorry your version is too old please use a newer one" they say "sorry your version is too old we don't want to see you ever again even if you fix it". It's totally okay to do something like "sorry the version is too old" if it's not your number that's banned but the outdated protocol implementation.

> the maintainers have basically given up and abandoned the projects

Because WhatsApp is sending DMCA requests like crazy [1] and the constant protocol changes make it hard for third party developers. See the opinion by one dev here [2].

If WhatsApp came out with a public statement about supporting third party clients, listing their conditions, it would be really great progress. Matrix, IRC, etc all thrive with different client implementations, even Threema officially tolerates the OpenMittsu third party client. The official communication I've seen by WhatsApp is the opposite.

[1]: https://github.com/github/dmca/blob/332f1896902c4f5780a249c0...

[2]: https://github.com/Enrico204/Whatsapp-Desktop/commit/18ba8a4...

[gsich]

I have used yowsup for some time, bans were not the issue. However there is a keying issue, leading to failed messages. Ultimately I had to switch to some Web API, as the 'official' version hasn't been updated for some time.

[sopooneo]

How can the server component of WhatsApp tell that the client is using the Python library you mention? If that library implements the protocol correctly, shouldn't it be indistinguishable from the official web client to the server?

[est31]

Creating a correct implementation of a protocol is one thing, creating one that is indistinguishable from another implementation another. E.g. for TCP/IP you can find out the OS just from the additional information even though implementations are correct [1]. I guess they are doing something similar. And even if your protocol implementation were perfectly indistinguishable from the other one, usage patterns might reveal differences. E.g. if you have a bot then bots will most likely reply immediately after you issue a command. If you add a constant wait time, it's still distinguishable from humans typing at varying times. Same for uniformly randomly distributed wait times, I'm sure there is a distinction (I'd say it's correlated to message length for example). All of this is visible without looking at the message contents, which are obviously not available to the WhatsApp service.

[1]: https://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting

[thaumasiotes]

Based on your parent comment...

> This is really sad for people like me who don't want to install WhatsApp on their phones because it sends too much of my data to Facebook... probably that's precisely why they are so strict, to get all the data because that's all they get (the service is gratis after all).

When you send a message through WhatsApp, WhatsApp knows you sent the message and who you are.

Since they know who you are, they also know, independently of the request you just sent, whether you're using their official client, and what data they've managed to extract from your phone.

If I get a seemingly-valid message from you despite the fact that I know perfectly well you've never installed my official client, I'm going to conclude you're not using my official client.

[jaimehrubiks]

This was an incredibly interesting topic when pokemon go came out. People started using the reverse engieered protocol to gain information about the map from the pc (instead of the official android app), and Niantic updated the app every now and then with slight protocol changes and complex functions or crypto algorithms so that it was harder for those people to perfectly emulate the client. The protocol worked, but they could detect them sometimes because it was not identical.

I feel that I love this topic. It seems that it is an exciting challenge trying to protect an API to only be used (or at least, detected if not) by the official app. I don't even know if there is even a 'solution' to this problem. Would like to read more about it.

[gsich]

Hardcoded device maybe:

https://github.com/tgalal/yowsup/blob/master/yowsup/env/env_...