WhatsApp account suspended after using unofficial Android app

Hi,

I need to use WhatsApp on my phone but I don’t want to install the app. So I installed it on an Android VM on my PC, and created an account. Then I connected it to my phone using this WhatsApp Web To Go - Mobile Client for WhatsApp We | F-Droid - Free and Open Source Android App Repository. Half a minute later my account was suspended.

Does anyone know if it has to do with the app, or know of a better solution for my issue?

Thanks!

2 Likes

Beeper or another Matrix-Homeserver like tchncs.de that offers a WhatsApp bridge might be more suited.

1 Like

How does this sort of service affect the E2E encryption of WhatsApp?

The server that runs the bridge becomes one of the two ends in “E2EE”.

1 Like

Good to know. So between WhatsApp (the other person’s WhatsApp client?) and the bridge it is E2E encrypted using WhatsApp’s encryption (Signal protocol), it is decrypted by the bridge and then re-encrypted with Matrix’s encryption between the bridge and the Matrix client?

Whether it is encrypted between the bridge and Matrix client depends on the bridge implementation. It might also be unencrypted. But yes, between the bridge and the other person’s WhatsApp client it is the regular E2EE used by WhatsApp.

Now that is the state today. Potentially if WhatsApp would use an encryption method compatible with the protocol used by the bridge (Matrix in this example), then there would be no need for the bridge to have the ability to decrypt. That’s why RFC 9420: The Messaging Layer Security (MLS) Protocol might become interesting, especially if certain regions were to force encryption compatibility by law.

This is my hope (possibly in a few years if the EU forces Apple, Meta, et al. to open up their messaging services). However, based on the little info I have, I doubt that if this were to happen, Meta would switch to Matrix’s encryption, since they already use Signal’s, which seems to be the emerging standard (Signal, WhatsApp, Google RCS, Skype and I believe the not-yet-fully-implemented E2EE chat in Instagram and Facebook all make use of Signal Protocol under the hood; Twitter has expressed an interest in Signal as well).

I’ve been using the WhatsApp Web To Go app for about a year - not heavily, most of the time it’s just not running - and not had any problems. If I understand correctly, it’s just a nice wrapper around WhatsApp’s own web interface, so I don’t see why they should object to it being used on your account. I’m sure they can detect the wrapper somehow rather than the site being accessed in a regular web browser on a PC as they probably intended (just check User-Agent?), but unless they’re just trying to force you to use the proper WhatsApp app, I see no reason they should care. (Even then, wouldn’t they be better just stopping their web interface working if they detect the app, rather than suspending your account? If your account is suspended you aren’t going to be bothering to install their app “properly”.)

If I had to guess I’d suggest running the WhatsApp app on an Android VM on your PC is what raised red flags at their end. As for a better solution - do you have an old mobile you could dedicate to running just the WhatsApp app, instead of using an Android VM on your PC? That’s what I’m doing. The phone with WhatsApp on doesn’t have the SIM with the WhatsApp number in any more either and it doesn’t seem to matter. (I still have that SIM in another phone and can enter any code they text me to prove I control the number, not that this has happened.)

1 Like

Do they store your messages? I think the puppeteer-ing config has a flag for not storing the bridged messages.

End-to-end encryption isn’t affected, but the unencrypted message may be stored for a very brief period of time as it gets bridged.

So it’s affected.

1 Like

The encryption in and of itself isn’t affected directly. The bridge encrypts correctly as expected by a normal WhatsApp client. Though, you don’t have to trust Beeper to host the bridges.

Note that they’re also bridged with End-To-End-Encryption.

I’m not sure I understand: if it’s E2E it means the message is encrypted before it leaves the device, but if it is the bridge that encrypts the message then it’s not E2E.

1 Like

I have a contact who does this with iMessage. Personally, I don’t like it. When I use an encrypted platform with someone I’m trusting the network it’s on and the recipient. Not a middleman they’ve inserted in-between without telling me.

I don’t use WhatsApp, but if I did I would prefer that using an unsecured circumvention would cause you to be removed from the network. Or, at a minimum, some kind of notification to me that messages to you are insecure.

The bridge acts as a WhatsApp client; by design it has to support end-to-end encryption with WhatsApp, as otherwise it cannot actually communicate with anyone on WhatsApp.

From there, another part in the chain of trust is added, that being Matrix-side end-to-end encryption.

Note that when I say it supports E2EE I mean the bridge does E2EE with both WhatsApp (or other) and Matrix, not that the app(s) do the encryption themselves.

1 Like

That’s what I thought, so the problem is that the bridge is a middleman who can read your messages and you have to trust it.
That is not the same as using only WhatsApp and I would not recommend it.

1 Like

In that case, you’re right, which is why Beeper open-sources all their bridges and provides tools for you to easily self-host them.

Again, you have to put a bit of trust in for bridges not hosted by you, but that is the reason why they’re open-source and easily self-hosted.

As I said earlier, the problem is you as the sender are aware of all this. The remote party is not.

The message IS NOT encrypted from end to end.

1 Like

On this note, I would recommend checking their FAQ real quick, as this is not a design decision to undermine encryption. I would assume and hope that once MLS is part of the Matrix spec / existing clients, and things like WhatsApp, iMessage etc. also adopt it, that it’ll become easier for Beeper to get to their goal of full end-to-end encryption for these bridges.

1 Like

WhatsApp is terrible for privacy because it’s owned by Facebook, which collects dozens of your metadata.