
How does Whatsapp authentication work?

Updated: 2022-10-24 20:28:56


I want to develop a mobile app and use a Whatsapp-like user registration. Now I remember the security problems that were discussed some years ago. Whatsapp used to authenticate users simply by their phone number and IMEI. Now of course this is not really safe, but I don't really know how to do it more securely.

Now I haven't heard anything about Whatsapp authentication problems for a long time, so I guess they have a secure method now. Do you know how Whatsapp does it today?

I'll take a stab at this question.

To my knowledge, Whatsapp still uses your phone number as the primary unique identifier. The first time you log-in to Whatsapp you verify the phone number to be your own.

However, the second time Whatsapp provides a secret key at log-in. This helps to avoid some of the attacks services like Telegram have seen, where an SMS can be called and intercepted at any point to access the account (take a look at how their web log-in works).

Indeed, this secret key they provide is your identifier, which is stored securely locally, and it must be used in all subsequent requests. Of course, users switch phones. In such a case, the account must be re-activated via SMS, where a new secret ID will be produced, invalidating the previous one.

Hence, an attacker could attempt the SMS-intercept protocol I spoke of by means of re-activation. The problem with this is you'd realize someone is intercepting your traffic immediately because Whatsapp would be disabled on your own device. Therefore, this could only be successful if you didn't check Whatsapp for a while or were in the midst of an internet outage. Overall, this makes their method secure.

@Srinivas What you have observed is nothing more than Whatsapp storing that a particular phone number cannot be verified for the next two hours, irrespective of the origin of request, on their verification server.


EDIT: In response to @Srinivas's comment:

The last part of your answer is absolutely correct. I did a few tests and it works as you said. Thanks. But I am not clear on the 1st time login and 2nd time login.

I apologize for not being thorough. I will attempt to re-explain.

As I see Whatsapp, the initial screen is registration (SMS code request screen) and the 2nd login is verify code (verify SMS code). Can you provide some more info for my understanding please?

What I meant by first time login is the entire SMS verification process. Hence, I'll divide it up in two segments:

  1. First-time login: The user requests an SMS verification code. They are required to enter the code correctly if from another device, or alternatively have Whatsapp recognize the SIM and complete verification automatically. They are then logged in and have access to their undelivered or backed up messages if it's a previously existing account.

  2. Second-time login: Immediately following this verification process Whatsapp delivers a secret access token which is stored locally on the device. Thus, any time they open the app and attempt to connect to the server they are required to use this access key. As I explained, if they'd like to re-activate their account on another device, they'll have to complete step 1 again from the new device, which will then generate a new secret key--invalidating the previous one and making it only possible to login with the new device.

Here's some documentation I found from someone who has created a similar API: github.com/mgp25/Chat-API/wiki/WhatsApp-Registration-Flow. Please provide your valuable input.

I reviewed the documentation and they follow the same pattern precisely. What may have confused you is the initial "code request token". This is simply a key that verifies the validity of the device that is making a request to complete step 1. This ensures the legitimacy of the origin of the user who's attempting to register their device.

Here's how that works:

The user would like to complete step one. Therefore, they send a request token to the server along with their identity (phone number). This is a code that was delivered upon load to the application.

This still isn't sufficient to stop an SMS intercept during step 1. Given that the origin of the request is a legitimate Whatsapp installation, the SMS verification code can give an attacker access to the user's account. However, as I previously noted, this invalidates the previously generated secret key from step 2. Therefore, the user will notice that they've been logged out locally, as long as they're actively using Whatsapp and connected to the Internet.

Let me know if there's any more confusion.
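The two-step flow described in the answer (steps 1 and 2 above, plus the two-hour lockout mentioned in reply to @Srinivas), modelled as a small server-side module. This is an added example, not WhatsApp's code and not taken from the Chat-API wiki linked above. Details the thread does not specify are assumptions: a six-digit code valid for five minutes, a lockout triggered by three wrong codes, codes and tokens stored only as hashes, and an injected SMS sender and clock so that it runs offline. The phone numbers in the demo functions are constructed.

```python
"""Toy model of phone-number registration with device-bound access tokens.
Added illustration only, not WhatsApp's code; assumptions are marked."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_TTL = 300          # assumed: a code is accepted for five minutes
LOCKOUT = 2 * 3600     # the "next two hours" window the answer describes
MAX_ATTEMPTS = 3       # assumed: wrong codes before the number is locked


def _h(s: str) -> bytes:
    """Store only hashes of codes and tokens, never the secrets themselves."""
    return hashlib.sha256(s.encode()).digest()


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class RegistrationServer:
    def __init__(self, send_sms: Callable[[str, str], None], now=time.time):
        self.send_sms = send_sms   # injected SMS gateway (captured in the demos)
        self.now = now             # injected clock so the lockout can be simulated
        self.token_hash: Dict[str, bytes] = {}     # phone -> hash of its one live token
        self.pending: Dict[str, PendingCode] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, phone: str) -> bool:
        return self.now() < self.locked_until.get(phone, 0.0)

    def request_code(self, phone: str) -> None:
        """Step 1a: the client asks for an SMS code for its phone number."""
        if self.is_locked(phone):
            raise PermissionError("number temporarily locked")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = PendingCode(_h(code), self.now() + OTP_TTL)
        self.send_sms(phone, code)

    def verify_code(self, phone: str, code: str) -> str:
        """Step 1b: check the code and issue a fresh device token."""
        p = self.pending.get(phone)
        if p is None or self.now() > p.expires_at:
            self.pending.pop(phone, None)
            raise PermissionError("no valid code outstanding")
        if not hmac.compare_digest(p.code_hash, _h(code)):
            p.attempts += 1
            if p.attempts >= MAX_ATTEMPTS:    # assumed lockout trigger
                del self.pending[phone]
                self.locked_until[phone] = self.now() + LOCKOUT
            raise PermissionError("wrong code")
        del self.pending[phone]
        token = secrets.token_urlsafe(32)
        # Overwrites any earlier token: re-activating from a second device
        # logs the first device out, which is the user's cue that something is wrong.
        self.token_hash[phone] = _h(token)
        return token

    def authenticate(self, phone: str, token: str) -> bool:
        """Step 2: every later connection must present the device token."""
        stored = self.token_hash.get(phone)
        return stored is not None and hmac.compare_digest(stored, _h(token))


def takeover_demo() -> Dict[str, bool]:
    """Attacker re-activates with an intercepted code; the victim's token dies."""
    inbox: Dict[str, str] = {}
    srv = RegistrationServer(send_sms=lambda p, c: inbox.__setitem__(p, c))
    phone = "+15550100"                          # constructed sample number
    srv.request_code(phone)
    victim_token = srv.verify_code(phone, inbox[phone])      # victim's phone
    ok_before = srv.authenticate(phone, victim_token)
    srv.request_code(phone)                      # attacker's re-activation
    attacker_token = srv.verify_code(phone, inbox[phone])    # intercepted SMS
    return {"victim_ok_before": ok_before,
            "victim_ok_after": srv.authenticate(phone, victim_token),
            "attacker_ok": srv.authenticate(phone, attacker_token)}


def lockout_demo() -> Dict[str, bool]:
    """Too many wrong codes lock the number for LOCKOUT seconds for everyone."""
    clock = [1_000_000.0]
    inbox: Dict[str, str] = {}
    srv = RegistrationServer(send_sms=lambda p, c: inbox.__setitem__(p, c),
                             now=lambda: clock[0])
    phone = "+15550199"                          # constructed sample number
    srv.request_code(phone)
    wrong = "000000" if inbox[phone] != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        try:
            srv.verify_code(phone, wrong)
        except PermissionError:
            pass
    locked = srv.is_locked(phone)
    clock[0] += LOCKOUT + 1                      # simulate waiting two hours
    return {"locked": locked, "reopened": not srv.is_locked(phone)}
```

`takeover_demo()` reproduces the scenario the answer calls the tell-tale sign: after the attacker's re-activation the victim's stored token is rejected, so an actively connected victim sees themselves logged out. `lockout_demo()` shows the verification server refusing the number for the full window regardless of which device asks. A real deployment would also bind the token to a transport-level identity (the Chat-API wiki's "code request token" plays a related role for the requesting installation), but that is outside what this thread describes.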