How to yowhatsapp download?

  • Question: How to yowhatsapp download?

    Hello,
    I hope to be able to ask this here. I recently got to know YoWhatsApp from my friends, I tried searching to download it on Google but it has too many different versions I downloaded and most of them are old.
    Any suggestions will be appreciated, thanks.

  • #2
    Originally posted by KelliDavis
    Hello,
    I hope to be able to ask this here. I recently got to know YoWhatsApp from my friends, I tried searching to download it on Google but it has too many different versions I downloaded and most of them are old.
    Any suggestions will be appreciated, thanks.

    I don't know your skillset.
    This answer is for you and for others that may not know about it.

    Generally, getting apps through a central "store" with standards and archives and apps stored for scanning for malware and unauthorized data-mining is safer than downloading apps from a store with fewer or weaker standards or no enforcement.

    Apple's AppStore and GooglePlay both have their own standards and claims for scanning for malware. It is in their interest to maintain a good reputation. If a publisher publishes something harmful, it is possible for an audit trail to expose the abuse, and then cause the maintainer to lose their developer status. (Side-note: just because something is in the GooglePlay store or the Apple AppStore does not mean it is safe.)

    Even with GooglePlay or AppStore, there have been cases where "look-alike" apps have appeared briefly because of name changes, to try to fool people into installing their non-official app for various reasons, often nefarious. Google has cracked down on this before, but variations of look-alike apps continue to appear. When this happens, you can usually find the "Real" app by looking at the number of downloads or reviews, especially when a popular app has 100,000,000 or more downloads, and the look-alikes have fewer than 1,000. Other methods include looking for online discussions and news articles from reputable sites, which have very old dates. The older the citation, the more likely for the citation to be the oldest (original) version of an App.

    Outside of this, users of some stock Android phones, some jailbroken Android phones, and some jailbroken iPhones can "side-load" (sideload) applications (on Android as APK) into their devices outside of the store.

    A huge problem with this is that there is no 3rd-party audit trail to show a history of app packages. Another problem is without standards or enforcement of standards by a third party, there is greater risk for malware, or other questionable or harmful code.

    It is also possible for "accidental" code changes. (scare quotes to imply intended changes with malicious intent, which can't be proven, or genuine mistakes.) For messaging apps, which claim end-to-end encryption, if they are effective, and data is hidden from being data-mined or intercepted by governments, or powerful corporations, then both governments and powerful corporations have an interest in getting data from users. This can include manufacturing competing apps which have built-in weaknesses which governments or large corporations can exploit to make "private" conversations supposedly encrypted, readable by intermediates. (Crypto is very hard. It is very easy to make small mistakes in crypto to break it. Intentional mistakes can easily be indistinguishable from accidental mistakes which weaken security.)

    For those that want to take the path of higher security risks, they can point their favorite search engine to include searches for "sideload" and maybe "jail break" for their phone (iPhone or Android.) If for Android, then also search for "APK" -- a common packaging for Android applications.

    There are many write-ups online for different versions of mobile device OS which can walk you through a process of side-loading and/or jail-breaking your devices so you can side-load an app not found in the AppStore or GooglePlay.

    Next, for act-alike apps which are side-loaded, which claim to support more features, but are not from the service vendor, there are on-going incompatibility issues when the original app/service vendor changes their protocol, or encoding, and your side-loaded app maintainer has to discover what changes were made and then support them.

    Example: https://www.reddit.com/r/YoWhatsapp/...inally_had_to/
    (Users of older YoWhatsApp even YoWhatsApp anti-ban find they can't use it and are banned from use.)

    Next, for some services, accounts are required, and the original app/service owner may choose to BAN your account from using their service if they detect you are not using their approved app.

    So, if you do decide to travel the LESS SECURE path of side-loading apps, how can you find apps less likely to cause you problems?

    Most important is the reputation of the app manufacturer with all apps and applications they make and have made available to users. How long have they had their reputation? Have they ever been found to have included malware? Have they ever been found to have included crypto-currency-mining/background-advertising in their app to get your device to 'pay' for the use of their app by draining your battery and consuming CPU cycles and memory? How responsive have they been to address reported security issues? How do they make money? Who pays them? Why do they want to publish an app outside of GooglePlay or the Apple AppStore?

    If they don't have an excellent reputation, then the rest of these checks are MEANINGLESS:

    * Does the vendor/maintainer publish a URL for their site within the GooglePlay Store or Apple AppStore?
    * Does that URL have a site-name which matches the domain where the side-loaded version can be downloaded? (Pay attention to the domain name in the URL, and look for shenanigans such as 'punycode' domains which may look like the original domain, but not actually match: See https://en.wikipedia.org/wiki/Punycode )
    * Does the domain use DNSSEC? Is it properly configured? ( Example: https://dnssec-analyzer.verisignlabs.com/ and https://dnsviz.net/ )
    * Does the publisher require use of HTTPS (no HTTP) to visit their hosts in their domain(s)?
    * Do they have an archive of past releases with hashes for each? Are these visible through the "Internet Archives" ( https://archive.org/ ) to allow you to see if they have changed hashes on old releases?
    * Do they use GPG/PGP to sign each release using a public key which you can validate with a GPG/PGP "web of trust"?
    * What classes of other security access does their side-loaded app need compared to their GooglePlay or AppStore version?

    Even with all of the above, why are they publishing something to be side-loaded instead of installed from GooglePlay store or the AppStore? Is the reason meaningful? Does it make sense?

    Next, it looks like "YoWhatsApp" appears to be a name for many apps presently published in GooglePlay:
    https://play.google.com/store/search...=apps&hl=en_US

    You could ask your friend which version they installed. Then you could investigate that version for risks.

    A search for sites claiming to have "YoWhatsApp" shows many domains, each claiming to be where users should download it.

    None of these (multiple sources claiming same product name) are good signs for apps with excellent reputations. All are more strongly correlated with piracy and modern piracy is strongly correlated with malware, adware, crypto-currency-mining, etc.

    The original "WhatsApp" appears to be:
    https://play.google.com/store/apps/d...tsapp&hl=en_US

    Asking GooglePlay for any apps published by the same publisher shows:
    https://play.google.com/store/apps/d...d=WhatsApp+Inc.
    (None include any versions of "YoWhatsApp".)

    Details of app:
    https://play.google.com/store/apps/d...tsapp&hl=en_US
    Email address: android-support@whatsapp.com
    Twitter: https://twitter.com/WhatsApp

    So, the official "WhatsApp" app appears to use whatsapp.com and I see no reference to "YoWhatsApp" by the original vendor. This forces the conclusion that any of the "YoWhatsApp" applications are not official variations of "WhatsApp" made by the original vendor.

    It appears the original WhatsApp is owned by Facebook. If true, the app is no safer than Facebook. If you trust Facebook, then maybe it is not so bad. If you don't trust Facebook, maybe "Signal" is a more secure choice?
    https://play.google.com/store/apps/d...rime.securesms


    Looking through Google for sites claiming to be developing variations on YoWhatsApp, it looks like 3 sites float to the top as more likely:

    * yowayousef.com : Creation Date: 2018-06-10T05:44:53Z
    * gbapps.net : Creation Date: 2019-05-03T14:48:53Z
    * gbplus.net : Creation Date: 2019-05-06T02:56:41Z

    There are many more sites which claim to have the APK for download, but most of those appear to have many APK available, not just one.
    These above 3 seem to be dedicated to variations of just this one app.

    Hopefully, all of the above provides you with enough information on how to try to identify which source for this app would be "best" for you.
    Use the suggestions to find which you think is the "real" source for YoWhatsApp and suffer the consequences of installing it if you choose to.



    For me, I would not use these side-loaded APK for YoWhatsApp, or the GooglePlay store "YoWhatsApp" options. I don't see any with good reputations or a large number of downloads reported by a third party (GooglePlay.) There is too much risk in trusting my private data to these. Maybe my risks are different from yours?

    Visit any of the 3 domains claiming to have APK for side-loading, and realize they can claim any number of downloads they want. If they don't have a good reputation, can you trust their claims? If you don't know a person is honest, can you know if any of their claims are true?

    I also would not trust Facebook with my data or an account, or their apps.

    Good luck!
    Last edited by number6; 3 weeks ago.
    6: "Who is Number1?"
    2: "You are number6"
    6: "I am not a number!..."
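
The reply's checklist asks whether the download domain matches the publisher's domain from the store listing, and warns about punycode look-alikes. The following is an added example, not part of the original post: a Python sketch of that comparison. The function names, the small look-alike table and the sample hosts are constructed for illustration, and script detection is approximated from Unicode character names.

```python
import unicodedata

# Constructed, deliberately small table of look-alike characters. The full set
# is far larger (Unicode publishes confusables data); this is only a sample.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u03bf": "o"}

def decode_host(host):
    """Lower-case a hostname and decode punycode (xn--) labels to Unicode."""
    labels = []
    for label in host.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw text, it will not match
        labels.append(label)
    return ".".join(labels)

def scripts(host):
    """Approximate the scripts used, taken from Unicode character names."""
    return sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in host if c.isalpha()})

def within(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_download_host(publisher_domain, download_host):
    """Compare a download host with the domain named in the store listing."""
    domain, host = decode_host(publisher_domain), decode_host(download_host)
    if within(host, domain):
        return ("match", host, scripts(host))
    # Fold known look-alike characters to ASCII and compare again.
    folded = "".join(CONFUSABLES.get(c, c) for c in host)
    if within(folded, domain):
        return ("lookalike", host, scripts(host))
    return ("different", host, scripts(host))

if __name__ == "__main__":
    # Constructed sample: "whatsapp" with Cyrillic U+0430 in place of the
    # first "a", written in its xn-- form.
    fake = "xn--" + "wh\u0430tsapp".encode("punycode").decode("ascii") + ".com"
    for h in ("www.whatsapp.com", fake, "whatsapp.com.example.net"):
        print(h, "->", check_download_host("whatsapp.com", h))
```

A "lookalike" verdict with more than one script in a single label is the punycode case the checklist describes; "different" only says the host is not under the publisher's domain, which is the starting point for the other reputation checks.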
