Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
WhatsApp Blocking Encrypted Calls to All Saudi Numbers
Suppose I have a friend named Alice. Alice has registered to WhatsApp with a
Saudi number but resides in Europe. We chat over WhatsApp regularly. We are both
using the latest version of WhatsApp for Android (2.16.155).
However, Alice is unable to receive or initiate WhatsApp calls, even though she
is in Europe and is using European WiFi. If you can test this, I suggest you do.
Get a Saudi phone number, register to WhatsApp, and then fly to France and make
a call. You will encounter the same result even if you're on French WiFi.
WhatsApp claims that "the Saudis are blocking the initial handshake [for
encrypted calls]" and that this is why encrypted calls are dropped. However, I
insist that WhatsApp is dropping all encrypted calls made by, or received by any
WhatsApp user that registers with a Saudi number, regardless of whether they are
connecting from Saudi Arabia, the United States via WiFi, or Tahiti.
Here is what initially led me to call this claim into question:
Reason 1: The call-prohibiting screen [0] is obtained even when Alice is in
Europe and using European WiFi. How can "Saudi firewalls" affect her phone then
and "drop the initial handshake?"
Reason 2: How could Saudi firewalls distinguish an initial encrypted call
handshake from a regular Signal protocol handshake if both handshakes are
transported over the same Noise-encrypted transport layer? Are they
man-in-the-middling the transport layer? How is this accomplished in a way that
bypasses static server authentication on behalf of WhatsApp clients?
This explanation doesn't make sense even in that respect. Since WhatsApp
messages and encrypted phone calls are both initiated and carried over Noise
pipes, they are indistinguishable to an active attacker (such as a Saudi telco
agency.) WhatsApp knows this, and I strongly suspect they chose to block calls
in their apps so that the Saudi government wouldn't blanket-block regular
WhatsApp messages as well by dropping all Noise pipe key exchanges: the only way
the Saudi government could have stopped encrypted calls is by also dropping
encrypted WhatsApp messages, and WhatsApp is dropping calls made from/to Saudi
numbers in order to save their text messaging business.
To put it simply: because of the way WhatsApp clients communicate with
WhatsApp servers, I find it impossible to believe that the Saudi government
could drop phone calls and not messages, especially at the key exchange level
(which occurs bundled atop a regular Signal session!) This makes me suspect that
the WhatsApp client itself is dropping calls if the caller/callee is registered
with a +966 number.
I then decided to decompile the APK binary of the latest WhatsApp release
(again, version 2.16.155). I found evidence that strongly supports my assertion
that WhatsApp is blocking encrypted calls purely based on the country code of
the registered phone number and without any attempt to even connect the call in
the first place, thereby not even giving the Saudi telcoms a chance to "drop the
initial handshake":
1. In `res/values/public.xml`, we find the string `%s is in a country where
WhatsApp Calling is unavailable.`, which is the UI string I presented in [0].
The string is referenced with the identifier `0x7f070612`. [1]
2. This identifier, `0x7f070612`, pops up in
`com/whatsapp/VoipNotAllowedActivity.java`, which references it in a code block
that can be triggered programatically to render [0]. [2]
3. The function triggered in [2], `VoipNotAllowedActivity`, can be seen called
by a central call provisioning method in `com/whatsapp/App.java` [3]. This
central provisioning function first calls a series of functions which determine
whether the call recipient has registered with a phone number that is capable of
receiving encrypted phone calls.
I strongly urge that WhatsApp stop blocking encrypted phone calls based on phone
number and allow Saudis to communicate safely. At the very least, WhatsApp should
allow users with Saudi numbers to make calls when using data and WiFi networks
that are outside Saudi jurisdiction. However the only true solution that respects
the human rights of Saudi users is to give them encrypted calls no matter the
consequences, instead of downgrading them to using regular Saudi phone lines,
which are tapped by a religious dictatorship.
As it stands, WhatsApp is banning an entire nationality of people from
encrypted calls, regardless of where they are in the world or the technical
ability of their networks. Seeing thousands of people as the side-effect of a
"UX edge-case" is sick and degrading.
Addendum: WhatsApp's claim of Saudis "dropping the initial handshake"
is contradicted by their own website. [4]
Update (14 July, 2016): There are allegations that WhatsApp cannot allow Saudi
users to make calls when outside Saudi Arabia without tracking their location.
This is completely false. The WhatsApp client is perfectly able to determine
a user's location without querying a WhatsApp server, keep that information
private, and use it to allow a call to go through. Locations can be determined
via GPS queries but also via far simpler methods such as IP address space
queries.
References and media:
[0] http://i.imgur.com/rQu9Ocf.jpg
[1] http://i.imgur.com/bOfMIPD.png
[2] http://i.imgur.com/d6NdoGO.png
[3] http://i.imgur.com/i1R6Mu7.png
[4] https://www.whatsapp.com/faq/en/general/28030008

In link [4] you provided, they mention:

not available in some countries due to local regulations

but they don't mention who is doing the blocking.

Owner

kaepora commented Jul 13, 2016

@RaedsLab Good point. I think they should, and I think they should specify a list of countries they're blocking calls to/from based on phone number.

Saudi isn't the only country that's blocked. United Arab Emirates (UAE) also is.

Ali492 commented Jul 14, 2016

Not only Whatsapp is block ,Facebook Facetime Skype all drop video or voice chat and just last week Snapchat !

mva1985 commented Jul 14, 2016

would an earlier version of whatsapp still work? with encryption capabilities still available

baselkhateeb commented Aug 8, 2016

I couldn't agree more with your theory, as whatsapp calls are still blocked when using VPN in Saudi Arabia, and that way, the only way to block calls is obviously the phone number and since the VPN connection is encrypted, Saudi Telecos can't spy nor stop the call, the only one who can is Whatsapp it self!

I have a question for you though,, was the code you discovered to block the call in specific countries a client side only? what I mean if this was modified on the client, will the calls functionality work in France on a Saudi number?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment