Robustness and Practical Feasibility
To underline the advantage of this approach, we periodically analyzed the application binary of the WhatsApp messaging app for any changes to its core functionality. In doing so, we noticed that the application components responsible for managing communication between the app and the WhatsApp backend, and the respective class and method descriptions for retrieving personal user data, have remained mostly unchanged over the last two years. Although WhatsApp has undergone major upgrades and protocol changes in the past few years, particularly with regard to the authentication scheme and transport layer security mechanisms, the app methods we initially identified for tracking user data have so far survived without any changes.
Moreover, we were able to run our monitoring solution against the WhatsApp services from July 2013 to April 2014 without any interruption. Although we monitored personal information of thousands of users for several months — and thus strongly deviated from normal user behaviour — our monitoring efforts were not inhibited in any way.
Although our approach enables monitoring on a permanent basis and provides better scalability than any manual solution so far, the number of targets that can be observed is limited, because some messenger apps restrict the maximum number of contacts. For instance, in the early stages of our experiments, in June 2012, we were able to track more than 4,000 WhatsApp accounts simultaneously using a single monitoring instance. This number was reduced over time to about 250, which still reflects today's limit on concurrent sessions.