A look at WeChat security

Author: Roberto Paleari (@rpaleari)

TL;DR: Any (unprivileged) application installed on an Android phone can instruct WeChat to send an hash of your password to an external, attacker-controlled server. If you are a WeChat user, it is probably worth reading the rest of this post :-)


Nowadays, instant messaging (IM) has become one of the main applications of mobile phones, with plenty of "apps" available and literally billions of messages exchanged every day. With the widespread diffusion of mobile Internet traffic plans, IM applications are rapidly replacing other forms of mobile communication, such as text messages and, in some situations, even e-mails.

As conversations are rapidly converging to IM applications, it is natural to start asking how secure this communication channel actually is, and if users can really trust IM apps and their back-end infrastructure. We decided to pick one of these applications and look "under the hood", in order to see how the developers tried to ensure the confidentiality of in-transit communications.

After a quick survey of available IM applications, we decided to start with WeChat, a popular mobile IM platform developed by the China-based Tencent company. The choice of this specific application was quite arbitrary and mainly based on the fact that, in this period, WeChat is publicized a lot on the Italian TV.

WeChat is a feature-rich and sophisticated mobile application, which allows users to communicate via text messages, voice calls, to share photos and videos, and much more. The app is available for several mobile platforms, but we focused on the Android version only: according to Google Play, WeChat for Android alone has more than 50 million downloads. Most of the issues discussed in this post should affect Android versions of WeChat up to 4.5.1. On August 5th, 2013, Tencent released version 5.0, which introduced some major changes; we still have to analyze this version in detail.

A glimpse at the network traffic

The most obvious and easy thing to start with was an analysis of the network traffic generated by the application during normal usage. At this aim, we instructed our Android emulator to save all network traffic to file, we installed WeChat, we logged in and sent a couple of text messages. Part of the traffic generated by WeChat is shown below.

As can be seen from the figure, most of the traffic travels on TCP port 8080, typically reserved for HTTP connections (previous versions of WeChat were using the standard HTTPS port, tcp/443). However, at a first sight, the payload of these packets looks quite strange; indeed, Wireshark is not even able to dissect the HTTP payload.

Looking more closely, we noticed WeChat developers implemented a custom communication protocol: we were able to recognize an initial packet header, right at the beginning of the payload, that confirms these are actually not HTTP/HTTPS sessions. More precisely, we identified the following header fields:
  • Packet length (4 bytes)
  • Header length (2 bytes, always equal to 0x0010)
  • Protocol version (2 bytes, always equal to 0x0001)
  • Opcode (4 bytes, specifies the actual command encapsulated in this packet)
  • Sequence number (4 bytes)

This initial header is followed by an opcode-dependent message body, usually in encrypted form. Briefly, the first message is encrypted by the application using RSA, with an hard-coded public key; next messages are encrypted in AES. In WeChat versions up to 4.3.5 we identified several vulnerabilities which allow an attacker who can intercept the traffic to quickly decrypt the message body, thus being able to access the messages sent and received by the user. More recent versions seems to be immune to these attacks, but we still have to perform a more in-depth analysis of the encryption scheme implemented in the latest WeChat releases.


Here we come to the interesting part :-) WeChat includes an undocumented debugging infrastructure, probably used by developers for testing purposes. However, this infrastructure can also be abused by attackers to steal sensitive information concerning a WeChat user account.

In detail, WeChat reads debug settings from an Android ContentProvider, identified by URI "com.tencent.mm.coolassist.debugprovider/config". This ContentProvider is used by the application as a centralized source of debug configuration parameters, and can be employed to specify which debug messages should be logged to the Android console (adb logcat), to save log messages to the sdcard, and even configure a remote logger.

From a security perspective, the remote logging feature is surely the most interesting one. By exploiting this functionality, an attacker can develop a malicious application which exposes the aforementioned ContentProvider and, through specially-crafted debug settings, makes WeChat to send logs to an external, attacker-controlled, server. Such a malicious application would not require any special Android permission.

It is worth considering that logged messages disclose sensitive information about the users, including the user ID, password hash and other details. As an example, here is an excerpt from a remote log session:

09-09 14:32:51 594 V/MicroMsg.MMBuiltInIP <-- data-blogger-escaped-br="" data-blogger-escaped-dump="" data-blogger-escaped-end="" data-blogger-escaped-mmbuiltinip=""> 09-09 14:32:51 626 D/MicroMsg.AccInfo update session info: session=, uin=-1893467821
09-09 14:32:51 635 I/MicroMsg.AutoAuth sending remote request, network.active=false
09-09 14:32:51 666 I/MicroMsg.AutoAuth.SceneInfoQueue inQueue: netid=0
09-09 14:32:51 691 V/MicroMsg.SDK.SyncTask sync task done, return=0, cost=56(wait=0, run=56)
09-09 14:32:51 783 V/MicroMsg.NetStatWatchDog dkreport status:9999002 nowCount:1 ret:1
09-09 14:32:51 810 D/MicroMsg.AutoAuth account info updated:AccInfo:
|-uin =-1893467821
|-user =ukcd_ao03gex3y2731v
|-session =
|-pass =5f4dcc3b5aa765d61d8327deb882cf99
|-pass2 =5f4dcc3b5aa765d61d8327deb882cf99
`-cookie =(null)
09-09 14:32:51 885 D/MicroMsg.NetStatWatchDog item.toByteArray() :433
09-09 14:32:52 101 D/MicroMsg.GYNet encoding, type=380, key=, time=284
09-09 14:32:52 108 I/MicroMsg.GYNet sendImp reqData.len:866
09-09 14:32:52 114 D/MicroMsg.NetStatusUtil activeNetInfo extra=internet, type=0

As can be seen from these logs, the application forwards to the remote server the user name (ukcd_ao03gex3y2731v), another user identifier (uin, with value -1893467821), and even the user's password hash (5f4dcc3b5aa765d61d8327deb882cf99). It should be noted the hash value is a plain MD5 of the user's password, sent to the server for the authentication. Obviously some parameters in the above logs have been edited to prevent readers from hacking our account but, yes, 5f4dcc3b5aa765d61d8327deb882cf99 is the MD5 for string "password" and this was really our account's password :-)

The next section details the communication protocol used by WeChat to interact with the remote log server.

Remote logging protocol

Remote logging can be enabled by configuring the following debug keys:
  • .com.tencent.mm.debug.log.level = 0
  • .com.tencent.mm.debug.log.mmlog.url.mm.log = <ip1>:<port1>
  • .com.tencent.mm.debug.log.mmlog.url.push.log = <ip2>:<port2>
The first key defines the log level ("0" simply means to log everything), while others are used to set the log server address for the two main WeChat application modules (mm and push).

WeChat developers implemented a trivial key derivation scheme to allow the application and the remote log server to agree on an encryption key to cipher debug logs. In a nutshell, the app reads three ASCII lines from the server and uses these lines to derive a DES key. Before transmitting debug messages, the application encrypts them in DES/ECB using this key.

The key generation function is implemented by the following Python code snippet. Function generatekey() receives in input the three lines sent by the server and returns the corresponding DES key.

import hashlib

def mangle(data):
    charset = "0123456789abcdef"
    r = ""
    for c in hashlib.md5(data).digest():
        r += charset[(ord(c) >> 4) & 0xf]
        r += charset[ord(c) & 0xf]
    return r

def generatekey(line0, line1, line2):

    seed = line1[2:]
    seed += str(int(line2[2:]))
    seed += "dfdhgc"
    key = mangle(seed)[7:21]
    return key

We also implemented a buggy "quick & dirty" Python script that listens for incoming connections, sends out three ASCII lines, computes the key and deciphers incoming messages. The script is available here.

As a final note, we would like to point out that the ".com.tencent.mm.debug.log.mmlog.url.* " configuration keys are not supported by the latest version of WeChat (5.0). However, this version still queries the ContentProvider for debug settings and part of the logging functionalities have been moved to a dedicated JNI library. We plan to investigate these new features in the future, so at the moment we cannot exclude that the remote logging mechanism has simply been moved elsewhere.

Local database encryption

WeChat locally stores application data in an encrypted SQLite database named "EnMicroMsg.db". This database is located in the "MicroMsg" subfolder inside the application's data directory (typically something like "/data/data/com.tencent.mm").

The database is encrypted using SQLCipher, an open source extension for SQLite that provides full database encryption. The encryption password is derived from the "uin" parameter (see previous sections) combined with the device identifier through a custom function. More precisely, the key generation function leverages the mangle() function shown in the previous Python snippet. The actual database encryption key can be generated through the following pseudo-code:

password = mangle(deviceid + uin)[:7]

Here deviceid is the value returned by the Android API function TelephonyManager.getDeviceId(). Follows a sample SQLCipher console session that demonstrate how the EnMicroMsg.db database can be decrypted.

$ sqlcipher EnMicroMsg.db
sqlite> PRAGMA key = 'b60c8e4';
sqlite> PRAGMA cipher_use_hmac = OFF;
sqlite> .schema
CREATE TABLE conversation (unReadCount INTEGER, status INT, ...
CREATE TABLE bottleconversation (unReadCount INTEGER, status INT, ...
CREATE TABLE tcontact (username text PRIMARY KEY, extupdateseq long, ...

It is also worth pointing out that, as the key generation algorithm truncates the password to 7 hex characters, it would be not so difficult for motivated attackers who are able to get the encrypted database to brute force the key, even without knowing the uin or the device identifier.


In this post we discussed some security weaknesses that affect Android versions of WeChat up to 4.5.1 (and possibly others). We tried to contact developers to notify our findings, but with no luck: we wrote an e-mail to Tencent technical support both on August 30th and on September 3th, but we got no reply. With the recent widespread diffusion of mobile instant messaging, app developers should take security into more serious considerations, as their application will probably rapidly become an attractive target for attackers.


  1. Hi,Roberto

    I sent the link of your article to a friend who knows WeChat security team as well .And he already sent the link to them. He said that you may not sent to a incorrect Email address. Hope Wechat can fix the problem. Thank you.

  2. Send to bloomberg should speed things up a bit

  3. Hi!

    Thank you for forwarding this post to WeChat team. We simply wrote to the (only) technical address reported on WeChat homepage. BTW, it's quite strange you have to know the security team personally to be able contact them :-)

    Thank you again for your help, we also hope this will be fixed soon.

  4. @rpaleari about ,tencent security team has been in dealing with wechat vul. u can submitted tencent vul to TSRC : http://security.tencent.com , or mail to security@tencent.com , thx. —— tencent security team

  5. Tencent security team is awfully stupid, that's all i can say.

  6. I need someone to have some mean-full words with.

  7. No need to report to Tencent, they intended to do this for China Government

    1. I am from china, in fact by our law Tencent are obliged to provide anything the government wants. They do not have to leave a loopo for them. But I do not think chinese government is interested in what you tell your girlfriends everyday and a chinese knows better than not to say things that may get him arrested. Thank you for your concerns.

    2. Forget my wechat pass words

    3. Forgot my we chat password

  8. China government has many past records to hack into somebody account and spread message in favor of gov/ communist party.

    This happen especially on Celebrities, as they got many "fans" and effectively hijacks their views and manipulate people thought.

    One famous case in china, gov internet monitoring officials accidentally include internal instructions on their hijack message:


    I'm from Hong Kong and we all know dirty tricks by China gov,
    save Hong Kong!

  9. good one :-)
    there are only few person in your community who's interested into this kind of security.
    this instance was obviously a negligence on the developer part.

  10. you share, you chat, we pown :)

  11. Thanks for sharing! I seem to have difficulties finding the local db files though using my Android. I've tried on 3 phones already, but I cannot find a db file under MicroMsg. Please advise!

  12. Omg my account has been hacked on wechat I'm panicking like crazy I could kill myself right now there's so much to lose if:x

  13. Mr. Anonymous China is the most unreliable country in this world including country like Pakistan and alike. In the past they cheated the Australian Company with Billions of dollars after the country set the industry in China. It is common knowledge that they are one of the biggest hackers of the world. Even though every country does that. I never would like to use WeChat or trust China. Go through their past history. Only a Chinese support another Chinese.

  14. They will not fix this. This is deliberately designed. You should be aware that EVERY app made in China is somehow with backdoor or insecurity.

  15. very risky to talk with friend on private. Nw i gona think thrice b4 sharing specialy pics nd vids with my friends in WECHAT.

  16. i use bluestacks.....when i change my bluestacks device id to my real phone device id and try log into my account it log me out from my phone (or viseversa) .... how can i log into my account simultaneously from my phone and bluestacks?

  17. Since WeChat messages (so are all the others like Whatsapp, Viber, Line, and etc) can be intercepted at the server, the other security issues are really none issues. WeChat has removed the remote logging mechnism in the latest version. The data store security hole can be fixed relative easily by implementing an expiration scheme.

  18. Thank you so much for Tencent security that now my account has been stolen by an unauthorized person. I don't know how he gain access to my account since i change my password a lot of time and he is definitely a chinese. Can anybody here help me recover the stolen account or at least help me take a peak on my friend list so i can add them back and warn them?

  19. Well about about 2 weeks ago I made a file under pictures named ; family . My WeChat was disabled for 3 months. At searching in my phone files, I found that my file family has moved to tencent/micromsg.!

  20. what are the starting and ending ports for wechat?

  21. Is this still valid ?? having trouble testing this for my Uni Report

    1. Yes, the problem is still there. They have not changed the db encryption strategy.

  22. People use different channel for the communication with assignment help australia. The E maze technology helps people to load the apps in mobile or on system. This make a perfect chance for the fast communicate further its saves way for the communication. The traffic on different server caused loss of time. People should adopt such technology.

  23. You know which messenger is the best - Telegram.
    I think we need more like that one, because they are protected from interrupting private messages and spying on sms

  24. If you are interested in hacking various devices, you can visit this blog http://topspyingapps.com/ikeymonitor/ for more info.

  25. This blog content was real to my IT job interview career opportunities.
    data science online training

  26. Awesome article. Thanks for sharing a it

  27. Be sure to look at this gps tracking device spy app for iphone and android,

  28. This comment has been removed by the author.

  29. This comment has been removed by the author.