Tag Archives: Whatsapp

How Whatsapp spies on Your Messages – WhatsApp Retransmission Vulnerability

According to Tobias Boelter tobias@boelter.it

Download the Slides from Tobias here: Whatsapp Slides from Tobias Boelter

Setting: Three phones. Phone A is Alice’s phone. Phone B is Bob’s phone. Phone C is the attacker’s phone.

Alice starts by communicating with Bob and, being a good human, of course meets with Bob in person, and they verify each other’s identities, i.e. that the key exchange was not compromised.

Remember, Alice encrypts her messages with the public key she has received from Bob. But this key is sent through the WhatsApp servers so she can not know for sure that it is actually Bob’s key. That’s why they use a secure channel (the physical channel) to verify this.

Now, Alice sends a message to Bob. And then another message. But this time this message does not get delivered. For example because Bob is offline, or the WhatsApp server just does not forward the message.


Now the attacker comes in. He registers Bob’s phone number with the WhatsApp server (by attacking the way too vulnerable GSM network, putting WhatsApp under pressure or by being WhatsApp itself).

Alice’s WhatsApp client will now automatically, without Alice’s interaction, re-encrypt the second message with the attacker’s key and send it to the attacker, who receives it.

Only after the act, a warning is displayed to Alice (and also only if she explicitly chose to see warnings in her settings).


Conclusion

Proprietary closed-source crypto software is the wrong path. After all, this – potentially malicious – code handles all our decrypted messages. Next time the FBI will not ask Apple but WhatsApp to ship a version of their code that will send all decrypted messages directly to the FBI.

Signal is better

Signal is doing it right. Alice’s second message („Offline message“) was never sent to the attacker.


Signal is also open source and experimenting with reproducible builds. Have a look at it.

Update (May 31, 2016)

Facebook responded to my white-hat report

„[…] We were previously aware of the issue and might change it in the future, but for now it’s not something we’re actively working on changing.[…]“

https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/
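
The sequence from the post above (in-person verification, one delivered and one undelivered message, then a key change for Bob's number), replayed against the two sender-side policies it contrasts. This is an added example, not code from the original post, WhatsApp or Signal; the `Sender` class, the policy names and the key values are constructed for illustration, and no real encryption is performed.

```python
"""Model of how a sending client reacts to a contact's identity-key change.
Constructed illustration: keys are opaque byte strings, nothing is encrypted."""
import hashlib
from dataclasses import dataclass, field

AUTO_RETRANSMIT = "auto-retransmit"            # behaviour the post describes for WhatsApp
BLOCK_UNTIL_APPROVED = "block-until-approved"  # behaviour the post describes for Signal

BOB_KEY = b"constructed-identity-key-phone-B"       # sample value
ATTACKER_KEY = b"constructed-identity-key-phone-C"  # sample value


def fingerprint(identity_key: bytes) -> str:
    """Short digest standing in for the code two users compare in person."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class Sender:
    policy: str
    show_notifications: bool = True
    trusted: dict = field(default_factory=dict)     # contact -> fingerprint in use
    unapproved: dict = field(default_factory=dict)  # contact -> new, unaccepted fingerprint
    pending: dict = field(default_factory=dict)     # contact -> undelivered plaintexts
    wire: list = field(default_factory=list)        # (fingerprint, text) that left the device
    events: list = field(default_factory=list)      # ordered log of client actions

    def verify(self, contact, identity_key):
        """The user accepts this key for the contact (out-of-band check)."""
        self.trusted[contact] = fingerprint(identity_key)
        self.events.append(("verified", contact))

    def send(self, contact, text, delivered):
        if contact in self.unapproved:           # blocked until the user decides
            self.pending.setdefault(contact, []).append(text)
            return
        self.wire.append((self.trusted[contact], text))
        if not delivered:                        # no delivery receipt came back
            self.pending.setdefault(contact, []).append(text)

    def on_key_change(self, contact, new_key):
        """The server announces a different identity key for the contact."""
        new_fp = fingerprint(new_key)
        if new_fp == self.trusted.get(contact):
            return
        if self.policy == AUTO_RETRANSMIT:
            self.trusted[contact] = new_fp       # accepted without asking
            for text in self.pending.pop(contact, []):
                self.wire.append((new_fp, text))
                self.events.append(("retransmitted", text))
            if self.show_notifications:          # opt-in, and only after the resend
                self.events.append(("warning", contact))
        else:
            self.unapproved[contact] = new_fp    # pending messages stay on the device
            self.events.append(("warning", contact))

    def approve(self, contact):
        """The user re-verified the new key and chose to resend."""
        self.trusted[contact] = self.unapproved.pop(contact)
        for text in self.pending.pop(contact, []):
            self.wire.append((self.trusted[contact], text))
            self.events.append(("retransmitted", text))


def run_scenario(policy, show_notifications=True):
    """Replay the post's sequence: verify, one delivered and one undelivered message, key change."""
    alice = Sender(policy, show_notifications)
    alice.verify("bob", BOB_KEY)
    alice.send("bob", "Online message", delivered=True)
    alice.send("bob", "Offline message", delivered=False)
    alice.on_key_change("bob", ATTACKER_KEY)
    return alice


def readable_with(sender, identity_key):
    """Messages on the wire addressed to the holder of identity_key."""
    fp = fingerprint(identity_key)
    return [text for key_fp, text in sender.wire if key_fp == fp]


if __name__ == "__main__":
    for policy in (AUTO_RETRANSMIT, BLOCK_UNTIL_APPROVED):
        alice = run_scenario(policy)
        print(policy, readable_with(alice, ATTACKER_KEY), alice.events)
```

The event log is the part to read: under the first policy the warning, if enabled at all, is recorded after the resend, while under the second it precedes any transmission to the new key.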


Whatsapp spies on your encrypted messages

Exclusive: Privacy campaigners criticise WhatsApp vulnerability as a ‘huge threat to freedom of speech’ and warn it could be exploited by government agencies

Research shows that WhatsApp can read messages due to the way the company has implemented its end-to-end encryption protocol. Photograph: Ritchie B Tongo/EPA

A security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

Privacy campaigners said the vulnerability is a “huge threat to freedom of speech” and warned it can be used by government agencies to snoop on users who believe their messages to be secure. WhatsApp has made privacy and security a primary selling point, and has become a go to communications tool of activists, dissidents and diplomats.

WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been resent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.

The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

The backdoor is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp’s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.

Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the backdoor still exists.

The WhatsApp vulnerability calls into question the privacy of messages sent across the service used around the world, including by people living in oppressive regimes. Photograph: Marcelo Sayão/EPA

Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights, verified Boelter’s findings. He said: “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”

Boelter said: “[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”

The vulnerability calls into question the privacy of messages sent across the service, which is used around the world, including by people living in oppressive regimes.

Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, called the existence of a backdoor within WhatsApp’s encryption “a gold mine for security agencies” and “a huge betrayal of user trust”. She added: “It is a huge threat to freedom of speech, for it to be able to look at what you’re saying if it wants to. Consumers will say, I’ve got nothing to hide, but you don’t know what information is looked for and what connections are being made.”

In the UK, the recently passed Investigatory Powers Act allows the government to intercept bulk data of users held by private companies, without suspicion of criminal activity, similar to the activity of the US National Security Agency uncovered by the Snowden revelations. The government also has the power to force companies to “maintain technical capabilities” that allow data collection through hacking and interception, and requires companies to remove “electronic protection” from data. Intentional or not, WhatsApp’s backdoor to the end-to-end encryption could be used in such a way to facilitate government interception.

Jim Killock, executive director of Open Rights Group, said: “If companies claim to offer end-to-end encryption, they should come clean if it is found to be compromised – whether through deliberately installed backdoors or security flaws. In the UK, the Investigatory Powers Act means that technical capability notices could be used to compel companies to introduce flaws – which could leave people’s data vulnerable.”

A WhatsApp spokesperson told the Guardian: “Over 1 billion people use WhatsApp today because it is simple, fast, reliable and secure. At WhatsApp, we’ve always believed that people’s conversations should be secure and private. Last year, we gave all our users a better level of security by making every message, photo, video, file and call end-to-end encrypted by default. As we introduce features like end-to-end encryption, we focus on keeping the product simple and take into consideration how it’s used every day around the world.

“In WhatsApp’s implementation of the Signal protocol, we have a “Show Security Notifications” setting (option under Settings > Account > Security) that notifies you when a contact’s security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”

Asked to comment specifically on whether Facebook/WhatsApp had accessed users’ messages and whether it had done so at the request of government agencies or other third parties, it directed the Guardian to its site that details aggregate data on government requests by country.

Concerns over the privacy of WhatsApp users have been repeatedly highlighted since Facebook acquired the company for $22bn in 2014. In August 2015, Facebook announced a change to the privacy policy governing WhatsApp that allowed the social network to merge data from WhatsApp users and Facebook, including phone numbers and app usage, for advertising and development purposes.

Facebook halted the use of the shared user data for advertising purposes in November after pressure from the pan-European data protection agency group Article 29 Working Party in October. The European commission then filed charges against Facebook for providing “misleading” information in the run-up to the social network’s acquisition of messaging service WhatsApp, following its data-sharing change.

https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages

Facebook Messenger On Android Hits 1 Billion Downloads

Only two companies have apps with over 1 billion Google Play downloads, and the other is Google. Today Facebook proved just how big a business replacing SMS can be, as its leader David Marcus announced Messenger has now been downloaded over 1 billion times on Android. It joins Facebook and WhatsApp, and Google’s Gmail, YouTube, Search, and Maps in this very exclusive club.

Messenger’s strategy of layering modern mobile sharing features over a speedy texting app has paid off, and it looks like Facebook’s just getting started. With VOIP, video calling, stickers, voice clips, peer-to-peer payments, location, and a whole platform of third-party content creation apps, Messenger wants to own every way you communicate. And it partially is for well over 600 million users.


Combined with WhatsApp’s streamlined SMS alternative, Facebook controls messaging in a way that deeply insulates it from disruption. Snapchat and Yik Yak might steal a few users from its social network feed, but Facebook’s already focusing on the next fundamental communication utility.

In fact, Facebook has been subtly baking Messenger much deeper into its product.

When you graph search for people, like friends who like a certain band, Facebook shortcuts you to ping them on Messenger, not visit their profile. When it’s a friend’s birthday, in some cases Facebook now recommends that you message them Happy Birthday, rather than writing it on their wall.

Messenger In Facebook

Just last week, Facebook overhauled how Messenger handles map and location sharing to lay the groundwork for a slew of new GPS-enabled features. Before, finding where to meet up with people was the domain of Nearby Friends in the main Facebook app.

And Facebook’s secret weapon in the messaging wars is that chat isn’t where it makes its money. Rather than having to cram Messenger full of ads or convince you to buy Sticker packs, it just has to tie people closer to its big brother Facebook where lucrative mobile ads earn enough money to provide for the whole family.


Getting to this point wasn’t easy. Facebook had to offend the pride of its whole userbase by telling them they were required to download a whole other app for messaging. It wasn’t sweet, but the medicine went down, and Facebook saw engagement rise once chat wasn’t buried in its blue behemoth. Freed from the extra weight, Messenger was thin and agile enough to build out its bells and whistles.

With former PayPal President David Marcus in command and expert product guy Stan Chudnovsky as his first mate, in just the last six months Messenger has:

Meanwhile, the other giant with deep enough pockets to fund a true attempt at owning messaging has spent the past few years distracted by moonshots. Google was late to launch its mobile messenger, which was dragged down by Google Plus. It squandered its Hangouts product’s early lead in video chat, and missed on the chance to acquire WhatsApp, which could have turned this into a two-horse race.


Instead, Facebook saw that messaging was the center of mobile, the app you use the most times per day. If it’s the reason you open your phone at first, it’s wedged a foot in the door to become the second and third thing you do too. And with China’s WeChat pioneering the chat-app-as-a-portal roadmap, Facebook can just port what works to the rest of the world.

After years of people asking what would be the Facebook killer, Facebook happily provided its own answer.

Quote: http://techcrunch.com/2015/06/09/the-new-facebook

Facebook’s WhatsApp Will Be How the World Makes Phone Calls

Further Reading: http://www.wired.com/2015/04/facebooks-whatsapp-worlds-next-phone

WhatsApp is the world’s most popular smartphone messaging app, letting more than 800 million people send and receive texts on the cheap. But it’s evolving into something more.

On Tuesday, the company, which is owned by Facebook, released a new version of the app that allows people with iPhones to not only text people, but actually talk to them. This built on a similar move the company made at the end of March, when it quietly released an Android update that did the same thing. And in the week following the addition of voice calling on Android, WhatsApp-related traffic increased about 5 percent on carrier networks, according to a study by Allot Communications—an Israeli company that helps manage wireless network traffic worldwide.

That figure will likely get a lot bigger as WhatsApp shifts from being the world’s favorite messaging app to become a more wide-ranging—and bandwidth-intensive—communication tool.

Others have offered internet voice calls on smartphones, most notably Skype and Viber. But WhatsApp is different. So many people already use the app, and the company is intent on keeping it free (or nearly free). Though it has little traction here in the US, WhatsApp is enormously popular in parts of Europe and the developing world—areas where there’s a hunger for cheap communication. The result is an app that could bring inexpensive Internet calls to an audience of unprecedented size.

Developing World

The rapidly evolving WhatsApp is but one face of the dramatic technological changes sweeping across the developing world. So many companies are working to bring affordable smartphones to the market, from China’s Xiaomi to the Silicon Valley’s Cyanogen, as many others, from China’s WeChat to Viber, push cheap communication services onto these devices.

These technologies face the usual obstacles—and WhatsApp is no exception. Though the app is expected to reach a billion users by year’s end, its push into voice calls could alienate many wireless carriers. If you have free internet calls, after all, you don’t need to pay for cellular calls. Some carriers may fight the tool as a result, says Allot associate vice president Yaniv Sulkes.

But the same could be said of messaging on WhatsApp. It too cuts into the carriers’ way of doing things. And yet, WhatsApp has thrived. It has so much traction in large part because it has cultivated partnerships with carriers, striking deals that bundle its app with low-cost wireless services. According to another Allot survey, about 37 percent of the carriers now have deals with WhatsApp or similar inexpensive Internet-based services—a sharp rise over the past few years. “More and more operators are adopting the strategy of ‘let’s partner with them’ rather than ‘let’s fight them,’” Sulkes says.

In the meantime, Facebook is pushing for somewhat similar arrangements, through its Internet.org initiative, that bundle limited Internet access with access to specific apps. Mark Zuckerberg and company have encountered some opposition to these deals. But the combined might of Facebook and WhatsApp will be hard for carriers to resist.

Video Next?

As WhatsApp spreads, Sulkes believes, it will keep pushing into new services. After rolling out voice calling, he says, it may venture into video calling. The app already lets you send files, including videos, and other messaging apps, such as SnapChat, already have ventured into video calls.

None of these tools—video calls, voice calls, file sharing—are new technologies. But not everyone has them. WhatsApp has the leverage to change that. The app has grabbed hold of the developing world in rapid fashion, and now it can serve as a platform for bringing all sorts of modern communications to the far reaches of the globe. Yes, there’s another major obstacle to overcome: so much of the developing world doesn’t have the network infrastructure to accommodate these kinds of modern services. But Facebook is set to change that, too.

Whatsapp Calls on Iphone

Further Reading: http://www.forbes.com/sites/amitchowdhry/2015/04/21/whatsapp-voice-calling-ios/ and http://www.macrumors.com/2015/04/21/whatsapp-gains-voice-calling/

WhatsApp, the popular mobile messaging service owned by Facebook, has released a major update to its iPhone app today. The update includes the highly-anticipated WhatsApp Calling feature, which rolled out to every Android user late last month. The WhatsApp Calling feature is comparable to Skype and the FaceTime Audio service on iOS. Data charges may apply while using the WhatsApp Calling feature.

“Call your friends and family using WhatsApp for free, even if they’re in another country. WhatsApp calls uses your phone’s Internet connection rather than your cellular plan’s voice minutes,” said WhatsApp in its app update description. 

Unfortunately, the WhatsApp Calling feature is rolling out slowly so you may not see it right away. The new calling feature should be available for every iOS user within the next few weeks. Prior to launching WhatsApp Calling for Android, the messaging company ran a lengthy beta test.

WhatsApp version 2.12.1 also includes an iOS 8 share extension, a quick camera button in chats, the ability to edit your contacts right from WhatsApp and an option to send multiple videos at once. You can also crop and rotate videos before sending them. The iOS 8 share extension lets you share photos, videos and links to WhatsApp from other apps. And the quick camera button lets you seamlessly capture photos and videos or choose a recent camera roll photo or video.

WhatsApp Update For iOS / Credit: WhatsApp

How does WhatsApp Calling for iOS work? If someone calls you through WhatsApp, you will see a push notification from the messaging service showing who the call is from. Once you answer the call, you will notice that there are options to mute the call or put it on speakerphone. You can also send a message to the person calling you. If the WhatsApp Calling feature for iOS is similar to the Android app, then you will see a Calls tab that has a list of your incoming, outgoing and missed WhatsApp calls. Personally, I do not have access to WhatsApp Calling for iOS app yet.

Launched in 2009, WhatsApp started out as a simple group text messaging app. Four years later, WhatsApp added a voice messaging service. And then Facebook acquired WhatsApp for $19 billion in February 2014. Several months ago, WhatsApp launched a desktop client called WhatsApp Web — which you can activate with an Android, BlackBerry, Windows Phone or Nokia S60 device.

Earlier this month, WhatsApp hit 800 million monthly active users. WhatsApp has been adding about 100 million monthly active users every four months since August. In January, WhatsApp hit 700 million monthly active users. WhatsApp now has more users than every other messaging app, including Facebook Messenger. It took Facebook about 8 years to hit 1 billion users. Facebook now has about 1.4 billion monthly users and Facebook Messenger has roughly 600 million users.“

„After promising to deliver voice calling capabilities back in 2014, WhatsApp has finally delivered, introducing voice over IP features in its latest update. With the new version of the app, it’s possible for WhatsApp users to call friends and family directly within the app using a Wi-Fi or cellular connection at no cost.

The introduction of voice calling to the Facebook-owned WhatsApp app puts it on par with Facebook’s other messaging app, Facebook Messenger, which gained voice calling back in 2013. It also allows the app to better compete with other iOS-based VoIP calling options like Skype and FaceTime Audio.

Today’s WhatsApp update also brings a few other features, including the iOS 8 share extension for sharing videos, photos, and links to WhatsApp from other apps, contact editing tools, and the ability to send multiple videos at one time.

What’s new
-WhatsApp Calling: Call your friends and family using WhatsApp for free, even if they’re in another country. WhatsApp calls use your phone’s Internet connection rather than your cellular plan’s voice minutes. Data charges may apply. Note: WhatsApp Calling is rolling out slowly over the next several weeks.

-iOS 8 share extension: Share photos, videos, and links right to WhatsApp from other apps.

-Quick camera button in chats: Now you can capture photos and videos, or quickly choose a recent camera roll photo or video.

-Edit your contacts right from WhatsApp.

-Send multiple videos at once and crop and rotate videos before sending them.

WhatsApp can be downloaded from the App Store for free. The new WhatsApp calling feature will be rolling out to users over the next few weeks.“

Facebook’s WhatsApp reaches the next level with its Voice Calling Functionality

Read the Full Story here: http://www.forbes.com/sites/parmyolson/2015/04/07/facebooks-whatsapp-voice-calling/


„WhatsApp’s head office is among the most impressive you can find in start-up infested Mountain View, California, with glass walls cascading down from a rooftop patio that apparently glows at night.

You’d never guess that one of the most disruptive forces in the history of the telecommunications industry was housed inside.

Like the older, smaller digs it once frequented down the road on Bryant Street, there is no hint of corporate signage out in front. Just an abstract sculpture called “Caring” by California artist Archie Held, and a small Zen garden tucked in a corner of the lobby.

All very calming, but not for mobile carriers. This time last year, WhatsApp’s then-470 million users had already erased an estimated $33 billion in SMS revenue from wireless operators. That number is growing. Between 2012 and 2018 the entire telecommunications industry will have lost a combined $386 billion because of OTT services like WhatsApp and Skype, according to Ovum Research.

Today WhatsApp has more than 700 million people using it at least once a month, sending more than 10 billion messages a day. At its current rate of growth it should pass the 1 billion user mark before the end of 2015. The company doesn’t push through many updates. While other messaging apps like WeChat, Kik and Facebook Messenger host content and e-commerce services to become all-encompassing platforms, WhatsApp has limited its new features to communications.

Now the stakes for the world’s biggest messaging company are about to get much higher as it pushes through one of the most fundamental methods of communication out there: voice calling.

In February WhatsApp began rolling out the feature to select users across the world who could receive calls through the app. Receiving a call allowed them to make calls too. Then last week it offered an application file on its website which, if downloaded, allowed anyone with an Android phone to call other WhatsApp users.

The feature is expected to launch on Windows Phones and iOS phones soon, and already, around 20 million people including 2 million in Germany have been able to test it, says Pamela Clark-Dickson, a telecom analyst at Ovum Research, citing a source close to Facebook.

WhatsApp’s staff of approximately 80 people were spread thinly across three stories in their impressive 20,000 square foot building when I last visited in late 2014. The edgy graffiti that once adorned WhatsApp’s walls had taken on a more sophisticated, Banksy-like flavor inside: marking the third floor’s entrance was a huge mural of a woman riding a bicycle in Hong Kong, a reminder of WhatsApp’s international popularity.

WhatsApp had been living a hermetic, four-year existence in the Silicon Valley bell jar before Facebook swooped in and bought the company for $22 billion in February 2014. It continued that air of secrecy in the months afterwards, except now it was subject to a steady stream of visitors and it needed a pair of security guards to mind the entrance to its headquarters.

WhatsApp’s resources with Facebook were only just starting to converge in the wake of their landmark deal, with Facebook now helping with legal matters and public affairs. “We were very cheap when we were WhatsApp,” said Neeraj Arora, WhatsApp’s long-time business development head when asked about how money was being spent. “We’re more disciplined now because we are part of a public company.”

Yet Facebook’s largesse makes it easier to pull off big expansion plans. At the top floor, Arora pulled back one of the blinds and pointed to the roof of another building about a block away that was still under construction.

Milling about on top in ant-like proportions were half a dozen construction workers wearing bright yellow vests. This was WhatsApp’s next headquarters, scheduled to be ready for them to move in in 2015: an 80,000-square-foot colossus that would include a gym and a floor big enough for all departments to be together once again.

WhatsApp had actually leased the building before the Facebook deal, a confident move by the founders who fully believed that in three-to-five years they would have a workforce of around 500.

Today with big plans to become a comprehensive communications service and all-round-new-breed of phone company, that looks more likely than ever.

Though many of us already make free calls on Skype, Viber or Apple’s FaceTime, WhatsApp’s calling service stands to be the most popular of them all simply because it has the highest single number of active users.

“It has the potential to affect mobile voice revenues [for carriers] more so than LINE or Viber or even Skype, which is not that big on mobile,” says Clark-Dickson.

That’s troubling news for carriers like AT&T or Vodafone for two reasons. WhatsApp’s rise coincides with the gradual erosion of a carrier’s relationship with consumers, relegating them to the grey world of infrastructure inhabited by Cisco and Ericsson, packet-based networks whose primary role is to transport data.

It will also cost them revenue. Voice minutes are already falling across the industry, according to Ovum, which says mobile network revenues will contract for the first time in 2018 as over-the-top services like WhatsApp push us towards using data rather than voice minutes.

While mobile data revenues will grow by a compound annual rate of 8% to reach $586.4 billion globally in 2019, voice will decline by 3% over the same period, to $472.7 billion. North America and Western Europe will be hardest-hit with respect to mobile voice revenues, with these regions representing nearly 80% of the global voice revenue decline.

This points to the frustrating paradox for carriers: enormous growth but tighter margins. Consumers have developed an insatiable demand for data, Facebooking, YouTubing and Netflixing on their mobile phones at all hours of the day. Cisco predicts mobile data traffic will increase 11-fold from 2013 to 2018. But the average revenue per user (ARPU) for carriers is falling, because the cost of data is getting cheaper. Imagine McDonald’s customers buying 10 times more food, but only ordering french fries.

Data used to contribute a disproportionately high level of revenue in relation to traffic when it was mainly related to SMS. Back in 2005 for instance, someone sending 3,000 text messages was sending less than 0.1MB data per month. Now that load has increased into the gigabytes. ARPU for carriers has remained steady since 2010, but what’s changed is that data now makes up more than half of their total revenue, and overshadowed voice for the first time earlier this year.

Data is essentially devouring voice. T-Mobile and Verizon are already dealing with this by launching Voice over LTE which transforms a voice call into a data call, and doubling the amount of data available to customers for the same price.

With voice and SMS margins dwindling, carriers may eventually be forced to stick to flat-rate data plans which are being pioneered by younger operators like 3 and Tele2, and taking full advantage of their expensive new 4G networks. WhatsApp’s voice feature might not necessarily be a disaster for carriers if it boosts their data revenues further. But Clark-Dickson warns that “even if data traffic revenue increased, it would not go back to the old revenue days.”

What’s infuriating for carriers is how WhatsApp and its ilk can run a potentially profitable service on top of their expensive infrastructure. Just last year, carriers bid more than $40 billion on new wireless spectrum at a government auction for a high-band spectrum that could carry more data than usual. Good timing for WhatsApp’s voice plans, since the new spectrum will lead to smoother connections and less hiccups in the service, though it could take around two years for the faster data speeds to kick in.

For their part, Koum and his team have long insisted that WhatsApp is no enemy to carriers. Instead they’ve partnered with more than 100 of them around the world, asking carriers to not count the use of WhatsApp against their data allowance. In other words, when a customer’s data allowance runs out, they can still use WhatsApp. It’s unclear how those partnerships will develop when voice kicks in. T-Mobile has formed a similar partnership with Facebook and with music streaming, and the model is helping around half the world’s carriers improve their revenue prospects, according to one recent survey.

Still, some carriers have taken their time before getting on board with WhatsApp. It took a while, for instance, before leading Latin American carrier America Movil agreed to partner with the company.

WhatsApp has rolled out its voice feature in a characteristically slow and methodical way, introducing it to tranches of users at a time. Its founders Jan Koum and Brian Acton were more interested in making sure the service worked reliably than getting it out to their user base quickly.

Voice is trickier than messaging to do well. Real-time communications services have to contend with drop-outs and lags, as anyone who’s ever made a Skype call will know. That’s a big reason why WhatsApp is behind schedule on voice, according to people at the company. Co-founder Koum originally said the feature would be available in the second half of 2014, but it’s only just becoming available now.

For mobile operators, the extra time to prepare for what could be a major disruption to one of their most precious revenue sources is a small silver lining, says Clark-Dickson. “Mobile operators had 12 months to prepare and plan for this, so they know what’s coming,” she says. Still, she adds, “I don’t think operators have moved quickly enough.”

Carriers have increasingly bundled data, voice and SMS into a single rate, while operators like Vodafone and Sprint have signed up to the Rich Communication Services (RCS) standard, their own version of a web-based service to compete with apps like Viber and WhatsApp.

RCS, marketed under the name joyn, has been around for eight years. Yet until a year ago carriers offered these web-based services through their own third-party apps, says Clark-Dickson. Only recently have they started integrating them into an Android phone’s native dialler and texting applications. The number of people who have phones with the service are likely in the single-digit millions, she estimates, which means it could be too little too late to counteract the expected popularity of WhatsApp voice calling.

WhatsApp is still a ways off from being what you could call a phone company, with all the infrastructure and back-end billing and customer care services that entails. But it’s also graduating from the status of simple OTT player to a new kind of communications service provider. In the meantime, it should heed the mistakes of carriers who moved too slowly in the face of disruptive upstarts.

“We’ve been waiting a year for [WhatsApp voice calling] and it’s still only available on Android. It’s rolling out across market slowly,” Clark-Dickson warns, pointing to competitors like Viber, LINE and WeChat who have already had voice calling enabled for some time. “It needs to move more quickly in communications and with VoIP.”