A couple of months ago, my carrier charged me almost 30 euros just in text messages (SMS). It was unsustainable. Between friends and family, maintaining an asynchronous conversation cost a fortune. Then, a buddy recommended I install a small app with a green icon called WhatsApp. I installed it on my Android, but the surprise was huge: it works with iPhones, BlackBerrys, and even prehistoric Nokia Symbians.
The SMS bill can drop to zero! But, as an IT guy, what keeps me awake at night isn't the savings, but understanding how the hell these people are handling millions of messages per second without their servers exploding.
The guts of the monster: XMPP and Erlang
If you reverse engineer it or simply start monitoring your phone's network traffic with tools like Wireshark, you quickly realize that WhatsApp hasn't reinvented the wheel. Under the hood, they are using a highly well-known protocol: XMPP (formerly Jabber).
They took the ejabberd server, programmed in Erlang, and heavily tuned it. Erlang is a functional language designed by Ericsson in the eighties specifically for concurrent, fault-tolerant telecommunications systems. It is perfect for keeping hundreds of thousands of TCP sockets open simultaneously with minimal resource consumption.
When you send a message, you are actually sending a modified XML packet. Something conceptually similar to this:
<message to="34600123456@s.whatsapp.net" type="chat" id="msg-12345">
<body>¿Te vienes a tomar unas cañas luego?</body>
<request xmlns="urn:xmpp:receipts"/>
</message>
When the server receives it and delivers it, it returns that famous green "double check". It's brilliant in its simplicity. They tied the phone number as the unique identifier (JID in the XMPP world), eliminating the painful step of "creating a user and adding friends by email". Your contact book is your friends list.
The terrifying security issue
Now comes the part that makes my hair stand on end. I've been analyzing the packets captured on the university's WiFi network. WhatsApp is sending all messages in plain text!
There is no SSL/TLS encryption by default. If you are connected to a public WiFi network in a coffee shop, anyone with a network sniffer can read your intimate conversations, see who you are talking to, and even intercept the photos you send. This seems like a brutal negligence to me, especially considering the app is already seeing massive use.
Reflection: Checkmate to the carriers
Telecom carriers are losing their golden goose. For years they have been charging 15 cents to send 160 bytes of data (which also travel on the leftover signaling channels of the cellular network). It was a robbery.
The success of WhatsApp proves that the carriers' closed solutions (anyone remember MMS?) are dead in the face of solutions based on internet data and open protocols (even if WhatsApp modified and closed it on their client). My question is whether this small startup will be able to maintain the infrastructure when they go from 10 million users to, I don't know, 100 million. And above all, when on earth are they going to encrypt the communications?