JustNunuz/device-activity-tracker
Device Activity Tracker

Proof of Concept Review

Badges: Node.js · TypeScript · React · License: MIT

⚠️ DISCLAIMER: Proof-of-concept for educational and security research purposes only. Demonstrates privacy vulnerabilities in WhatsApp and Signal.

Overview

This repository is a fork of the original Device Activity Tracker project, which implements a proof-of-concept based on recent academic research into delivery receipt timing side-channels in end-to-end encrypted messaging platforms.

The purpose of this fork is to:

  • Validate how much of the academic theory holds up in real-world conditions
  • Identify practical limitations and sources of noise
  • Clearly separate theoretical capability from observable, repeatable behavior
  • Document security and privacy implications without overstating risk

This work focuses primarily on WhatsApp, though the underlying concepts may apply to other platforms with similar protocol behavior.

Security implications: delivery receipt timing is a privacy weakness in messaging apps that could be used to track when an account is reachable, without the target noticing. The sections below try to establish how far that holds outside controlled conditions rather than simply assert it.


Background

End-to-end encryption protects message content, but messaging platforms still rely on metadata for functionality such as:

  • Message delivery acknowledgements
  • Multi-device synchronization
  • Presence management

Recent research shows that delivery receipts, even when read receipts and presence indicators are disabled, can leak timing information that may be used as a side channel to infer device or account activity. A delivery receipt is emitted by the recipient's client once the message reaches it, so the time at which it comes back tells the sender, at minimum, whether and how quickly some device on that account was reachable.

This repository explores that premise from a defensive and research-oriented perspective.


Scope & Goals

This fork is intended to answer the following questions:

  • Does delivery receipt timing provide a usable signal outside of lab conditions?
  • How noisy is the signal across different networks and devices?
  • What real-world constraints limit accuracy or scalability?
  • Where does the theoretical risk meaningfully degrade in practice?

This is not an exploitation framework and is not designed for surveillance or monitoring.


High-Level Findings

Based on initial testing:

  • Delivery receipt timing can act as a side channel that the target cannot see

  • It is possible, under controlled conditions, to infer:

    • Online vs offline states
    • Relative activity (active, idle, backgrounded)
  • No user-visible artifacts were observed on the target's side:

    • No notifications
    • No chat entries
  • The only precondition is knowledge of the target's phone number; no interaction from the target is required

These findings align with the core claims of the academic research, while exposing several important practical constraints.


Practical Limitations

While the signal exists, it is highly contextual and noisy. Throughout, "RTT" means the round-trip time from sending a probe message to receiving its delivery receipt.

Network Variability

  • RTT values vary significantly based on:

    • Carrier latency
    • Wi-Fi vs mobile data
    • Geographic distance
  • Single RTT samples are unreliable

  • Meaningful inference requires:

    • Aggregation over several probes
    • Baseline calibration per target, since one target's normal RTT is another target's delayed RTT

Multi-Device Effects

WhatsApp’s multi-device architecture introduces ambiguity:

  • Delivery acknowledgements may originate from:

    • Mobile devices
    • Web sessions
    • Secondary linked devices
  • In some cases, timing patterns suggested the presence of multiple logged-in devices

This can cause:

  • False positives for “active” states
  • Reduced confidence in mapping activity to a specific physical device
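As an added example, not code from this repository or the project it forks, the following TypeScript shows the aggregation and per-target calibration that the Network Variability section calls for, and treats the multi-device case above as an explicit "ambiguous" verdict instead of counting it as "active". The RTT samples are constructed, and the window size, the 3 MAD band and the bimodality gap rule are assumptions chosen for illustration, not values taken from the PoC.

```typescript
// Added example (not the project's code): per-target baseline calibration and
// windowed aggregation of delivery-receipt round-trip times (RTTs), with the
// multi-device case surfaced as "ambiguous" instead of being counted as "active".
// All RTT values are constructed; the window size, band width and gap rule are assumptions.

type Sample = { sentAt: number; ackAt: number | null }; // ms; null = no receipt before timeout

type State = "insufficient" | "offline" | "active" | "delayed" | "ambiguous";

interface Baseline { median: number; mad: number }

interface Verdict { state: State; ackedRtts: number[]; unacked: number; windowMedian: number | null }

function median(xs: number[]): number {
  const s = [...xs].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Baseline from a calibration run while the target is known to be online and in the
// foreground: median plus median absolute deviation (MAD). A few congested samples
// cannot drag these around the way they would a mean and standard deviation.
function calibrate(rtts: number[]): Baseline {
  const med = median(rtts);
  const mad = median(rtts.map((r) => Math.abs(r - med)));
  return { median: med, mad: Math.max(mad, 1) }; // floor keeps the band from collapsing to zero width
}

// Constructed-input helper: turn a list of observed RTTs (null = timed out) into probe
// samples sent every `intervalMs` starting at t0.
function fromRtts(rtts: (number | null)[], t0 = 0, intervalMs = 2000): Sample[] {
  return rtts.map((rtt, i) => {
    const sentAt = t0 + i * intervalMs;
    return { sentAt, ackAt: rtt === null ? null : sentAt + rtt };
  });
}

function classifyWindow(
  samples: Sample[],
  base: Baseline,
  opts = { minSamples: 5, bandMads: 3, offlineFraction: 0.5 },
): Verdict {
  const unacked = samples.filter((s) => s.ackAt === null).length;
  const acked = samples
    .filter((s) => s.ackAt !== null)
    .map((s) => (s.ackAt as number) - s.sentAt)
    .sort((a, b) => a - b);
  const verdict = (state: State, windowMedian: number | null = null): Verdict =>
    ({ state, ackedRtts: acked, unacked, windowMedian });

  // A single RTT says little; refuse to classify until the window is full.
  if (samples.length < opts.minSamples) return verdict("insufficient");
  // No receipt at all is the one strong signal: the account is unreachable.
  if (unacked / samples.length >= opts.offlineFraction) return verdict("offline");

  const winMed = median(acked);
  // Bimodality check: if the largest gap in the sorted RTTs splits them into two groups of
  // at least two samples each, receipts are plausibly coming from two linked devices at
  // different latencies, so the window must not be read as one device being "active".
  let gap = 0, gapIdx = -1;
  for (let i = 1; i < acked.length; i++) {
    if (acked[i] - acked[i - 1] > gap) { gap = acked[i] - acked[i - 1]; gapIdx = i; }
  }
  const bimodal = gapIdx >= 2 && acked.length - gapIdx >= 2 && gap > Math.max(10 * base.mad, 0.25 * winMed);
  if (bimodal) return verdict("ambiguous", winMed);

  // "delayed" = well above the calibrated band. Consistent with a backgrounded or dozing
  // device, but on a single window it is indistinguishable from network congestion.
  const upper = base.median + opts.bandMads * base.mad;
  return verdict(winMed <= upper ? "active" : "delayed", winMed);
}

// Constructed data: a calibration run and five probe windows against the same target.
const CALIBRATION_RTTS = [110, 118, 125, 121, 130, 115, 119, 123];
const WINDOWS: Record<string, (number | null)[]> = {
  foreground: [117, 124, 119, 128, 112],
  unreachable: [null, null, 640, null, null],
  twoDevices: [116, 480, 122, 495, 119, 470],
  backgrounded: [410, 455, 398, 470, 430],
  tooShort: [118, 121, 125],
};

function runDemo(): Record<string, State> {
  const base = calibrate(CALIBRATION_RTTS);
  const out: Record<string, State> = {};
  for (const [name, rtts] of Object.entries(WINDOWS)) {
    out[name] = classifyWindow(fromRtts(rtts), base).state;
  }
  return out;
}

console.log(calibrate(CALIBRATION_RTTS), runDemo());
```

Run with any TypeScript runner; it prints the calibrated baseline (median 120 ms, MAD 4 ms for the constructed run) and one verdict per window. The refusal cases are the point: fewer than five samples, or an RTT distribution split into two clusters, produce no "active" claim at all, which is the account-level rather than device-level reading the Device-Level Attribution section below asks for.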

Untested & Known Gaps

The following scenarios were not tested and remain open research questions:

Blocked Contacts

  • The PoC did not evaluate behavior when the probing number is blocked

  • Unknowns include:

    • Whether delivery receipts are still generated
    • Whether timing behavior changes
    • Whether probes are silently dropped

Device-Level Attribution

  • This PoC does not reliably distinguish:

    • Which linked device generated the delivery acknowledgement
  • Observed signals should be interpreted as account-level, not device-level


Resource Impact Considerations

High-frequency probing may result in:

  • Increased battery drain on mobile devices
  • Elevated data usage
  • Potential server-side throttling or rate limiting

These factors act as natural constraints on sustained or large-scale probing and limit stealth at scale.


Security & Privacy Implications

This PoC does not:

  • Break encryption
  • Expose message content
  • Bypass authentication or access controls

However, it demonstrates that:

  • Delivery receipts can leak behavioral metadata
  • Privacy expectations based solely on disabling “read receipts” or “last seen” may be incomplete

This is particularly relevant for users who rely on invisibility rather than content secrecy.


Ethical Considerations

This repository is intended for:

  • Defensive security research
  • Protocol analysis
  • Privacy impact assessment

It should not be used for:

  • Surveillance
  • Harassment
  • Monitoring individuals without consent

All testing should comply with applicable laws and ethical research standards.


Future Research Directions

Potential areas for further exploration include:

  • Controlled testing across:

    • Different regions and carriers
    • iOS vs Android vs Web clients
  • Measuring accuracy degradation under real-world background traffic

  • Evaluating mitigation strategies such as:

    • Randomized delivery acknowledgements
    • Batched or delayed receipts
  • Assessing whether machine learning improves inference over simple thresholding
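As an added example, not part of this repository or the original project, the TypeScript below simulates what the two receipt-side mitigations named above, randomized and batched acknowledgements, do to a prober that thresholds the observed RTT. The device-side delays (120 ms foreground, 600 ms backgrounded), the 2 s probe interval, the jitter and batch sizes, and the PRNG seed are all assumptions chosen for illustration, not measurements.

```typescript
// Added example (not the project's code): a simulation of randomized and batched
// delivery acknowledgements against a prober that thresholds the observed RTT.
// All timings and parameters below are assumed for illustration.

type Mitigation = (ackAt: number) => number; // maps the true receipt time to the emitted one

// Small deterministic PRNG (xorshift32) so a run is reproducible.
function makeRng(seed: number): () => number {
  let x = seed >>> 0 || 1;
  return () => {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5; x >>>= 0;
    return x / 4294967296; // [0, 1)
  };
}

// Randomized acknowledgement: hold every receipt for a uniform delay in [0, maxJitterMs).
function randomizedAck(maxJitterMs: number, rng: () => number): Mitigation {
  return (ackAt) => ackAt + rng() * maxJitterMs;
}

// Batched acknowledgement: receipts only leave the device at multiples of batchMs.
function batchedAck(batchMs: number): Mitigation {
  return (ackAt) => Math.ceil(ackAt / batchMs) * batchMs;
}

const passthrough: Mitigation = (ackAt) => ackAt;

// Prober's view: n probes sent every intervalMs; the device would answer after trueDelayMs;
// the mitigation decides when the receipt is actually emitted.
function observedRtts(trueDelayMs: number, n: number, mitigate: Mitigation, intervalMs = 2000): number[] {
  const rtts: number[] = [];
  for (let i = 0; i < n; i++) {
    const sentAt = i * intervalMs;
    rtts.push(mitigate(sentAt + trueDelayMs) - sentAt);
  }
  return rtts;
}

// Fraction of samples a threshold prober labels correctly: "foreground" below the
// threshold, "backgrounded" at or above it.
function proberAccuracy(foreground: number[], backgrounded: number[], thresholdMs: number): number {
  const correct =
    foreground.filter((r) => r < thresholdMs).length +
    backgrounded.filter((r) => r >= thresholdMs).length;
  return correct / (foreground.length + backgrounded.length);
}

// Closed form for uniform jitter: a foreground sample stays recognizable only while its
// jitter is below (threshold - foregroundDelay). Jitter smaller than that margin changes
// nothing; jitter of J ms leaves a margin/J fraction of foreground samples recognizable.
function foregroundStillVisible(foregroundDelayMs: number, thresholdMs: number, maxJitterMs: number): number {
  const margin = thresholdMs - foregroundDelayMs;
  return maxJitterMs <= margin ? 1 : margin / maxJitterMs;
}

const FOREGROUND_MS = 120;
const BACKGROUNDED_MS = 600;
const THRESHOLD_MS = (FOREGROUND_MS + BACKGROUNDED_MS) / 2; // prober splits the gap: 360 ms
const PROBES = 40;

function runScenarios(): Record<string, number> {
  const scenarios: Record<string, () => Mitigation> = {
    none: () => passthrough,
    jitter100ms: () => randomizedAck(100, makeRng(7)),
    jitter1000ms: () => randomizedAck(1000, makeRng(7)),
    batch1000ms: () => batchedAck(1000),
  };
  const out: Record<string, number> = {};
  for (const [name, make] of Object.entries(scenarios)) {
    const m = make();
    out[name] = proberAccuracy(
      observedRtts(FOREGROUND_MS, PROBES, m),
      observedRtts(BACKGROUNDED_MS, PROBES, m),
      THRESHOLD_MS,
    );
  }
  return out;
}

console.log(runScenarios());
```

Two things the numbers make concrete. Jitter must be at least as large as the gap the prober exploits, otherwise it changes nothing (100 ms of jitter against a 480 ms gap leaves accuracy at 1.0). Batching to a 1 s boundary collapses both delays onto the same emission time in this run, but only because the probes here are sent aligned to the batch boundary; a prober that varies its send phase can still learn which boundary a receipt crossed, so batching shrinks the channel rather than removing it. Neither mitigation touches the offline case: a receipt that never arrives is still observable.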


Interpretation Guidance

Findings from this repository should be interpreted as:

  • Demonstrating metadata leakage potential
  • Not a guarantee of reliable tracking or surveillance
  • A reminder that encrypted systems can still leak sensitive context

End-to-end encryption protects content, not context.


Disclaimer

This project is provided for educational and research purposes only. The author assumes no responsibility for misuse.


About

This repository was evaluated as a practical exploration of the academic research on delivery receipt timing side-channels in end-to-end encrypted messaging platforms, with a focus on WhatsApp.

Languages

  • TypeScript 95.8%
  • HTML 1.6%
  • Dockerfile 1.4%
  • Other 1.2%