Hello everyone, does anyone know if (and where) WhatsApp on iOS stores information about WHEN a message is successfully delivered to the destination recipient?
It's crucial for an investigation I'm working on.
By looking at the database chatstorage.db I've noticed that there is a column named "ZRECEIPTINFO". It's a BLOB tho, and I have no clue how to decode that blob.
Any help is really appreciated.
Thanks in advance.
EDIT: ok, at least I've figured out that the content of the ZRECEIPTINFO blob is a binary plist, so it's easy to decode.
In the decoded value there are two timestamps. I "think" one is related to when the message was SENT, while the other one to when the message was DELIVERED, but I'd love some confirmation because I can't just assume.
Maybe anyone knows? Else I'll have to do some tests in the lab.
ok, at least I've figured out that the content of the ZRECEIPTINFO blob is a binary plist, so it's easy to decode
In my experience, the contents of ZRECEIPTINFO in recent WhatsApp versions are not binary plists. I realized they are stored as protobuf data and they can be decoded with
For instance, here's a receipt:
12-10-0A-07-81-39-33-41-23-45-67-1A-01-00-20-00-00-10-28-00-18-D0-FC-B8-F0-05-20-00
It contains the following fields
- A string payload which is a nested protobuf
- A "variant" field containing 0x00
- Another "variant" field containing D0-FC-B8-F0-05, that is 1577991760 "raw", the Unix timestamp for 2020-01-02 @ 7:02pm (UTC)
0A-07-81-39-33-41-23-45-67-1A-01-00-20-00-00-10
The first payload contains this string
81-39-33-41-23-45-67
It is not exactly clear what 0x81 means, however here the mobile phone number is +39 334 1234567.
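The top-level layout of the receipt quoted above can be checked with a schema-less walk of the protobuf wire format. This is an added example, not part of the original posts; the function names are assumptions, and the sample bytes are the ones quoted in the thread.

```python
from datetime import datetime, timezone

# Receipt bytes exactly as quoted in the thread above.
RECEIPT_HEX = "12-10-0A-07-81-39-33-41-23-45-67-1A-01-00-20-00-00-10-28-00-18-D0-FC-B8-F0-05-20-00"

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value = shift = 0
    while pos < len(buf) and shift < 64:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos += 1
        if byte < 0x80:                     # high bit clear: last byte
            return value, pos
        shift += 7
    raise ValueError("truncated or over-long varint")

def parse_fields(buf):
    """Walk one message without a schema; return [(field_number, wire_type, value)]."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wire = tag >> 3, tag & 7
        if number == 0:
            raise ValueError(f"invalid tag before offset {pos}")
        if wire == 0:                       # varint
            value, pos = read_varint(buf, pos)
        else:
            if wire == 2:                   # length-delimited
                size, pos = read_varint(buf, pos)
            elif wire in (1, 5):            # fixed 64-bit / 32-bit
                size = 8 if wire == 1 else 4
            else:
                raise ValueError(f"unsupported wire type {wire}")
            if pos + size > len(buf):
                raise ValueError("field runs past end of buffer")
            value, pos = buf[pos:pos + size], pos + size
        fields.append((number, wire, value))
    return fields

def decode_receipt(hex_text):
    """Top-level fields; varints in a plausible epoch range also get a UTC string."""
    rows = []
    for number, wire, value in parse_fields(bytes.fromhex(hex_text.replace("-", ""))):
        utc = None
        if wire == 0 and 946684800 <= value < 4102444800:   # years 2000-2099
            utc = datetime.fromtimestamp(value, timezone.utc).isoformat()
        rows.append((number, wire, value, utc))
    return rows
```

`decode_receipt(RECEIPT_HEX)` yields fields 2, 5, 3 and 4 in that order, with field 3 rendered as 2020-01-02T19:02:40+00:00. The 16-byte nested payload is returned as raw bytes: as quoted in the thread it has a zero tag byte at offset 14, so `parse_fields` rejects it when run over the whole payload.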