Handle other WhatsApp Message Types

[gfd2020]

I detected two new types of unimplemented WhatsApp messages ( Android NEW DB):

message_type equal to 32, appears to be text. message_type equal to 25, is an image type. It appears to be of type Jpeg.

It would be good to compare it with a WhatsApp conversation on a cell phone to find out.

I suspect they are related to robotic messages.

I think that they are interactive messages: 25 is the text option with image. 32 is the answer.

The info is on the tables: message_template_button, message_template, message_template_quoted

https://developers.facebook.com/docs/whatsapp/guides/interactive-messages/

[wladimirleite]

Hi @gfd2020! I understand you created this issue but you are not working on it, right? Let me know if it is not the case. While working on #2030, I found these two message types you mentioned and a few others that are not handled. I started to use two phones to check the unhandled message type, comparing parser results with actual messages displayed on them, so I will work on this issue too. I am also changing it to include a few other types.

[wladimirleite]

The unhandled message types (or subtypes) I found:

• [x] 0 with UI Elements - Regular text messages with UI Elements.
• [x] 7/actionType 13 - System message user(s) left the group (only actionType 5 is currently handled).
• [x] 7/actionType 10, 28 - System message contact phone number changed.
• [x] 7/actionType 16 - System message "You're no longer an admin".
• [x] 7/actionType 29 - System message "changed this group's settings to allow only admins to edit this group's info".
• [x] 7/actionType 30 - System message "changed this group's settings to allow all participants to edit this group's info."
• [x] 7/actionType 31, 33 - System message only group admins can send messages.
• [x] 7/actionType 32 - System message any group member can send messages.
• [x] 7/actionType 47 - System message "This chat is with the official business account of".
• [x] 7/actionType 50 - System message business account is now a standard account.
• [x] 7/actionType 56 - System message temporary messages are enabled.
• [x] 7/actionType 57 - System message device changed.
• [x] 7/actionType 67/bizStateId 10, 7/actionType 69 - System message: "This business use a secure service from Meta to manage this chat. Tap for more info."
• [X] 7/actionType 68 - System message temporary messages are enabled.
• [x] 7/actionType 75/108 - System message group added to community.
• [x] 7/actionType 88/110 - System message community management action.
• [x] 7/actionType 80 - System message saving temporary messages is now possible.
• [x] 7/actionType 118 - System message user pinned a message.
• [x] 7/actionType 129 - System message user is on your contact list.
• [x] 7/actionType 132 - System message channel was created.
• [x] 7/actionType 134 - System message channel added privacy.
• [x] 7/actionType 136 - System message user joined WhatsApp.
• [x] 14 - Multiple contacts.
• [x] 23 - Product.
• [x] 24 - Invitation to join a group.
• [x] 25, 27, 28 - Template message from a business account.
• [x] 32 - Quote of a Template.
• [x] 36, 7/actionType 68 - Duration of ephemeral (user changed the duration of ephemeral messages, a.k.a. "disappearing messages").
• [x] 44 - Order (of a product that is being sold).
• [x] 45 - UI Elements (message with UI elements, like "title", "content", "footer", "buttons", defined in another table).
• [x] 46, 49 - Quote of UI Elements.
• [x] 64 / Status 4 - This message was deleted by admin.
• [x] 66 - Poll.
• [x] 81 - Quote with media (I found few examples, so there may be other similar types and details).
• [x] 90 - Call (redundant with audio and video calls already handled, but in messages table).

[wladimirleite]

An example with messages of type 90. After each call (video or audio) a redundant "unknown message" is currently displayed.

[patrickdalla]

Maybe there could be some alerts of any other yet unhandled messages types if found. In iped log, or even in a specific log/subitem report.

Em qui., 28 de dez. de 2023 06:51, Wladimir Leite @.***> escreveu:

The unhandled message types I found:

• 24
• 25
• 27
• 28
• 32
• 36
• 45
• 46
• 49
• 66 - Poll
• 90 - Call (redundant with audio and video calls already handled, but in messages table)

— Reply to this email directly, view it on GitHub https://github.com/sepinf-inc/IPED/issues/1923#issuecomment-1871051455, or unsubscribe https://github.com/notifications/unsubscribe-auth/AG247S76KKNFBJU5CZRZ43LYLVFK3AVCNFSM6AAAAAA5ZLGPI6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZRGA2TCNBVGU . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[gfd2020]

Hi @gfd2020! I understand you created this issue but you are not working on it, right? Let me know if it is not the case.

Hi @wladimirleite . I just started looking at these codes and did just a few queries to start the reverse engineering process. I didn't make any relevant code, I just put code 25 as an image and 32 as text and both were already rendered by IPED. Any extra information I discover, I will report here to help you with its implementation.

I believe most of these codes you found are interactive messages.

[patrickdalla]

Maybe there could be some alerts of any other yet unhandled messages types if found. In iped log, or even in a specific log/subitem report.

Another good alert, maybe in another issue, would be to show noncontinuous msg id. Msg row id is sequential, and missing ranges may indicate deleted messages.

I worked on a case that I recovered images with names like the names given by whatsapp and missing id ranges within the same date range of the created dates of the images. This info with others context info was enough to suggest that the found images were exchanged by whatsapp in that conversation.

[gfd2020]

I also found type 23 in a test. I don't know exactly what it does but the message_row_id references the message_media table ( file_path column with image path ).

[wladimirleite]

Working with an iPhone, I will apply similar changes to ExtractorIOS, to at least handle most common messages that are not currently handled. Part of the code (like the report generation) and resources (messages to be shown) are used by both parsers (iOS and Android), so this should be simpler. I will update the handled message types below:

• [x] 6/Event 1 - User changed group's name to "new name".
• [x] 6/Event 9 - "changed their phone number. Tap to send a message to the new number" (in a group).
• [x] 6/Event 11 - You are no longer an admin.
• [x] 6/Event 15 - User joined group using a link.
• [x] 6/Event 17 - User changed group's description.
• [x] 6/Event 18 -User changed group's settings. Only admins can edit group configurations.
• [x] 6/Event 20 -User changed group's settings. Only admins can send messages.
• [x] 6/Event 21 -User changed group's settings. All members can send messages.
• [x] 6/Event 22 - User removed group's description.
• [x] 6/Event 26 - User changed the duration of ephemeral messages (in a group).
• [x] 6/Event 31 - Group added to community.
• [x] 6/Event 33 - Group rmoved from community.
• [x] 6/Event 39 - User in now an admin.
• [x] 6/Event 56 - Another type of group rename.
• [x] 6/Event 60 - Welcome to community.
• [x] 10/Event 5 - "changed their phone number. Tap to send a message to the new number".
• [x] 10/Event 6 - "changed their phone number. You're currently chatting with their new number".
• [x] 10/Event 21 - Missed voice call (group).
• [x] 10/Event 29 - Business account changed its name.
• [x] 10/Events 25,38 - Chat with business official account.
• [x] 10/Event 36 - Another type for security code changed.
• [x] 10/Event 45 - Missed voice call, due to "not disturb" active.
• [x] 10/Event 46 - Missed video call, due to "not disturb" active.
• [x] 10/Event 46 - Missed video call, due to "not disturb" active.
• [x] 10/Event 47 - Ephemeral can be saved.
• [x] 10/Event 51 - Chat added privacy.
• [x] 12 - Waiting message.
• [x] 19 - Template message.
• [x] 26 - Product message.
• [x] 27 - Group Invite.
• [x] 28 - Ephemeral enabled/disabled.
• [x] 46 - Poll.
• [x] 54 - Instant video message (circle shaped video).
• [x] 55/Event 1 - Channel created.
• [x] 55/Event 4 - Channel added privacy.
• [x] 59 - Voice call (in messages table).

[wladimirleite]

I also found type 23 in a test. I don't know exactly what it does but the message_row_id references the message_media table ( file_path column with image path ).

I found out that type 23 is used for "product" messages. They can have an associated media and other textual fields (like title, description, currency and amount) stored on another table.

[wladimirleite]

Working with an iPhone, I will apply similar changes to ExtractorIOS, to at least handle most common messages that are not currently handled.

I just found a nasty bug (see below) in ExtractorIOS that was setting many system group-related messages as APP_MESSAGE (they are rendered as an empty attachment message) . After fixing it and processing a single iOS UFDR that I am working on, a few thousand of "unknown messages" appeared😅 I will try to add support to them in the next few days. Meanwhile, I will change the related PR #2048 to draft.

Two break's are missing, after cases 6 and 7 (code from current master). Going back on the history of this class, the issue was already present at 3.18.x (at least). https://github.com/sepinf-inc/IPED/blob/183016b89418917cdae8532fcbaa3ef99167cd38/iped-parsers/iped-parsers-impl/src/main/java/iped/parsers/whatsapp/ExtractorIOS.java#L698-L722

[lfcnassif]

Wow... Thank you @wladimirleite for catching this long standing bug! I always thought those APP_ MESSAGEs rendered as empty attachments quite strange, but never stopped to investigate. Actually I'm not sure exactly what an actual APP_MESSAGE means, maybe @fmpfeifer could clarify us.

[wladimirleite]

Actually I'm not sure exactly what normal APP_MESSAGE means.

I believe that it is used for messages with other kinds of attachments (not audio, image or video). I can confirm that tomorrow.

[wladimirleite]

Actually I'm not sure exactly what normal APP_MESSAGE means.

I believe that it is used for messages with other kinds of attachments (not audio, image or video). I can confirm that tomorrow.

Confirmed. It just a minor code detail, but probably DOC_MESSAGE would be clearer. I will rename it.

[wladimirleite]

@lfcnassif, I am making a few more changes to handle other community-related message types, I found in a Android DB I am working on. Can I create a PR referencing this issue number (as it is a complement of it), or is it better to create a new issue?

[lfcnassif]

Great! Sure, this same issue can be used, since 4.2 will take some time to be out.