gommzystudio / device-activity-tracker
A phone number can reveal whether a device is active, in standby or offline (and more). This PoC demonstrates how delivery receipts + RTT timing leak sensitive device-activity patterns. (WhatsApp / Signal)
AI Architecture Analysis
This repository is indexed by RepoMind. By analyzing gommzystudio/device-activity-tracker in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.
Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.
Embed this Badge
Showcase RepoMind's analysis directly in your repository's README.
Repository Overview (README excerpt)
Crawler viewDevice Activity Tracker WhatsApp & Signal Activity Tracker via RTT Analysis > ⚠️ **DISCLAIMER**: Proof-of-concept for educational and security research purposes only. Demonstrates privacy vulnerabilities in WhatsApp and Signal. Overview This project implements the research from the paper **"Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers"** by Gabriel K. Gegenhuber, Maximilian Günther, Markus Maier, Aljosha Judmayer, Florian Holzbauer, Philipp É. Frenzel, and Johanna Ullrich (University of Vienna & SBA Research). **What it does:** By measuring Round-Trip Time (RTT) of WhatsApp message delivery receipts, this tool can detect: • When a user is actively using their device (low RTT) • When the device is in standby/idle mode (higher RTT) • Potential location changes (mobile data vs. WiFi) • Activity patterns over time **Security implications:** This demonstrates a significant privacy vulnerability in messaging apps that can be exploited for surveillance. Example The web interface shows real-time RTT measurements, device state detection, and activity patterns. Installation **Requirements:** Node.js 20+, npm, WhatsApp account Usage Docker (Recommended) The easiest way to run the application is using Docker: The application will be available at: • Frontend: http://localhost:3000 (or your configured ) • Backend: http://localhost:3001 (or your configured ) To stop the containers: Manual Setup Web Interface Open , scan QR code with WhatsApp, then enter phone number to track (e.g., ). CLI Interface (only WhatsApp) Follow prompts to authenticate and enter target number. **Example Output:** • **🟢 Online**: Device is actively being used (RTT below threshold) • **🟡 Standby**: Device is idle/locked (RTT above threshold) • **🔴 Offline**: Device is offline or unreachable (no CLIENT ACK received) How It Works The tracker sends probe messages and measures the Round-Trip Time (RTT) to detect device activity. Two probe methods are available: Probe Methods | Method | Description | |--------|-----------------------------------------------------------------------------------------------------------------| | **Delete** (Default) | Sends a "delete" request for a non-existent message ID. | | **Reaction** | Sends a reaction emoji to a non-existent message ID. | Detection Logic The time between sending the probe message and receiving the CLIENT ACK (Status 3) is measured as RTT. Device state is detected using a dynamic threshold calculated as 90% of the median RTT: values below the threshold indicate active usage, values above indicate standby mode. Measurements are stored in a history and the median is continuously updated to adapt to different network conditions. Switching Probe Methods In the web interface, you can switch between probe methods using the dropdown in the control panel. In CLI mode, the delete method is used by default. Common Issues • **Not Connecting to WhatsApp**: Delete the folder and re-scan the QR code. Project Structure How to Protect Yourself The most effective mitigation is to enable “Block unknown account messages” in WhatsApp under Settings → Privacy → Advanced. This setting may reduce an attacker’s ability to spam probe reactions from unknown numbers, because WhatsApp blocks high-volume messages from unknown accounts. However, WhatsApp does not disclose what “high volume” means, so this does not fully prevent an attacker from sending a significant number of probe reactions before rate-limiting kicks in. Disabling read receipts helps with regular messages but does not protect against this specific attack. As of December 2025, this vulnerability remains exploitable in WhatsApp and Signal. Ethical & Legal Considerations ⚠️ For research and educational purposes only. Never track people without explicit consent - this may violate privacy laws. Authentication data ( ) is stored locally and must never be committed to version control. Citation Based on research by Gegenhuber et al., University of Vienna & SBA Research: License MIT License - See LICENSE file. Built with @whiskeysockets/baileys --- **Use responsibly. This tool demonstrates real security vulnerabilities that affect millions of users.** Star History